Univention Bugzilla – Full Text Bug Listing

| Summary: | SAML Single Sign-On issues with Let's Encrypt cert | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Valentin Heidelberger <heidelberger> |
| Component: | SAML | Assignee: | Jürn Brodersen <brodersen> |
| Status: | CLOSED FIXED | QA Contact: | Jannik Ahlers <ahlers> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, brodersen, damrose, gulden, michelsmidt, requate, scheinig |
| Version: | UCS 4.3 | | |
| Target Milestone: | UCS 4.3-2-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=54567 | | |
| What kind of report is it?: | Bug Report | What type of bug is this?: | 4: Minor Usability: Impairs usability in secondary scenarios |
| Who will be affected by this bug?: | 2: Will only affect a few installed domains | How will those affected feel about the bug?: | 3: A User would likely not purchase the product |
| User Pain: | 0.137 | Enterprise Customer affected?: | |
| School Customer affected?: | Yes | ISV affected?: | |
| Waiting Support: | Yes | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | 2018101521000551 | Bug group (optional): | |
| Max CVSS v3 score: | | | |
Description
Valentin Heidelberger
2018-08-30 14:42:48 CEST
It seems the joinscript 91univention-saml.inst is supposed to create the certificate and key below /etc/simplesamlphp used in the UCR vars saml/idp/certificate/*. It also seems that the cert and key used in saml/idp/certificate/* MUST be created by the UCS CA, which is probably the reason for the traceback mentioned above. I'm very certain the certificate creation by the join script didn't work for me before, but I couldn't reproduce that and either way it would be a separate issue.

Works now -> INVALID

The problem seems to be in "management/univention-management-console-frontend/usr/share/univention-management-console/saml/sp.py". The last -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block from the public key is used for the service provider configuration. But for Let's Encrypt that is the intermediate CA from Let's Encrypt. For the signature the private key for the server is used, which means the public key in the sp config does not correspond to the private key used to sign the SAML message.

We should test how certificate expiration is handled. That might become a problem as well.

(In reply to Jürn Brodersen from comment #3)
> We should test how certificate expiration is handled. That might become a
> problem as well

I checked this and it's not a problem with simplesamlphp. The simplesamlphp doesn't verify the certificate at the moment. The certificate is only used to extract the public key.

[4.3-2 0259bb2e22] Bug #47700: fix saml metadata creation for umc
[4.3-2 83704006d9] Bug #47700: Merge branch 'juern/b47700_saml_cert' into 4.3-2
[4.3-2 6bfaef93e1] Bug #47700: YAML

Package: univention-management-console
Version: 10.0.6-16A~4.3.0.201811131132
Branch: ucs_4.3-0
Scope: errata4.3-2

42aeb88875af | Bug #47700: Fix typo in yaml

OK: YAML (fixed typo)
OK: Code
OK: Functionality
OK: Tests
-> Verified
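The root cause described in the comments is a PEM-chain handling mistake: a Let's Encrypt certificate file carries the end-entity certificate first and the issuing intermediate after it, so taking the last `-----BEGIN CERTIFICATE-----` block puts the intermediate's public key into the SP metadata while the server's private key signs the SAML messages. The following Python is an added illustration written for this page; it is not the code of sp.py or of any UCS package. It splits a PEM file into its blocks, shows the defective "last block" selection beside a "first block" (end-entity) selection, and flags files that contain a chain at all. The sample chain and the function names are constructed for the example; the base64 bodies are placeholder payloads, not real DER certificates, so it runs offline.

```python
import re
import ssl

# Constructed sample: a PEM chain in the usual order (end-entity certificate
# first, issuing intermediate second). The bodies are NOT real DER certificates;
# they decode to the labels b"LEAF" and b"INTERMEDIATE" so the example runs offline.
SAMPLE_CHAIN_PEM = """\
-----BEGIN CERTIFICATE-----
TEVBRg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRF
-----END CERTIFICATE-----
"""

# Matches one complete CERTIFICATE block, including its BEGIN/END markers.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_certificates(pem_text):
    """Return every CERTIFICATE block in the file, in file order."""
    return _PEM_BLOCK.findall(pem_text)


def pem_to_der(block):
    """Decode one PEM block to its DER bytes (stdlib helper; rejects malformed blocks)."""
    return ssl.PEM_cert_to_DER_cert(block)


def select_last_block(pem_text):
    """The defective selection described in the bug: the LAST block in the file.

    For a chain file this is the intermediate CA, not the server certificate,
    so the public key published in the SP metadata does not match the private
    key that actually signs the SAML messages.
    """
    blocks = split_pem_certificates(pem_text)
    if not blocks:
        raise ValueError("no CERTIFICATE block found")
    return blocks[-1]


def select_end_entity_block(pem_text):
    """Select the FIRST block: in a standard chain file this is the end-entity
    certificate whose public key corresponds to the server's private key."""
    blocks = split_pem_certificates(pem_text)
    if not blocks:
        raise ValueError("no CERTIFICATE block found")
    return blocks[0]


def sp_certificate_report(pem_text):
    """Describe how the two selection strategies differ for a given file.

    Returns a dict with the number of blocks and whether the defective
    'last block' choice would publish a different certificate than the
    end-entity one. Only a chain file (more than one block) is affected.
    """
    blocks = split_pem_certificates(pem_text)
    last = blocks[-1] if blocks else None
    first = blocks[0] if blocks else None
    return {
        "blocks": len(blocks),
        "is_chain": len(blocks) > 1,
        "last_differs_from_end_entity": bool(blocks) and pem_to_der(last) != pem_to_der(first),
    }


if __name__ == "__main__":
    report = sp_certificate_report(SAMPLE_CHAIN_PEM)
    print("blocks in file:", report["blocks"])
    print("last block decodes to:", pem_to_der(select_last_block(SAMPLE_CHAIN_PEM)))
    print("first block decodes to:", pem_to_der(select_end_entity_block(SAMPLE_CHAIN_PEM)))
    if report["last_differs_from_end_entity"]:
        print("chain file: 'last block' selection would publish the wrong certificate")
```

Note that, as the comments point out, simplesamlphp only extracts the public key from the metadata certificate and does not validate it, so the mismatch shows up as signature verification failures rather than as a certificate error. A real deployment should pair the block selection with a check that the chosen certificate's public key matches the signing private key; that check needs an X.509 parser (for example the `cryptography` package) and is outside what this stdlib-only example does.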