Single Sign On setup failed (join-script fails with various errors)

Problem:

  • The join script 92univention-management-console-web-server.inst fails with various Single Sign-On errors.

Possible solutions:

  • If you use an external DNS server on which you can configure only one record, see SDB article 1352. As a workaround you can temporarily configure the UCS master as DNS server and rerun the join scripts; once the join has succeeded, switch back to the external DNS server.

  • Can the browser resolve and reach the SSO URI (https://ucs-sso.$domainname/)?
    Opening that address in a browser should show a page with the Univention logo. If it does not, check whether a virtual host entry exists in /etc/apache2/sites-available/univention-saml and whether the certificate for ucs-sso.$domainname exists:

  ```
  ls -l /etc/univention/ssl/ucs-sso* /etc/simplesamlphp/ucs-sso*
  -rw-r--r-- 1 root samlcgi         5445 Jan 29 12:43 /etc/simplesamlphp/ucs-sso.univention.local-idp-certificate.crt
  -rw-r----- 1 root samlcgi         1675 Jan 29 12:43 /etc/simplesamlphp/ucs-sso.univention.local-idp-certificate.key
  /etc/univention/ssl/ucs-sso.univention.local:
  total 20
  -rw-r----- 1 root DC Backup Hosts 5381 Feb 18 16:18 cert.pem
  -rw-r----- 1 root DC Backup Hosts 2797 Feb 18 16:18 openssl.cnf
  -rw-r----- 1 root DC Backup Hosts 1675 Feb 18 16:18 private.key
  -rw-r----- 1 root DC Backup Hosts 1289 Feb 18 16:18 req.pem
  ```

    If the virtual host or the certificate is missing, run:

  ```
  univention-run-join-scripts --force --run-scripts 91univention-saml.inst
  ucr commit /etc/apache2/sites-available/univention-saml
  invoke-rc.d apache2 restart
  ```
  • Check whether the host record "ucs-sso" exists and carries the correct IP address(es):

  ```
  univention-ldapsearch relativeDomainName=ucs-sso univentionObjectType aRecord
  ```
    univentionObjectType should be "dns/host_record", and the aRecord attribute should contain the IP addresses of the master and of the backup servers; all of them must be pingable and resolvable.

  • If you find the following curl message in join.log:

  ```
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                   Dload  Upload   Total   Spent    Left  Speed
    0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  curl: (51) SSL: certificate subject name 'mdc.univention.local' does not match target host name 'ucs-sso.univention.local'
  ```

    then the certificate presented for ucs-sso.univention.local was issued to a different name (here mdc.univention.local), so curl refuses the TLS connection. Check:
    • that the UCR variable ucs/server/sso/fqdn contains ucs-sso.univention.local (ucr get ucs/server/sso/fqdn)
    • that the ucs-sso certificate, and not the host's own certificate, is the one configured in /etc/apache2/sites-enabled/univention-saml
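The following shell script is an added example for this article; it is not part of the SDB entry or of UCS. It reproduces the name check that curl performs before reporting error 51, so that the certificate Apache serves for the SSO virtual host can be verified from the shell against the value of ucs/server/sso/fqdn. It assumes only that openssl (1.1.1 or newer, for -ext and -addext) is in PATH; the two self-signed certificates it generates are constructed throwaway data, one issued to mdc.univention.local only (the mismatch from the join.log excerpt) and one issued to ucs-sso.univention.local plus a wildcard, which also shows the single-label wildcard rule.

```shell
#!/bin/sh
# Added example (not from the SDB article or UCS): reproduce curl's
# certificate-name check behind "curl: (51) SSL: certificate subject name
# ... does not match target host name ...".
# Assumes: openssl 1.1.1+ in PATH.
# Usage on a UCS system (paths taken from the article):
#   cert_matches_host /etc/univention/ssl/ucs-sso.$domainname/cert.pem \
#       "$(ucr get ucs/server/sso/fqdn)"

# Print the DNS names a certificate is valid for, one per line. Like curl
# and browsers, the subject CN is consulted only if there is no DNS SAN.
cert_names() {
    sans=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
           | grep -o 'DNS:[^, ]*' | sed 's/^DNS://')
    if [ -n "$sans" ]; then
        printf '%s\n' "$sans"
    else
        openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
          | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
    fi
}

# Does one certificate name cover HOST? Exact match, or a wildcard whose
# "*" stands for exactly one DNS label (RFC 6125 rules).
name_matches() {
    name="$1"; host="$2"
    case "$name" in
        "$host") return 0 ;;
        \*.*)
            suffix="${name#\*.}"
            case "$host" in
                *."$suffix")
                    # the part replaced by "*" must be a single label
                    [ "${host%."$suffix"}" = "${host%%.*}" ] && return 0 ;;
            esac ;;
    esac
    return 1
}

# Exit 0 if the certificate CERT covers HOST, 1 otherwise (curl's decision).
cert_matches_host() {
    rc=1
    set -f   # keep names like *.univention.local from pathname expansion
    for n in $(cert_names "$1"); do
        name_matches "$n" "$2" && rc=0
    done
    set +f
    return $rc
}

# Constructed demo certificates (self-signed, throwaway): one issued only to
# mdc.univention.local as in the join.log error, one issued to the SSO name
# plus a wildcard. Prints the directory holding them.
make_demo_certs() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=mdc.univention.local" \
        -keyout "$d/mdc.key" -out "$d/mdc.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=ucs-sso.univention.local" \
        -addext "subjectAltName=DNS:ucs-sso.univention.local,DNS:*.univention.local" \
        -keyout "$d/sso.key" -out "$d/sso.crt" 2>/dev/null
    echo "$d"
}

demo() {
    d=$(make_demo_certs)
    for c in mdc sso; do
        if cert_matches_host "$d/$c.crt" ucs-sso.univention.local; then
            echo "$c.crt: matches ucs-sso.univention.local"
        else
            echo "$c.crt: does NOT match ucs-sso.univention.local -> curl error 51"
        fi
    done
    rm -rf "$d"
}
demo
```

On a UCS system, point cert_matches_host at the certificate that the univention-saml virtual host actually references (the SSLCertificateFile in /etc/apache2/sites-enabled/univention-saml) rather than at the file you expect it to use; the join.log error means the two differ.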