Bug 47700 - SAML Single Sign-On issues with Let's Encrypt cert
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-2-errata
Assigned To: Jürn Brodersen
QA Contact: Jannik Ahlers
Depends on:
Blocks:
Reported: 2018-08-30 14:42 CEST by Valentin Heidelberger
Modified: 2019-03-17 16:20 CET (History)
CC: 6 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.137
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support: Yes
Ticket number: 2018101521000551
Bug group (optional):
Max CVSS v3 score:


Description Valentin Heidelberger univentionstaff 2018-08-30 14:42:48 CEST
Working through the following sdb article results in a traceback from simplesamlphp and non-working SSO: https://help.univention.com/t/configure-saml-single-sign-on-as-single-server-solution/6681

I took the following steps:
- Generate a LE cert with the LE app
- Execute sdb article:

FQDN=ucs-saml.ddns.net

# Copy the Let's Encrypt chain and key to the paths the SAML IdP and Apache read
cp /etc/univention/letsencrypt/signed_chain.crt /etc/simplesamlphp/${FQDN}-idp-certificate.crt
cp /etc/univention/letsencrypt/domain.key /etc/simplesamlphp/${FQDN}-idp-certificate.key
mkdir -p /etc/univention/ssl/${FQDN}
cp /etc/univention/letsencrypt/signed_chain.crt /etc/univention/ssl/${FQDN}/cert.pem
cp /etc/univention/letsencrypt/domain.key /etc/univention/ssl/${FQDN}/private.key

chown root:samlcgi /etc/simplesamlphp/${FQDN}-idp-certificate.*

update-ca-certificates

# Point the IdP and the UMC service provider at the copied files and the public FQDN
ucr set ucs/server/sso/autoregistraton=no \
        saml/idp/entityID="https://${FQDN}/simplesamlphp/saml2/idp/metadata.php" \
        saml/idp/certificate/privatekey="/etc/simplesamlphp/${FQDN}-idp-certificate.key" \
        saml/idp/certificate/certificate="/etc/simplesamlphp/${FQDN}-idp-certificate.crt" \
        ucs/server/sso/fqdn=${FQDN} \
        umc/saml/sp-server=${FQDN} \
        ucs/server/sso/virtualhost=false \
        ucs/server/saml-idp-server/${FQDN}=${FQDN}

echo "ServerName ${FQDN}" >>/etc/apache2/ucs-sites.conf.d/servername.conf

# Re-run the join scripts so the IdP and the UMC web server pick up the new settings
univention-run-join-scripts --force --run-scripts 91univention-saml.inst
ucr set umc/saml/idp-server=https://${FQDN}/simplesamlphp/saml2/idp/metadata.php
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst


openssl verify on the cert works, system diagnosis doesn't throw errors either.
When opening https://ucs-saml.ddns.net/univention/saml I get the following traceback:

Backtrace:
1 /usr/share/simplesamlphp/www/_include.php:43 (SimpleSAML_exception_handler)
0 [builtin] (N/A)
Caused by: Exception: Unable to validate Signature
Backtrace:
5 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:166 (SAML2_Utils::validateSignature)
4 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Message.php:236 (SAML2_Message::validate)
3 /usr/share/simplesamlphp/modules/saml/lib/Message.php:201 (sspmod_saml_Message::checkSign)
2 /usr/share/simplesamlphp/modules/saml/lib/Message.php:258 (sspmod_saml_Message::validateMessage)
1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:305 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
0 /usr/share/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)
Comment 1 Valentin Heidelberger univentionstaff 2018-09-04 10:38:00 CEST
It seems the join script 91univention-saml.inst is supposed to create the certificate and key below /etc/simplesamlphp that are used in the UCR vars saml/idp/certificate/*.
It also seems that the cert and key used in saml/idp/certificate/* MUST be created by the UCS CA, which is probably the reason for the traceback mentioned above.

I'm very certain the certificate creation by the join script didn't work for me before, but I couldn't reproduce that and either way it would be a separate issue. Works now -> INVALID
Comment 2 Jürn Brodersen univentionstaff 2018-10-22 18:54:37 CEST
The problem seems to be in "management/univention-management-console-frontend/usr/share/univention-management-console/saml/sp.py"

The last -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block from the public key is used for the service provider configuration. But for Let's Encrypt that is the intermediate CA from Let's Encrypt. For the signature the private key for the server is used, which means the public key in the SP config does not correspond to the private key used to sign the SAML message.
Comment 3 Jürn Brodersen univentionstaff 2018-11-06 12:03:58 CET
We should test how certificate expiration is handled. That might become a problem as well
Comment 4 Jürn Brodersen univentionstaff 2018-11-12 12:55:13 CET
(In reply to Jürn Brodersen from comment #3)
> We should test how certificate expiration is handled. That might become a
> problem as well

I checked this and it's not a problem with simplesamlphp. simplesamlphp doesn't verify the certificate at the moment. The certificate is only used to extract the public key.
Comment 5 Jürn Brodersen univentionstaff 2018-11-13 11:36:37 CET
[4.3-2 0259bb2e22] Bug #47700: fix saml metadata creation for umc
[4.3-2 83704006d9] Bug #47700: Merge branch 'juern/b47700_saml_cert' into 4.3-2
[4.3-2 6bfaef93e1] Bug #47700: YAML

Package: univention-management-console
Version: 10.0.6-16A~4.3.0.201811131132
Branch: ucs_4.3-0
Scope: errata4.3-2
Comment 6 Jannik Ahlers univentionstaff 2018-11-15 15:52:23 CET
42aeb88875af | Bug #47700: Fix typo in yaml

OK: YAML (fixed typo)
OK: Code
OK: Functionality
OK: Tests
-> Verified
Comment 7 Arvid Requate univentionstaff 2018-12-05 14:39:15 CET
<http://errata.software-univention.de/ucs/4.3/350.html>