Bug 39564 - Recognize SAML assertion and redirect to SSO login
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.1
Other Linux
: P5 normal
: UCS 4.1
Assigned To: Florian Best
Stefan Gohmann
: interim-2
: 38583
Depends on: 39605
Reported: 2015-10-15 16:01 CEST by Stefan Gohmann
Modified: 2016-04-29 10:43 CEST
Description Stefan Gohmann univentionstaff 2015-10-15 16:01:02 CEST
The UMC login should recognize if the user already has a SAML assertion and redirect automatically to the SSO page.

Scenario:
1. open UMC on the master
2. click on the SSO button
3. login
4. do some stuff in UMC
5. open a new browser tab and open UMC on the backup
6. the user is directly in UMC
Comment 1 Florian Best univentionstaff 2015-10-19 13:10:05 CEST
There is currently a race condition as the cookie is exchanged during renewal of the SAML session.
Comment 2 Florian Best univentionstaff 2015-10-19 17:35:27 CEST
(In reply to Florian Best from comment #1)
> There is currently a race condition as the cookie is exchanged during
> renewal of the SAML session.
→ fixed

This has been implemented. A timeout of 3 seconds has been added. If SSO takes longer, the request is aborted and the regular login dialog can be used.
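The timeout-and-fallback behaviour described in comment 2, sketched as an added example (this is not UMC's code). `tryAutoSso`, `fakeIdp` and the result fields are hypothetical names, and the identity provider is simulated with constructed delays:

```javascript
// Added example, not the UMC implementation. All names here are hypothetical.
const SSO_TIMEOUT_MS = 3000; // the 3 second limit mentioned in comment 2

// ssoRequest(signal) returns a promise resolving to true when the identity
// provider confirmed an existing SSO session; it should stop work on abort.
async function tryAutoSso(ssoRequest, timeoutMs = SSO_TIMEOUT_MS) {
  const controller = new AbortController();
  let timer;
  const timeout = new Promise((resolve) => {
    timer = setTimeout(() => {
      // Settle the fallback first, then cancel the in-flight request, so a
      // late answer can never win after the login dialog has been chosen.
      resolve({ mode: 'login-dialog', reason: 'timeout' });
      controller.abort();
    }, timeoutMs);
  });
  const attempt = ssoRequest(controller.signal).then(
    (ok) => (ok
      ? { mode: 'sso', reason: 'assertion-accepted' }
      : { mode: 'login-dialog', reason: 'no-sso-session' }),
    // Any failure (network error, IdP down) degrades to the regular login.
    () => ({ mode: 'login-dialog', reason: 'idp-unreachable' })
  );
  try {
    return await Promise.race([attempt, timeout]);
  } finally {
    clearTimeout(timer); // do not leave the timer running after a fast answer
  }
}

// Constructed stand-in for the identity provider: answers after delayMs with
// true/false, or fails when outcome is 'error'. Rejects if aborted.
function fakeIdp(delayMs, outcome) {
  return (signal) => new Promise((resolve, reject) => {
    const t = setTimeout(() => (outcome === 'error'
      ? reject(new Error('IdP unreachable'))
      : resolve(outcome)), delayMs);
    signal.addEventListener('abort', () => {
      clearTimeout(t);
      reject(new Error('aborted'));
    });
  });
}

// Demo with shortened, constructed timings: the IdP is slower than the limit.
tryAutoSso(fakeIdp(50, true), 20).then((r) => console.log(r.mode, r.reason));
```

Every failure path ends in the regular login dialog, so an unreachable or slow identity provider never locks the user out of password login.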
Comment 3 Stefan Gohmann univentionstaff 2015-10-23 13:30:51 CEST
It works with Chrome but not with Firefox, at least not with Firefox 41.0.2. I've created a new Firefox profile for my test case.

The console output:

unreachable code after return statement dojo.js.uncompressed.js:5836:3
Synchrone XMLHttpRequests am Haupt-Thread sollte nicht mehr verwendet werden, weil es nachteilige Effekte für das Erlebnis der Endbenutzer hat. Für weitere Hilfe siehe http://xhr.spec.whatwg.org/ dojo.js.uncompressed.js:324:0
gfx renderer = svg dojo.js.uncompressed.js:18210:5
EXPERIMENTAL: dojox.timing -- APIs subject to change without notice. dojo.js.uncompressed.js:84853:4
EXPERIMENTAL: dojox.grid.EnhancedGrid -- APIs subject to change without notice. dojo.js.uncompressed.js:84853:4
EXPERIMENTAL: dojox.widget.Standby -- APIs subject to change without notice. dojo.js.uncompressed.js:84853:4
WARNING: Modules being Auto-Required: umc/app/SingleSignOn dojo.js.uncompressed.js:95345:1
getAttributeNode() sollte nicht mehr verwendet werden. Verwenden Sie stattdessen getAttribute(). dojo.js.uncompressed.js:16884:0
POST XHR https://10.201.44.2/univention-management-console/get/session-info [HTTP/1.1 401 Unauthorized 9ms]
default  ss created:  CSSStyleSheet { ownerRule: null, cssRules: CSSRuleList[0], type: "text/css", href: null, ownerNode: <style>, parentStyleSheet: null, title: "", media: MediaList[0], disabled: false } dojo.js.uncompressed.js:33563:5
insertRule: .umcBackground {background: inherit!important;} dojo.js.uncompressed.js:33442:3
Konnte den Identity Provider zum automatisch Single Sign-On nicht erreichen. dojo.js.uncompressed.js:81167:5
Object { message: "Unable to load /univention-manageme…", stack: ".cache["dojo/errors/create"]/</</Er…", response: Object } dojo.js.uncompressed.js:81165:5
Comment 4 Erik Damrose univentionstaff 2015-10-23 13:48:57 CEST
It's unclear to me if the following behaviour is due to this implementation, but upon entering the login screen the HTTP warning is first shown and subsequently disappears (due to a reload?)
Comment 5 Stefan Gohmann univentionstaff 2015-10-23 13:56:45 CEST
(In reply to Erik Damrose from comment #4)
> It's unclear to me if the following behaviour is due to this implementation,
> but upon entering the login screen the http warning is first shown and
> subsequently disappears (due to a reload?)

No, a reload doesn't help. In Firefox it works directly if I click on the Single-Sign-On button.
Comment 6 Erik Damrose univentionstaff 2015-10-23 14:02:58 CEST
What I observe happens automatically; I do not click anything after browsing to /umc. The insecure connection warning appears and retracts under the login box.
Comment 7 Florian Best univentionstaff 2015-10-30 12:59:10 CET
Autologin via Firefox has been fixed.
Displaying of the "insecure connection"-warning via HTTP has also been fixed.
Comment 8 Stefan Gohmann univentionstaff 2015-10-31 10:52:01 CET
Bug #39605 must be fixed first. Currently, the SSO link is always disabled in my test environment.
Comment 9 Stefan Gohmann univentionstaff 2015-11-03 16:03:41 CET
Yes, it works with Firefox, Chrome and MS Edge. Tested on Master, Backup, Slave and Member.
Comment 10 Stefan Gohmann univentionstaff 2015-11-17 12:11:38 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".
Comment 11 Jürn Brodersen univentionstaff 2016-04-29 10:43:35 CEST
*** Bug 38583 has been marked as a duplicate of this bug. ***