Bug 39605 - Show SSO link only if ucs-sso is reachable
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.1
Other Linux
: P5 normal (vote)
: UCS 4.1
Assigned To: Florian Best
Stefan Gohmann
: interim-2
Depends on:
Blocks: 39564 39606 39975
Reported: 2015-10-21 06:36 CEST by Stefan Gohmann
Modified: 2015-11-17 12:12 CET
Description Stefan Gohmann univentionstaff 2015-10-21 06:36:02 CEST
The Single Sign On link should only be shown if the configured identity provider, for example ucs-sso, can be reached by the browser.

If the identity provider can't be reached, the link should go to an SDB article:
 http://sdb.univention.de/1351

Maybe the link should be visible as broken, for example crossed out.
Comment 1 Florian Best univentionstaff 2015-10-28 15:40:59 CET
done!
Comment 2 Florian Best univentionstaff 2015-10-29 19:09:34 CET
This only works on a DC Master/DC Backup because the UCR variable ucs/server/sso/fqdn is not set on a DC Slave/Memberserver.
Comment 3 Stefan Gohmann univentionstaff 2015-10-31 10:56:41 CET
Strange, on my test system the SSO link is disabled if I use https and it is enabled if I use http:

OK → http://10.201.44.1/univention-management-console/
FAIL → https://10.201.44.1/univention-management-console/
Comment 4 Florian Best univentionstaff 2015-10-31 13:23:23 CET
I changed the request so that it uses the same protocol.
Comment 5 Stefan Gohmann univentionstaff 2015-11-02 07:24:43 CET
I've started with a new Firefox profile. On master and backup it looks good, but on a member server I see the following message:

Quellübergreifende (Cross-Origin) Anfrage blockiert: Die Gleiche-Quelle-Regel verbietet das Lesen der externen Ressource auf http://ucs-sso.deadlock44.intranet/simplesamlphp/blank.json. (Grund: CORS-Kopfzeile 'Access-Control-Allow-Origin' stimmt nicht mit 'http://10.201.44.1' überein).

I see the same problem with Microsoft Edge (Windows 10) and Chromium 45.
Comment 6 Florian Best univentionstaff 2015-11-03 12:28:32 CET
(In reply to Stefan Gohmann from comment #5)
> I've started with a new firefox profile. On master and backup it looks good
> but on a member server I see the following message:
> 
> Quellübergreifende (Cross-Origin) Anfrage blockiert: Die
> Gleiche-Quelle-Regel verbietet das Lesen der externen Ressource auf
> http://ucs-sso.deadlock44.intranet/simplesamlphp/blank.json. (Grund:
> CORS-Kopfzeile 'Access-Control-Allow-Origin' stimmt nicht mit
> 'http://10.201.44.1' überein).
> 
> I see the same problem with Microsoft Edge (Windows 10) and Chromium 45.
Yes, this was because the response was cached. Caching is now prevented.
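
The failure discussed in comments 3 to 6, as an added example that is not part of the bug thread and not Univention's code: a reachability probe built with the page's own protocol, and a model of how a cached response carrying another origin's `Access-Control-Allow-Origin` header fails the browser's CORS check. It assumes the identity provider echoes the request origin in that header; the function names and the `master.deadlock44.intranet` origin are constructed for illustration.

```javascript
// Added illustration. Models a server that reflects the request Origin in
// Access-Control-Allow-Origin and a cache keyed on the URL only.

// Build the probe URL with the page's own scheme so an https page never
// requests an http resource (browsers block that as mixed content).
function probeUrl(pageProtocol, ssoFqdn) {
  return `${pageProtocol}//${ssoFqdn}/simplesamlphp/blank.json`;
}

// Hypothetical identity-provider response: ACAO echoes the caller's origin.
function idpRespond(origin, noStore) {
  return {
    body: '{}',
    headers: {
      'access-control-allow-origin': origin,
      'cache-control': noStore ? 'no-store' : 'max-age=3600',
    },
  };
}

// Browser-side CORS check: ACAO must equal the requesting origin (or be "*").
function corsAllows(response, origin) {
  const acao = response.headers['access-control-allow-origin'];
  return acao === '*' || acao === origin;
}

// Minimal cache keyed on URL alone, ignoring the Origin request header.
function makeClient(noStore) {
  const cache = new Map();
  return function probe(url, origin) {
    let res = cache.get(url);
    if (!res) {
      res = idpRespond(origin, noStore);
      if (res.headers['cache-control'] !== 'no-store') cache.set(url, res);
    }
    return corsAllows(res, origin); // true => show the SSO link
  };
}

// Probe from two origins in sequence; returns [firstOk, secondOk].
function demo(noStore) {
  const probe = makeClient(noStore);
  const url = probeUrl('http:', 'ucs-sso.deadlock44.intranet');
  // First origin is constructed; the second is the member server from comment 5.
  return [probe(url, 'http://master.deadlock44.intranet'), probe(url, 'http://10.201.44.1')];
}
```

With caching allowed, the second origin receives the first origin's header and the check fails; with `no-store`, each origin gets a fresh response and both pass.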
Comment 7 Stefan Gohmann univentionstaff 2015-11-03 16:02:31 CET
It works. I've tested it with various browsers. If https is used, the certificate must be accepted first.
Comment 8 Stefan Gohmann univentionstaff 2015-11-17 12:12:17 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".