Bug 54813 - Regression, self-service no longer works on single sign on page
Regression, self-service no longer works on single sign on page
Status: NEW
Product: UCS
Classification: Unclassified
Component: Self Service
UCS 5.0
Other Linux
: P5 normal (vote)
: ---
Assigned To: UMC maintainers
UMC maintainers
Depends on:
  Show dependency treegraph
Reported: 2022-06-02 10:24 CEST by Horace
Modified: 2023-08-26 23:18 CEST (History)
4 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Note You need to log in before you can comment on or make changes to this bug.
Description Horace 2022-06-02 10:24:39 CEST
You are no longer able to access self-service from the ucs-sso subdomain. Any attempts results in the portal being temporarily unavailable. And I'm not quite sure when this began not to work when I happened to test it a couple of days ago.

How to reproduce:

1. Install UCS 5.0
2. Update packages and UCS to the latest errata.
3. Set UCS auth to SAML
4. Logout
5. Click on forget password.


Portal is temporarily unavailable.


See forget password form.


Added ProxyPassMatch /univention/selfservice/(.*)$0 retry=0 to the virtualhost 443 section in /etc/apache2/sites-available/univention-saml.conf.
Comment 1 Florian Best univentionstaff 2022-06-03 19:54:17 CEST
Hello, thank you for your feedback.
Unfortionately, it was never intended that the self-service works on ucs-sso.$domainname - this worked only accidentally as we need parts of the /univention/ scope also for the SAML login page.
Comment 2 stuckenbroeker 2023-06-01 12:05:58 CEST
Noted same behaviour on upgrade from 4.4-9 to 5.0-3, seems to be due to change of self service URL. Fix should IMHO be done in template for /etc/apache2/sso-vhost.conf.d/01redirect.conf line 9, add |selfservice in rewrite condition to get 4.4 compatible behavior or use UCR variables to overwrite URL for absolute URL to your portal FQDN (see https://forge.univention.org/bugzilla/show_bug.cgi?id=55098)
Comment 3 Mirac Erdemiroglu univentionstaff 2023-06-03 16:53:12 CEST
Customer affected Ticket#2023060121000093
UCS 5.0-3

The password forgotten link will be created wrong, if you are using SSO and update your system from UCS 4.4-9 to latest UCS 5.0-x

Possible Workaround for that:

Edit the template, it looks like there is missing |selfservice|



RewriteCond %%{REQUEST_URI} ^/univention/(login|management|self-service|portal|server-overview)/$
Comment 4 Horace 2023-08-26 23:18:19 CEST
This just hit me again today and I have forgotten about this bug report. I am very confused about the outcome of this ticket. What _is_ the proper fix here? And if https://forge.univention.org/bugzilla/show_bug.cgi?id=54813#c3 is the fix, why hasn't it been implemented? This is a fresh install of UCS 5.0 with self-service installed. With UCR passwordreset enabled. You have 'Forgot your password?' pointing to'https://ucs-sso.idp.domain.net/univention/selfservice/#/selfservice/passwordforgotten'.  How is it supposed to work out of the box? It seems to me the accident isn't completely fixed.