Univention Bugzilla – Bug 45537
Office 365 service provider metadata configuration should be replicated to all ucs-sso systems
Last modified: 2018-08-21 10:08:55 CEST
Observed behaviour:
The SAML SSO metadata for a service provider (e.g. /etc/simplesamlphp/metadata.include/univention-office365.php for the Office 365 Connector App) is only present on the UCS Master. When using the "ucs-sso" DNS record to perform a SAML login, the UCS Master *or* one of the existing UCS Backups delivers the login page. Unfortunately, all UCS Backups will complain that the SAML metadata configuration is missing and show a simplesamlphp error message.

Expected behaviour:
The SAML SSO metadata for a service provider is somehow replicated to all systems that are responsible for "ucs-sso". This way all systems behind "ucs-sso" can actually perform the SAML SSO login for service providers such as Office 365.
(In reply to Michael Grandjean from comment #0)
> Observed behaviour:
> The SAML SSO metadata for a service provider (e.g.
> /etc/simplesamlphp/metadata.include/univention-office365.php for the
> Office 365 Connector App) is only present on the UCS Master.

No, that is wrong.

> When using the "ucs-sso" DNS record to perform a SAML-login, the UCS Master
> *or* one of the existing UCS Backups delivers the login page.

Yes.

> Unfortunately, all UCS Backups will complain that the SAML metadata configuration is
> missing and show a simplesamlphp error message.

Which error message?

> Expected behaviour:
> The SAML SSO metadata for a service provider is somehow replicated to all
> systems that are responsible for "ucs-sso". This way all systems behind
> "ucs-sso" can actually perform the SAML SSO Login for service providers such
> as Office 365.

This is already the case because the listener module is also installed on the DC Backup.

dpkg -L univention-saml-schema → /usr/lib/univention-directory-listener/system/univention-saml-servers.py

Maybe this is a bug in the Office 365 SAML implementation?
945eafb6 univention-office365 2.0.0-8A~4.3.0.201807181631
* Replicate SAML metadata to all SSO servers by storing it in LDAP
* Store values for UCRv saml/idp/ldap/get_attributes for the app in LDAP

Requires u-saml packages from bug #47309
Please make univention-office365 depend on "univention-saml (>= 5.0.4-23)". It may even have to be "Predepend", so that schema, listener module etc have all been configured... not sure.
I think it is ok to add it as Depends, not Pre-Depends. I will add the required erratalevel to the new app version in bug #47379. That way, the package will have to be installed before the app update is possible.

101f4d4e Add dependency to required univention-saml version
univention-office365 2.0.0-9A~4.3.0.201807241141
OK: metadata document is replicated to master and backups
OK: manual functional test:
- installed office365 app on dc backup (see Bug #45508) -> the metadata was replicated to the dc master
- ran wizard, stopped dc master, set ucs-sso.domain to point to both IPs
- logged in to office365 through dc backup's portal link -> works
- started dc master and stopped dc backup
- logged in to office365 through dc master's portal link -> works
- started dc backup
- could login through both portals
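The failure reported in this bug (backups behind the ucs-sso alias serving the login page without the service-provider metadata) can be checked without clicking through a login: resolve the alias, hash the SP metadata include on every host it points to, and require one identical, non-missing hash. The script below is an added example, not code from the bug report or from Univention's packages. It assumes root ssh access to the SSO hosts, sha256sum on those hosts and getent locally; the alias name ucs-sso.example.com and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not part of the bug report): verify that a simplesamlphp
# service-provider metadata include is present with identical content on every
# host behind the ucs-sso DNS alias. Assumptions: root ssh access to the SSO
# hosts, sha256sum on the remote side, getent available locally.

# Path of the SP metadata include named in the report (Office 365 Connector).
METADATA_FILE="${METADATA_FILE:-/etc/simplesamlphp/metadata.include/univention-office365.php}"

# Print the IPv4 addresses behind an SSO alias (e.g. ucs-sso.example.com, assumed name).
sso_hosts() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# Print "HOST HASH", where HASH is the sha256 of FILE on HOST or MISSING
# when the file is absent or the host cannot be reached.
remote_metadata_hash() {
    host="$1"; file="$2"
    hash=$(ssh -o BatchMode=yes "root@$host" \
        "sha256sum '$file' 2>/dev/null | cut -d' ' -f1")
    printf '%s %s\n' "$host" "${hash:-MISSING}"
}

# Read "HOST HASH" lines on stdin. Exit 0 only if every host reports the same
# non-MISSING hash; otherwise print what differs and exit 1. A MISSING entry is
# exactly the state the bug describes: a backup without the SP metadata.
check_consistency() {
    awk '
        $2 == "MISSING" { missing[$1] = 1; bad = 1; next }
        { hosts[$2] = hosts[$2] " " $1 }
        END {
            for (h in missing) print "metadata missing on " h
            n = 0; for (h in hosts) n++
            if (n > 1) { bad = 1; for (h in hosts) print "sha256 " h " on" hosts[h] }
            if (n == 0 && !bad) { print "no hosts checked"; bad = 1 }
            exit bad
        }'
}

# Resolve the alias, hash the include on each host, compare the results.
check_sso_metadata() {
    for h in $(sso_hosts "$1"); do
        remote_metadata_hash "$h" "$METADATA_FILE"
    done | check_consistency
}

# Usage: check_sso_metadata ucs-sso.example.com && echo "SP metadata consistent"
```

Run it after each step of the manual test above (master stopped, backup stopped, both up): the alias resolves to the same addresses regardless of which host is currently answering, so a host that is down shows up as MISSING rather than silently dropping out of the comparison.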
App Update released