Description Erik Damrose 2022-09-13 18:59:30 CEST

Our Single Sign On setup with simplesamlphp can be reconfigured, as is for example described here:

https://help.univention.com/t/6681

If the SSO FQDN is changed from the default, one scenario does not work anymore:

Users can set their password on the SSO loginpage, if a password change is required at the next login. The password change request is done from our simplesamlphp theme in PHP. The request is done against the configured `hostfqdn` config option, which is currently hardcoded to UCR $hostname.$domainname.

If the SSO configuration has been changed, the password change will fail, and the syslog will show:

Sep  7 11:19:32 srv31672 simplesamlphp[1351]: 4 [e37b3df9e4] Error: SSL: no alternative certificate subject name matches target host name 'orig-hostname.domainname'
Sep  7 11:19:32 srv31672 simplesamlphp[1351]: 7 [e37b3df9e4] Password changing response: array (

The issue is, that by reconfiguring SSO, only the external apache2 virtualhost is available to access simplesamlphp, and the cert does not match (from the perspective of PHP, which uses the `hostfqdn` option).

Workaround: Copy /etc/apache2/sites-available/univention-saml.conf, edit it manually to provide a simplesamlphp VirtualHost for the UCR $hostname.domainname FQDN, with a matching SSL cert from /etc/univention/ssl/$hostname.$domainname. The apache2 conf has to be enabled and apache2 restarted.