Univention Bugzilla – Bug 40269
Adapt SDB article about SSL certificate renewal to include SAML
Last modified: 2017-03-27 12:36:30 CEST
We should explain the required steps for SAML in <http://sdb.univention.de/1183> and <http://sdb.univention.de/1000>.

The required steps on each identity provider are (with the default configuration):

"""
eval "$(ucr shell domainname)"
cp "/etc/univention/ssl/ucs-sso.${domainname}/cert.pem" "/etc/simplesamlphp/ucs-sso.${domainname}-idp-certificate.crt"
cp "/etc/univention/ssl/ucs-sso.${domainname}/private.key" "/etc/simplesamlphp/ucs-sso.${domainname}-idp-certificate.key"
invoke-rc.d univention-saml restart
"""

After this has been done on each IDP, the required steps on each service provider are:

"""
eval "$(ucr shell ucs/server/sso/fqdn)"
rm /usr/share/univention-management-console/saml/idp/*.xml
ucr set umc/saml/idp-server="https://${ucs_server_sso_fqdn}/simplesamlphp/saml2/idp/metadata.php" || echo 'Failed!'
/etc/init.d/univention-management-console-web-server restart
univention-run-joinscripts --force --run-scripts 92univention-management-console-web-server.inst
"""

+++ This bug was initially created as a clone of Bug #40229 +++

If a new (root CA) certificate is generated via the UMC module, manual steps are required to make SAML work again:
* some join scripts need to be re-executed.

We should move the needed commands into scripts, so that it is not necessary to force re-execution of the join scripts; one would simply call the scripts. As this is currently documented nowhere, customers will probably run into problems when their certificates are renewed. We should prevent this and try to perform the required steps automatically (e.g. in the SSL system-setup script?).
Requested again: <https://forum.univention.de/viewtopic.php?f=48&t=6219&p=23189>
The required steps on each service provider contain a typo (missing hyphen in univention-run-join-scripts). So for people coming back here to copy and paste (like me), this works better:

"""
eval "$(ucr shell ucs/server/sso/fqdn)"
rm /usr/share/univention-management-console/saml/idp/*.xml
ucr set umc/saml/idp-server="https://${ucs_server_sso_fqdn}/simplesamlphp/saml2/idp/metadata.php" || echo 'Failed!'
/etc/init.d/univention-management-console-web-server restart
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst
"""
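The failure mode behind the service-provider steps above (in both the original comment and the corrected copy) is that the IdP metadata cached under /usr/share/univention-management-console/saml/idp/ still embeds the IdP's pre-renewal certificate, so the SP keeps validating assertions against the wrong key until the cache is removed and the join script re-run. The following check, an added example that is not part of the bug report or of UCS, compares the SHA-256 fingerprint of every ds:X509Certificate in an IdP metadata file with the certificate the IdP actually serves (cert.pem), which makes a stale cache detectable before or after the procedure. The metadata document, the entityID host ucs-sso.example.test and the "DER" byte strings in it are constructed stand-ins, not real certificates; the function check_files is a hypothetical helper for running the same comparison against the real paths named in the report.

```python
"""Stale-IdP-certificate check for the UMC SAML service-provider metadata cache.

Added example, not part of the Univention bug report or of UCS itself.
The sample metadata and the placeholder "DER" byte strings are constructed.
"""
import base64
import glob
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated like `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_to_der(pem_text: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file (e.g. cert.pem) to DER."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def metadata_certs(xml_text: str) -> list:
    """DER bytes of every ds:X509Certificate in SAML IdP metadata (signing and encryption keys)."""
    root = ET.fromstring(xml_text)
    return [base64.b64decode("".join((el.text or "").split()))
            for el in root.iterfind(".//ds:X509Certificate", NS)]


def check_metadata(idp_pem: str, metadata_xml: str) -> dict:
    """'stale' is True when the cached metadata no longer carries the IdP's current certificate."""
    current = fingerprint(pem_to_der(idp_pem))
    cached = sorted({fingerprint(d) for d in metadata_certs(metadata_xml)})
    return {"current": current, "cached": cached, "stale": current not in cached}


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block (used here only to build sample input)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data: placeholder byte strings stand in for DER-encoded certificates.
OLD_DER = b"constructed placeholder: IdP certificate before the CA renewal"
NEW_DER = b"constructed placeholder: IdP certificate after the CA renewal"

# Constructed IdP metadata in the shape simplesamlphp publishes; the cache holds the OLD certificate.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://ucs-sso.example.test/simplesamlphp/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {cert}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".format(cert=base64.b64encode(OLD_DER).decode())


def check_files(pem_path: str, xml_glob: str) -> dict:
    """Hypothetical helper: run the check against real files on a UCS service provider."""
    with open(pem_path) as f:
        pem = f.read()
    results = {}
    for path in sorted(glob.glob(xml_glob)):
        with open(path) as f:
            results[path] = check_metadata(pem, f.read())
    return results


if __name__ == "__main__":
    # Demo on the constructed data: the cache holds OLD_DER, the IdP now serves NEW_DER.
    print(check_metadata(der_to_pem(NEW_DER), SAMPLE_METADATA))
    # On a real system the paths from the bug report would be used, e.g.
    #   check_files("/etc/univention/ssl/ucs-sso.<domainname>/cert.pem",
    #               "/usr/share/univention-management-console/saml/idp/*.xml")
```

Run against a live service provider, a result with "stale": True for any cached metadata file means the `rm ... /saml/idp/*.xml` and join-script step above has not yet taken effect for that IdP; after the procedure every file should report "stale": False, and the fingerprint under "current" should equal what `openssl x509 -noout -fingerprint -sha256 -in cert.pem` prints on the IdP host.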
I added this to the German and the English version of the SDB article:
* <http://sdb.univention.de/1000>
* <http://sdb.univention.de/1183>