Bug 46576 - Several browsers: Fallback to saml/ldap only after browser password popup
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.3
Other Linux
: P5 normal
: UCS 4.3
Assigned To: Erik Damrose
Jürn Brodersen
: interim-4
Depends on:
Blocks: 46579 47242
Reported: 2018-03-09 16:14 CET by Erik Damrose
Modified: 2018-06-25 13:35 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.103

credentials popup (16.88 KB, image/png)
2018-03-09 16:14 CET, Erik Damrose

Description Erik Damrose univentionstaff 2018-03-09 16:14:34 CET
Created attachment 9458
credentials popup

The negotiate module used in simplesamlphp supports a fallback mode if no Kerberos ticket is presented by the browser.

When using Chrome (65.0.3325.146), a popup asking for credentials is shown instead. When clicking cancel, the fallback login page for single sign-on can be accessed.

Workaround: deactivate saml/kerberos: ucr set saml/idp/authsource=univention-ldap
Comment 1 Erik Damrose univentionstaff 2018-03-09 16:19:11 CET
Also with Internet Explorer 11
Comment 2 Erik Damrose univentionstaff 2018-03-09 16:39:12 CET
Also a problem with MS Edge.

Only Firefox works without an extra popup
Comment 3 Erik Damrose univentionstaff 2018-03-09 16:39:57 CET
Tested on Windows computers joined into a samba4 domain
Comment 4 Erik Damrose univentionstaff 2018-03-09 17:35:28 CET
As discussed, we set the default to the old LDAP auth method with

ucr set saml/idp/authsource?univention-ldap

I adapted the UCRv description

d0b9cfbd Change auth default module to univention-ldap
univention-saml 5.0.4-17A~
fca74bbc changelog
Comment 5 Jürn Brodersen univentionstaff 2018-03-09 18:21:31 CET
Changes OK
Changelog OK
Comment 6 Stefan Gohmann univentionstaff 2018-03-14 14:38:49 CET
UCS 4.3 has been released:

If this error occurs again, please use "Clone This Bug".