Univention Corporate Server (UCS)

ID #1352

Configure SAML Single Sign-On as single server solution

Problem

The default UCS Single Sign-On setup uses an additional DNS record that is shared between the master and backup servers to provide a fail-safe setup.
That default DNS record is ucs-sso.<domainname>.
In certain setups, e.g. when operating UCS in a cloud scenario, only one external DNS record is available for a server.

Solution

The following commands configure the single sign-on identity provider for a different DNS record. Set FQDN to the external name of the server before running them.

FQDN=externaldns.ucsmaster.example

ucr set ucs/server/sso/autoregistraton=no \
        saml/idp/entityID="https://${FQDN}/simplesamlphp/saml2/idp/metadata.php" \
        saml/idp/certificate/privatekey="/etc/simplesamlphp/${FQDN}-idp-certificate.key" \
        saml/idp/certificate/certificate="/etc/simplesamlphp/${FQDN}-idp-certificate.crt" \
        ucs/server/sso/fqdn=$FQDN \
        umc/saml/sp-server=$FQDN \
        ucs/server/sso/virtualhost=false \
        apache2/ssl/certificate=/etc/univention/ssl/${FQDN}/cert.pem \
        apache2/ssl/key=/etc/univention/ssl/${FQDN}/private.key
       
echo "ServerName $FQDN" >>/etc/apache2/ucs-sites.conf.d/servername.conf

univention-run-join-scripts --force --run-scripts 91univention-saml.inst
ucr set umc/saml/idp-server=https://${FQDN}/simplesamlphp/saml2/idp/metadata.php
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst

The server can now be accessed by its external DNS Name, in this example https://externaldns.ucsmaster.example.
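After re-running the join scripts, the identity provider metadata served under the new name should reference only that name: a stale entityID or an endpoint still pointing at ucs-sso.<domainname> is the usual reason service providers reject the changed IdP. The following check is an added example, not part of this article or of UCS; it parses standard SAML 2.0 metadata (the format simplesamlphp serves at .../saml2/idp/metadata.php) and lists every mismatch against the configured FQDN. The metadata document is constructed here; on a real system fetch it with curl from https://${FQDN}/simplesamlphp/saml2/idp/metadata.php and pass that text in.

```python
"""Check that SAML IdP metadata is consistent with the configured SSO FQDN."""
from typing import List
from urllib.parse import urlparse
import xml.etree.ElementTree as ET


def check_idp_metadata(xml_text: str, fqdn: str) -> List[str]:
    """Return a list of problems; an empty list means the metadata matches fqdn."""
    root = ET.fromstring(xml_text)
    problems = []
    # The entityID must be exactly what was set via saml/idp/entityID above.
    expected_entity_id = f"https://{fqdn}/simplesamlphp/saml2/idp/metadata.php"
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        problems.append(f"entityID is {entity_id!r}, expected {expected_entity_id!r}")
    # Every endpoint (SingleSignOnService, SingleLogoutService, ...) must use
    # HTTPS and the configured host, otherwise browsers get sent to the old name.
    for el in root.iter():
        loc = el.get("Location")
        if loc is None:
            continue
        tag = el.tag.split("}")[-1]
        u = urlparse(loc)
        if u.scheme != "https":
            problems.append(f"{tag} Location {loc!r} is not https")
        if u.hostname != fqdn:
            problems.append(f"{tag} Location {loc!r} does not use host {fqdn!r}")
    return problems


# Constructed sample: one endpoint still carries the default ucs-sso record.
SAMPLE = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://externaldns.ucsmaster.example/simplesamlphp/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://ucs-sso.example.com/simplesamlphp/saml2/idp/SingleLogoutService.php"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://externaldns.ucsmaster.example/simplesamlphp/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for problem in check_idp_metadata(SAMPLE, "externaldns.ucsmaster.example"):
        print("PROBLEM:", problem)
```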

Warning

This configuration enables an Apache-wide suexec configuration for the single sign-on. Web pages and apps that require CGI scripts to be executed will run into problems; check /var/log/apache2/suexec.log. These programs need to be adapted separately.

Tags: SAML, Single Sign-On, SSO, UCS 4.1

Last update: 2017-03-29 12:39
Author: Erik Damrose
Revision: 1.3
