Univention Bugzilla – Bug 39564
Recognize SAML assertion and redirect to SSO login
Last modified: 2016-04-29 10:43:35 CEST
The UMC login should recognize if the user already has a SAML assertion and redirect automatically to the SSO page.

Scenario:
1. open UMC on the master
2. click on the SSO button
3. login
4. do some stuff in UMC
5. open a new browser tab and open UMC on the backup
6. the user is directly in UMC
There is currently a race condition as the cookie is exchanged during renewal of the SAML session.
(In reply to Florian Best from comment #1)
> There is currently a race condition as the cookie is exchanged during
> renewal of the SAML session.
→ fixed

This has been implemented. A timeout of 3 seconds has been added. If SSO takes longer, the request is aborted and the regular login dialog can be used.
It works with Chrome but not with Firefox, at least with Firefox 41.0.2. I've created a new Firefox profile for my test case.

The console output:

unreachable code after return statement dojo.js.uncompressed.js:5836:3
Synchrone XMLHttpRequests am Haupt-Thread sollte nicht mehr verwendet werden, weil es nachteilige Effekte für das Erlebnis der Endbenutzer hat. Für weitere Hilfe siehe http://xhr.spec.whatwg.org/ dojo.js.uncompressed.js:324:0
gfx renderer = svg dojo.js.uncompressed.js:18210:5
EXPERIMENTAL: dojox.timing -- APIs subject to change without notice. dojo.js.uncompressed.js:84853:4
EXPERIMENTAL: dojox.grid.EnhancedGrid -- APIs subject to change without notice. dojo.js.uncompressed.js:84853:4
EXPERIMENTAL: dojox.widget.Standby -- APIs subject to change without notice. dojo.js.uncompressed.js:84853:4
WARNING: Modules being Auto-Required: umc/app/SingleSignOn dojo.js.uncompressed.js:95345:1
getAttributeNode() sollte nicht mehr verwendet werden. Verwenden Sie stattdessen getAttribute(). dojo.js.uncompressed.js:16884:0
POST XHR https://10.201.44.2/univention-management-console/get/session-info [HTTP/1.1 401 Unauthorized 9ms]
default ss created: CSSStyleSheet { ownerRule: null, cssRules: CSSRuleList[0], type: "text/css", href: null, ownerNode: <style>, parentStyleSheet: null, title: "", media: MediaList[0], disabled: false } dojo.js.uncompressed.js:33563:5
insertRule: .umcBackground {background: inherit!important;} dojo.js.uncompressed.js:33442:3
Konnte den Identity Provider zum automatisch Single Sign-On nicht erreichen. dojo.js.uncompressed.js:81167:5
Object { message: "Unable to load /univention-manageme…", stack: ".cache["dojo/errors/create"]/</</Er…", response: Object } dojo.js.uncompressed.js:81165:5
It's unclear to me if the following behaviour is due to this implementation, but upon entering the login screen the HTTP warning is first shown and subsequently disappears (due to a reload?).
(In reply to Erik Damrose from comment #4)
> It's unclear to me if the following behaviour is due to this implementation,
> but upon entering the login screen the HTTP warning is first shown and
> subsequently disappears (due to a reload?)

No, a reload doesn't help. In Firefox it works directly if I click on the Single-Sign-On button.
What I observe happens automatically; I do not click anything after browsing to /umc. The insecure connection warning appears and retracts under the login box.
Autologin via Firefox has been fixed. Displaying of the "insecure connection"-warning via HTTP has also been fixed.
Bug #39605 must be fixed first. Currently, the SSO link is always disabled in my test environment.
Yes, it works with Firefox, Chrome and MS Edge. Tested on Master, Backup, Slave and Member.
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".
*** Bug 38583 has been marked as a duplicate of this bug. ***