When setting UCRv umc/saml/idp-server a UCR module (re-)downloads the metadata in the URL given as parameter. In the joinscript the value is only set conditionally. So force-executing the joinscript does not redownload the metadata.

If
* the metadata at the given URL changes
* or UCRv ucs/server/sso/fqdn changes (the default value is derived from this)

the UMC will not update its metadata and logins with a valid SAML session will fail with an error in umc-web-server.log:

SamlError: 500 The issuer 'None' is now known to the SAML service provider. This is probably a misconfiguration and might be resolved by restarting the univention-management-console-web-server.

Workaround:
ucr unset umc/saml/idp-server
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst

Possible fix: Always set the UCRv while deleting any already downloaded metadata XML files.
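An added check that is not part of the bug report or of UCS itself: it reads the entityID out of a downloaded IdP metadata document and reports whether it still refers to the SSO host the UMC expects, which is the stale-metadata condition the report describes. The sample metadata, the entityID layout and the path-free interface are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the bug report or UCS): detect cached IdP metadata
# whose entityID no longer matches the configured SSO fqdn.
# Assumption: the entityID is an https URL whose host is the SSO fqdn.
set -eu

# Constructed sample metadata, standing in for the file the joinscript downloads.
SAMPLE_METADATA=$(cat <<'EOF'
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://ucs-sso.example.test/simplesamlphp/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>
EOF
)

# Print the entityID attribute of the EntityDescriptor read from stdin.
metadata_entity_id() {
    sed -n 's/.*<md:EntityDescriptor[^>]*entityID="\([^"]*\)".*/\1/p' | head -n 1
}

# Return 0 if the host part of the entityID equals the expected SSO fqdn,
# 1 otherwise (the cached metadata is then stale and must be re-downloaded).
metadata_matches_fqdn() {
    entity_id=$1
    expected_fqdn=$2
    host=$(printf '%s\n' "$entity_id" | sed -n 's#^https\{0,1\}://\([^/]*\)/.*#\1#p')
    [ "$host" = "$expected_fqdn" ]
}

# Print "fresh" when the metadata still matches the fqdn, "stale" otherwise
# (including when no entityID can be found at all).
check_idp_metadata() {
    metadata=$1
    expected_fqdn=$2
    entity_id=$(printf '%s\n' "$metadata" | metadata_entity_id)
    if [ -n "$entity_id" ] && metadata_matches_fqdn "$entity_id" "$expected_fqdn"; then
        echo fresh
    else
        echo stale
    fi
}
```

Run `check_idp_metadata "$(cat /path/to/downloaded-metadata.xml)" "$(ucr get ucs/server/sso/fqdn)"` on a real system to see whether the cached metadata predates a change of the SSO fqdn.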
Created attachment 9753 [details] Patch for proposed fix
(In reply to Erik Damrose from comment #1)
> Created attachment 9753 [details]
> Patch for proposed fix

Okay, it's probably okay to always set the UCR variable. It is just an unnecessary step if we change the joinscript to do something else and might cause more join error feedback. But let's hope most systems have a robust state.
87e640f3 Always download IdP metadata when executing joinscript 92univention-management-console-web-server.inst
e11ca5ac yaml
univention-management-console 11.0.4-4A~4.4.0.201903131620
OK: everything works perfectly, even force-running the joinscript in a UMC session while being logged in via SAML.
OK: YAML
<http://errata.software-univention.de/ucs/4.4/25.html>