Univention Bugzilla – Bug 47700
SAML Single Sign-On issues with Let's Encrypt cert
Last modified: 2022-04-21 15:15:33 CEST
Working through the following sdb article results in a traceback from simplesamlphp and non-working SSO: https://help.univention.com/t/configure-saml-single-sign-on-as-single-server-solution/6681

I took the following steps:
- Generate a LE cert with the LE app
- Execute sdb article:

    FQDN=ucs-saml.ddns.net
    cp /etc/univention/letsencrypt/signed_chain.crt /etc/simplesamlphp/ucs-saml.ddns.net-idp-certificate.crt
    cp /etc/univention/letsencrypt/domain.key /etc/simplesamlphp/ucs-saml.ddns.net-idp-certificate.key
    mkdir /etc/univention/ssl/$FQDN
    cp /etc/univention/letsencrypt/signed_chain.crt /etc/univention/ssl/$FQDN/cert.pem
    cp /etc/univention/letsencrypt/domain.key /etc/univention/ssl/$FQDN/private.key
    chown root:samlcgi /etc/simplesamlphp/ucs-saml.ddns.net-idp-certificate.*
    update-ca-certificates
    ucr set ucs/server/sso/autoregistraton=no \
        saml/idp/entityID="https://${FQDN}/simplesamlphp/saml2/idp/metadata.php" \
        saml/idp/certificate/privatekey="/etc/simplesamlphp/${FQDN}-idp-certificate.key" \
        saml/idp/certificate/certificate="/etc/simplesamlphp/${FQDN}-idp-certificate.crt" \
        ucs/server/sso/fqdn=$FQDN \
        umc/saml/sp-server=$FQDN \
        ucs/server/sso/virtualhost=false \
        ucs/server/saml-idp-server/$FQDN=$FQDN
    echo "ServerName $FQDN" >>/etc/apache2/ucs-sites.conf.d/servername.conf
    univention-run-join-scripts --force --run-scripts 91univention-saml.inst
    ucr set umc/saml/idp-server=https://${FQDN}/simplesamlphp/saml2/idp/metadata.php
    univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst

openssl verify on the cert works, system diagnosis doesn't throw errors either.
When opening https://ucs-saml.ddns.net/univention/saml I get the following traceback:

    Backtrace:
    1 /usr/share/simplesamlphp/www/_include.php:43 (SimpleSAML_exception_handler)
    0 [builtin] (N/A)
    Caused by: Exception: Unable to validate Signature
    Backtrace:
    5 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Utils.php:166 (SAML2_Utils::validateSignature)
    4 /usr/share/simplesamlphp/vendor/simplesamlphp/saml2/src/SAML2/Message.php:236 (SAML2_Message::validate)
    3 /usr/share/simplesamlphp/modules/saml/lib/Message.php:201 (sspmod_saml_Message::checkSign)
    2 /usr/share/simplesamlphp/modules/saml/lib/Message.php:258 (sspmod_saml_Message::validateMessage)
    1 /usr/share/simplesamlphp/modules/saml/lib/IdP/SAML2.php:305 (sspmod_saml_IdP_SAML2::receiveAuthnRequest)
    0 /usr/share/simplesamlphp/www/saml2/idp/SSOService.php:19 (N/A)
It seems the joinscript 91univention-saml.inst is supposed to create the certificate and key below /etc/simplesamlphp used in the UCR vars saml/idp/certificate/*. It also seems that the cert and key used in saml/idp/certificate/* MUST be created by the UCS CA, which is probably the reason for the traceback mentioned above. I'm very certain the certificate creation by the join script didn't work for me before, but I couldn't reproduce that and either way it would be a separate issue.

Works now -> INVALID
The problem seems to be in "management/univention-management-console-frontend/usr/share/univention-management-console/saml/sp.py". The last -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block from the public key file is used for the service provider configuration. But for Let's Encrypt that is the intermediate CA from Let's Encrypt. For the signature the private key for the server is used, which means the public key in the sp config does not correspond to the private key used to sign the SAML message.
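As an added illustration of the mismatch described in this comment (example code written for this page, not Univention's sp.py and not simplesamlphp): the script below splits a PEM chain into its blocks, extracts the RSA modulus from each certificate and from the private key, and reports whether the last block (what a "take the last certificate" approach ends up with) or the first block actually pairs with the key. It is standard library only; the certificates and key it runs on are constructed toy DER structures with made-up moduli and dummy signatures, built inline so the example runs offline. It assumes RSA material (the DER walker only knows the RSA layouts of X.509 subjectPublicKeyInfo and PKCS#1/PKCS#8 keys).

```python
import base64
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """[(label, der_bytes)] for every PEM block, in file order (LE chains are leaf first)."""
    return [(label, base64.b64decode("".join(body.split()))) for label, body in PEM_RE.findall(text)]

def pem_encode(label, der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def der_tlv(data, pos=0):
    """Decode one DER element (single-byte tags) -> (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_tlv(body, pos)
        out.append((tag, value))
    return out

def cert_modulus(cert_der):
    """RSA modulus carried in the certificate's subjectPublicKeyInfo."""
    tbs = der_children(der_children(der_tlv(cert_der)[1])[0][1])
    if tbs[0][0] == 0xA0:                   # skip the optional explicit [0] version
        tbs = tbs[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    _alg, (_tag, bits) = der_children(tbs[5][1])
    rsa_public_key = der_children(bits[1:])[0][1]      # bits[0] is the 'unused bits' count
    return int.from_bytes(der_children(rsa_public_key)[0][1], "big")

def key_modulus(key_der):
    """RSA modulus from a PKCS#1 (RSA PRIVATE KEY) or PKCS#8 (PRIVATE KEY) blob."""
    fields = der_children(der_tlv(key_der)[1])
    if fields[2][0] == 0x04:                # PKCS#8: version, algorithm, OCTET STRING(PKCS#1)
        return key_modulus(fields[2][1])
    return int.from_bytes(fields[1][1], "big")          # PKCS#1: version, n, e, d, ...

def check_chain_against_key(chain_pem, key_pem):
    """Compare every certificate in the chain with the key and pick the one that pairs with it."""
    certs = [der for label, der in pem_blocks(chain_pem) if label == "CERTIFICATE"]
    key_n = key_modulus(pem_blocks(key_pem)[0][1])
    moduli = [cert_modulus(der) for der in certs]
    match = next((i for i, n in enumerate(moduli) if n == key_n), None)
    return {
        "blocks": len(certs),
        "last_block_matches_key": moduli[-1] == key_n,   # the 'last block' assumption
        "first_block_matches_key": moduli[0] == key_n,
        "matching_index": match,
        "signing_cert_pem": None if match is None else pem_encode("CERTIFICATE", certs[match]),
    }

# --- constructed test material: structurally valid DER with made-up moduli and dummy signatures ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def _int(v):                                # DER INTEGER, leading 0x00 when the top bit is set
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

_RSA_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))

def toy_cert(n, e=65537):
    spki = _tlv(0x30, _RSA_ALG + _tlv(0x03, b"\x00" + _tlv(0x30, _int(n) + _int(e))))
    name, validity = _tlv(0x30, b""), _tlv(0x30, _tlv(0x17, b"240101000000Z") * 2)
    tbs = _tlv(0x30, _tlv(0xA0, _int(2)) + _int(1) + _RSA_ALG + name + validity + name + spki)
    return _tlv(0x30, tbs + _RSA_ALG + _tlv(0x03, b"\x00\x00"))

def toy_key(n, e=65537, pkcs8=False):
    pkcs1 = _tlv(0x30, _int(0) + _int(n) + _int(e) + _int(1) * 6)
    return _tlv(0x30, _int(0) + _RSA_ALG + _tlv(0x04, pkcs1)) if pkcs8 else pkcs1

LEAF_N = int("C0FFEE" * 10, 16)             # the server's key (made up)
INTERMEDIATE_N = int("BADCA7" * 10, 16)     # the issuing CA's key (made up)
SAMPLE_CHAIN = pem_encode("CERTIFICATE", toy_cert(LEAF_N)) + pem_encode("CERTIFICATE", toy_cert(INTERMEDIATE_N))
SAMPLE_KEY = pem_encode("RSA PRIVATE KEY", toy_key(LEAF_N))
```

Run against a real signed_chain.crt and domain.key, `check_chain_against_key` reports which block belongs to the key rather than assuming a position in the file; for a leaf-first chain such as the one Let's Encrypt writes, the last block is the issuer and the check fails there, which is exactly the "Unable to validate Signature" situation from comment 1. The same comparison is what `openssl x509 -noout -modulus` and `openssl rsa -noout -modulus` give you by hand.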
We should test how certificate expiration is handled. That might become a problem as well
(In reply to Jürn Brodersen from comment #3)
> We should test how certificate expiration is handled. That might become a
> problem as well

I checked this and it's not a problem with simplesamlphp. simplesamlphp doesn't verify the certificate at the moment. The certificate is only used to extract the public key.
[4.3-2 0259bb2e22] Bug #47700: fix saml metadata creation for umc
[4.3-2 83704006d9] Bug #47700: Merge branch 'juern/b47700_saml_cert' into 4.3-2
[4.3-2 6bfaef93e1] Bug #47700: YAML

Package: univention-management-console
Version: 10.0.6-16A~4.3.0.201811131132
Branch: ucs_4.3-0
Scope: errata4.3-2
42aeb88875af | Bug #47700: Fix typo in yaml

OK: YAML (fixed typo)
OK: Code
OK: Functionality
OK: Tests
-> Verified
<http://errata.software-univention.de/ucs/4.3/350.html>