Univention Bugzilla – Bug 55203
simplesamlphp option hostfqdn not configurable, password change on SSO login page not possible
Last modified: 2023-07-26 14:55:45 CEST
Our Single Sign On setup with simplesamlphp can be reconfigured, as is for example described here: https://help.univention.com/t/6681

If the SSO FQDN is changed from the default, one scenario does not work anymore: Users can set their password on the SSO login page if a password change is required at the next login.

The password change request is done from our simplesamlphp theme in PHP. The request is done against the configured `hostfqdn` config option, which is currently hardcoded to UCR $hostname.$domainname.

If the SSO configuration has been changed, the password change will fail, and the syslog will show:

Sep 7 11:19:32 srv31672 simplesamlphp[1351]: 4 [e37b3df9e4] Error: SSL: no alternative certificate subject name matches target host name 'orig-hostname.domainname'
Sep 7 11:19:32 srv31672 simplesamlphp[1351]: 7 [e37b3df9e4] Password changing response: array (

The issue is that by reconfiguring SSO, only the external apache2 virtualhost is available to access simplesamlphp, and the cert does not match (from the perspective of PHP, which uses the `hostfqdn` option).

Workaround: Copy /etc/apache2/sites-available/univention-saml.conf, edit it manually to provide a simplesamlphp VirtualHost for the UCR $hostname.domainname FQDN, with a matching SSL cert from /etc/univention/ssl/$hostname.$domainname. The apache2 conf has to be enabled and apache2 restarted.
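The certificate name mismatch behind the syslog error above can be reproduced and checked offline with openssl. This is an added example, not part of the bug report or of Univention's code; the FQDNs, file names and helper functions are constructed for illustration.

```shell
#!/bin/sh
# Added example: constructed FQDNs, not values from the bug report.
SSO_FQDN="sso.example.test"             # reconfigured SSO name (assumed)
HOST_FQDN="orig-hostname.example.test"  # stands in for $hostname.$domainname

# make_cert OUT_PEM NAME: self-signed test cert whose only SAN is NAME.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# fetch_cert HOST OUT_PEM: save the cert a live vhost presents for HOST (SNI).
# Not called in the offline demo; use it against a real server.
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -out "$2"
}

# cert_matches CERT_PEM NAME: exit 0 only if the cert is valid for NAME.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q "does match certificate"
}

# report CERT_PEM NAME: verdict a TLS client connecting to NAME would reach.
report() {
    if cert_matches "$1" "$2"; then
        echo "OK   $2"
    else
        echo "FAIL $2 (no subject alternative name matches)"
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir/sso.pem" "$SSO_FQDN"    # cert on the reconfigured vhost
    make_cert "$dir/host.pem" "$HOST_FQDN"  # cert for the workaround vhost
    report "$dir/sso.pem" "$SSO_FQDN"       # browser reaching the SSO page
    report "$dir/sso.pem" "$HOST_FQDN"      # request against hostfqdn: fails
    report "$dir/host.pem" "$HOST_FQDN"     # same request after the workaround
    rm -rf "$dir"
}
demo
```

Against a running system, `fetch_cert` followed by `cert_matches` with the name PHP uses for `hostfqdn` shows whether the password change request can validate the certificate.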
06296c44e2 | simplesamlphp option hostfqdn not configurable
OK univention-saml.yaml
<https://errata.software-univention.de/#/?erratum=5.0x753>