Bug 40269 - Adapt SDB article about SSL certificate renewal to include SAML
Status: RESOLVED FIXED
Product: Z_SDB
Classification: Unclassified
Component: Update needed
Version: unspecified
Hardware: Other Linux
Importance: P5 normal
Assigned To: SDB maintainers
Depends on: 40229
Reported: 2015-12-16 16:11 CET by Florian Best
Modified: 2017-03-27 12:36 CEST (History)
What kind of report is it?: Development Internal
Bug group (optional): External feedback, SAML, Troubleshooting
Description Florian Best univentionstaff 2015-12-16 16:11:25 CET
We should explain the required steps for SAML in <http://sdb.univention.de/1183> and <http://sdb.univention.de/1000>.

The required steps on each identity provider are (with the default configuration):
"""
    eval "$(ucr shell domainname)"
    cp "/etc/univention/ssl/ucs-sso.${domainname}/cert.pem" "/etc/simplesamlphp/ucs-sso.${domainname}-idp-certificate.crt"
    cp "/etc/univention/ssl/ucs-sso.${domainname}/private.key" "/etc/simplesamlphp/ucs-sso.${domainname}-idp-certificate.key"
    invoke-rc.d univention-saml restart
"""

After this has been done on each IDP the required steps on each service provider are:
"""
    eval "$(ucr shell ucs/server/sso/fqdn)"
    rm /usr/share/univention-management-console/saml/idp/*.xml
    ucr set umc/saml/idp-server="https://${ucs_server_sso_fqdn}/simplesamlphp/saml2/idp/metadata.php" || echo 'Failed!'
    /etc/init.d/univention-management-console-web-server restart
    univention-run-joinscripts --force --run-scripts 92univention-management-console-web-server.inst
"""

+++ This bug was initially created as a clone of Bug #40229 +++

If a new (root CA) certificate is generated via the UMC module, manual steps are required to make SAML work again:
* some join scripts need to be re-executed.

We should outsource the needed commands into some scripts so that it's not required to force re-execute the join scripts, but simply to call the scripts.

As this is currently documented nowhere, customers will probably run into problems when their certificates get renewed. We should prevent this and try to do the required steps automatically (e.g. in the SSL system-setup script?).
Comment 1 Erik Damrose univentionstaff 2016-11-11 12:48:30 CET
Requested again https://forum.univention.de/viewtopic.php?f=48&t=6219&p=23189
Comment 2 Michael Grandjean univentionstaff 2017-01-04 09:05:30 CET
The required steps on each service provider contain a typo (missing hyphen in univention-run-join-scripts). So for people coming back here to copy and paste (like me), this works better:
"""
eval "$(ucr shell ucs/server/sso/fqdn)"
rm /usr/share/univention-management-console/saml/idp/*.xml
ucr set umc/saml/idp-server="https://${ucs_server_sso_fqdn}/simplesamlphp/saml2/idp/metadata.php" || echo 'Failed!'
/etc/init.d/univention-management-console-web-server restart
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst
"""
Comment 3 Michael Grandjean univentionstaff 2017-03-27 12:36:30 CEST
I added this to the German and the English version of the SDB article:

* <http://sdb.univention.de/1000>
* <http://sdb.univention.de/1183>