Bug 44217 – Login redirection loop

Bug 44217 - Login redirection loop


Summary:	Login redirection loop

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	UMC (Generic)
Version:	UCS 4.2
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 4.2-0-errata
Assigned To:	Florian Best
QA Contact:	Richard Ulmer

URL:
Keywords:

Duplicates:	44453 (view as bug list)
Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2017-04-03 09:44 CEST by Sönke Schwardt-Krummrich
Modified:	2017-06-15 17:58 CEST (History)
CC List:	5 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	6: Setup Problem: Issue for the setup process
Who will be affected by this bug?:	2: Will only affect a few installed domains
How will those affected feel about the bug?:	5: Blocking further progress on the daily work
User Pain:	0.343
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Screenshot (250.22 KB, image/png) 2017-04-25 13:12 CEST, Florian Best	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sönke Schwardt-Krummrich

2017-04-03 09:44:03 CEST

A partner added 
10.200.18.12  myucs   ucs-6529.foo.intranet  ucs-sso.foo.intranet
to /etc/hosts on local client. When trying to connect to https://myucs/umc/ there is a redirection loop between several login pages. 
If https://ucs-6529.foo.intranet/… is used, there is no problem. 

Could this lead to problems if additional CNAMEs/A/AAAA records are used for UCS systems that are e.g. located in a DMZ?

Comment 1 Sönke Schwardt-Krummrich

2017-04-03 09:44:34 CEST

The affected system has been updated from UCS 4.1 to UCS 4.2.

Comment 2 Alexander Kläser

2017-04-03 10:59:53 CEST

The problem might also be an effect of ongoing 4.2 development. I experienced a similar issue as my browser had cached some JS code which had been adapted some time between RC and final release.

Comment 3 Florian Best

2017-04-18 16:24:39 CEST

Is slapd, stunnel and memcache correctly running?

Comment 4 Florian Best

2017-04-24 09:37:22 CEST

*** Bug 44453 has been marked as a duplicate of this bug. ***

Comment 5 Stefan Gohmann

2017-04-25 05:53:57 CEST

(In reply to Florian Best from comment #4)
> *** Bug 44453 has been marked as a duplicate of this bug. ***

For me Bug #44453 is part of the setup process, so I'll increase the importance.

Comment 6 Florian Best

2017-04-25 13:12:02 CEST

Created attachment 8802 [details]
Screenshot

Yes, the reason is that the hostname is not the FQDN or IP of the service provider.

The "X-Frame-Options" header only allows SAMEORIGIN. The origin of "localhost" is then different to the FQDN of the service provider. This causes that the iframe for background-passive-authentication is not displayed. 
In chromium it works when unsetting X-Frame-Options explicit for /univention/saml/.

In firefox this doesn't work:
In the screenshot one can see that a request to https://localhost/saml/ is done. Then the single sign on at the IDP is done (SSOService.php) then there is a redirection to the FQDN(!) of the service provider. After the /auth/sso call one is redirected back to "localhost". This happens only in firefox somehow. But this cannot work because the Cookies are stored for the FQDN and not for "localhost".

Comment 7 Florian Best

2017-05-02 16:46:28 CEST

(In reply to Florian Best from comment #6)
> Created attachment 8802 [details]
> Screenshot
> 
> Yes, the reason is that the hostname is not the FQDN or IP of the service
> provider.
> 
> The "X-Frame-Options" header only allows SAMEORIGIN. The origin of
> "localhost" is then different to the FQDN of the service provider. This
> causes that the iframe for background-passive-authentication is not
> displayed. 
> In chromium it works when unsetting X-Frame-Options explicit for
> /univention/saml/.
The X-Frame-Options can be ignored because it only refuses the iframe to be displayed but the redirection inside of it still works.

> In firefox this doesn't work:
> In the screenshot one can see that a request to https://localhost/saml/ is
> done. Then the single sign on at the IDP is done (SSOService.php) then there
> is a redirection to the FQDN(!) of the service provider. After the /auth/sso
> call one is redirected back to "localhost". This happens only in firefox
> somehow. But this cannot work because the Cookies are stored for the FQDN
> and not for "localhost".
The handling of redirecting the user back to the location where she came from has been fixed so that the correct URL of the service provider is now used instead.

univention-management-console.yaml:
r79015 | YAML Bug #44217 Bug #44450 Bug #43859

univention-management-console (9.0.80-5):
r79013 | Bug #44450: Bug #44217: fix errors during SAML login

Comment 8 Richard Ulmer

2017-05-15 14:22:46 CEST

Seems to work great. -> Verified

Comment 9 Janek Walkenhorst

2017-06-15 17:58:07 CEST

<http://errata.software-univention.de/ucs/4.2/40.html>