Bug 48198 - Joinscript 92univention-management-console-web-server.inst does not (re-)download metadata if executed again
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 4.3
Hardware/OS: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-0-errata
Assigned To: Erik Damrose
QA Contact: Florian Best
Reported: 2018-11-23 13:12 CET by Erik Damrose
Modified: 2019-03-27 13:29 CET (History)
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.143
School Customer affected?: Yes
Ticket number: 2018110921000435

Attachments
Patch for proposed fix (974 bytes, patch)
2018-11-23 13:12 CET, Erik Damrose
Description Erik Damrose univentionstaff 2018-11-23 13:12:01 CET
When setting UCRv umc/saml/idp-server, a UCR module (re-)downloads the metadata from the URL given as parameter. In the joinscript the value is only set conditionally, so force-executing the joinscript does not redownload the metadata. If
* the metadata at the given URL changes, or
* UCRv ucs/server/sso/fqdn changes (the default value is derived from this),

the UMC will not update its metadata, and logins with a valid SAML session will fail with an error in umc-web-server.log:

SamlError: 500 The issuer 'None' is now known to the SAML service provider. This is probably a misconfiguration and might be resolved by restarting the univention-management-console-web-server.

Workaround:
ucr unset umc/saml/idp-server
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst

Possible fix: Always set the UCRv while deleting any already downloaded metadata XML files.
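An added check for the stale-metadata condition described above (example code, not part of this bug report and not UCS code): it compares the issuer (entityID) in the IdP metadata the service provider has cached with the metadata currently published at the configured URL. Both XML documents below are constructed samples; the hostnames and the metadata.php/SSOService.php paths are assumptions.

```python
# Detect a service provider whose cached IdP metadata names a different
# issuer than the live IdP, which is the state that produces the
# "issuer ... not known to the SAML service provider" failure.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: metadata cached before the SSO FQDN changed.
CACHED_METADATA = f"""<EntityDescriptor xmlns="{MD}"
    entityID="https://ucs-sso.example.com/simplesamlphp/saml2/idp/metadata.php">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://ucs-sso.example.com/simplesamlphp/saml2/idp/SSOService.php"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed sample: what the IdP publishes now, wrapped in an
# EntitiesDescriptor to show the other common document shape.
PUBLISHED_METADATA = f"""<EntitiesDescriptor xmlns="{MD}">
  <EntityDescriptor entityID="https://sso.example.com/simplesamlphp/saml2/idp/metadata.php">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://sso.example.com/simplesamlphp/saml2/idp/SSOService.php"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def entity_id(metadata_xml: str) -> str:
    """Return the entityID of the first EntityDescriptor in a SAML metadata document."""
    root = ET.fromstring(metadata_xml)
    tag = f"{{{MD}}}EntityDescriptor"
    desc = root if root.tag == tag else root.find(tag)
    if desc is None or not desc.get("entityID"):
        raise ValueError("metadata contains no EntityDescriptor with an entityID")
    return desc.get("entityID")


def metadata_is_stale(cached_xml: str, published_xml: str) -> bool:
    """True when the cached copy names a different issuer than the published one."""
    return entity_id(cached_xml) != entity_id(published_xml)


def check_report(cached_xml: str, published_xml: str) -> str:
    """One-line verdict an operator can act on (re-download the metadata when STALE)."""
    cached, published = entity_id(cached_xml), entity_id(published_xml)
    if cached == published:
        return f"OK: cached IdP metadata matches published issuer {published}"
    return f"STALE: SP knows issuer {cached} but IdP now publishes {published}"
```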
Comment 1 Erik Damrose univentionstaff 2018-11-23 13:12:39 CET
Created attachment 9753 [details]
Patch for proposed fix
Comment 2 Florian Best univentionstaff 2019-03-12 17:04:43 CET
(In reply to Erik Damrose from comment #1)
> Created attachment 9753 [details]
> Patch for proposed fix
Okay, it's probably okay to always set the UCR variable.
It is just an unnecessary step if we change the joinscript to do something else and might cause more join error feedback. But let's hope most systems have a robust state.
Comment 3 Erik Damrose univentionstaff 2019-03-13 16:26:30 CET
87e640f3 Always download IdP metadata when executing joinscript 92univention-management-console-web-server.inst
e11ca5ac yaml

univention-management-console 11.0.4-4A~4.4.0.201903131620
Comment 4 Florian Best univentionstaff 2019-03-15 16:54:20 CET
OK: everything works perfectly, even force-running the joinscript in a UMC session while being logged in via SAML.
OK: YAML
Comment 5 Arvid Requate univentionstaff 2019-03-27 13:29:25 CET
<http://errata.software-univention.de/ucs/4.4/25.html>