Bug 46576 – Several browsers: Fallback to saml/ldap only after browser password popup

Bug 46576 - Several browsers: Fallback to saml/ldap only after browser password popup


Summary:	Several browsers: Fallback to saml/ldap only after browser password popup

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	SAML
Version:	UCS 4.3
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.3
Assigned To:	Erik Damrose
QA Contact:	Jürn Brodersen

URL:
Keywords:	interim-4

Depends on:
Blocks:	46579 47242
	Show dependency tree / graph

Reported:	2018-03-09 16:14 CET by Erik Damrose
Modified:	2018-06-25 13:35 CEST (History)
CC List:	0 users

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	3: A User would likely not purchase the product
User Pain:	0.103
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
credentials popup (16.88 KB, image/png) 2018-03-09 16:14 CET, Erik Damrose	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Erik Damrose

2018-03-09 16:14:34 CET

Created attachment 9458 [details]
credentials popup

The negotiate module used in simplesamlphp supports a fallback mode if no kerberos ticket is presented by the browser.

When using Chrome (65.0.3325.146), a popup asking for credentials is shown instead. When clicking cancel, the fallback login page for single sign-can be accessed.

Workaround: deactivate saml/kerberos: ucr set saml/idp/authsource=univention-ldap

Comment 1 Erik Damrose

2018-03-09 16:19:11 CET

Also with internet explorer 11

Comment 2 Erik Damrose

2018-03-09 16:39:12 CET

Also a problem with MS Edge.

Only firefox works without an extra popup

Comment 3 Erik Damrose

2018-03-09 16:39:57 CET

Tested on windows computers joined into a samba4 domain

Comment 4 Erik Damrose

2018-03-09 17:35:28 CET

As discussed, we set the default to the old ldap auth method with

ucr set saml/idp/authsource?univention-ldap

I adapted the UCRv description

d0b9cfbd Change auth default module to univention-ldap
univention-saml 5.0.4-17A~4.3.0.201803091732
fca74bbc changelog

Comment 5 Jürn Brodersen

2018-03-09 18:21:31 CET

Changes OK
Changelog OK

Comment 6 Stefan Gohmann

2018-03-14 14:38:49 CET

UCS 4.3 has been released:
 https://docs.software-univention.de/release-notes-4.3-0-en.html
 https://docs.software-univention.de/release-notes-4.3-0-de.html

If this error occurs again, please use "Clone This Bug".