Univention Bugzilla – Bug 47693
Support SSO-SAML authenticated usage of the HTTP-API-Import
Last modified: 2023-05-11 09:02:12 CEST
If a user is logged in via SAML, it is necessary to enter the user's password again to authenticate against the HTTP-API *every time* the "User import" module is opened. Especially when configuring / testing the import, this is very annoying (after a failed dry-run, it is necessary to close and re-open the module, afair).
This still persists and is annoying af, especially since more and more school customers switch to SAML because of external services. Today a customer had to enter their password four times to complete a single import run and download the password file (I witnessed this via TeamViewer):
1. Login UMC
2. Enter password again after opening the userimport module
3. Enter password again for the real run (after the dry-run)
4. Enter password again when clicking on "RELOAD" on the "Overview User Imports" grid (job was shown as "pending", although finished)
(In reply to Michael Grandjean from comment #1)
> Today a customer had to enter their password four times to complete a single
> import run and download the password file (I witnessed this via TeamViewer):
> 1. Login UMC
> 2. Enter password again after opening the userimport module
> 3. Enter password again for the real run (after the dry-run)
> 4. Enter password again when clicking on "RELOAD" on the "Overview User
> Imports" grid (job was shown as "pending", although finished)
Despite the fact that we should implement SAML, the behaviour looks broken. Afair the code should ask for the password in 2) and store it for 3) and 4) (at least if the same UMC process is used which has *not* been killed by the 10min timeout).
(In reply to Sönke Schwardt-Krummrich from comment #2)
> Despite the fact, that we should implement SAML, the behaviour looks broken.
> Afair the code should ask for the password in 2) and store it for 3) and 4)
> (at least if the same UMC process is used which has *not* been killed by the
> 10min timeout).
I asked the UMC team, and they also think that the password should be saved after the first query. If that's not the case, it's really a bug. A fix for that would take some annoyance out of it, wouldn't it?
Created attachment 9724
schoolimport logfile

Yes, it definitely would. However, I had a look at the logs again.
> (at least if the same UMC process is used which has *not* been killed by the 10min timeout).
That might be the culprit. But on the other hand, reviewing some users after the dry-run (why are there duplicates, are those that should be deleted correct ...?) and waiting for the import to finish can take more than 10 minutes each.
Still true, experienced this today on a customer system and it's so annoying ...
An underlying UMC issue has been fixed with bug 50670, this may be an issue with this specific UMC module - may be worth re-investigating here
Customer pointed out that issue during another ticket. It happens on the first opening of the module. He has to enter the credentials 3 to 6 times; he said it depends on how fast he enters the credentials. If fast, he needs to enter them 6 times; if slow, 3 times.
In some environments the UMC is now only accessible via SAML SSO, so the workaround to "not log in with SSO" to avoid the described behaviour is not available. This makes this bug even more annoying.
It looks like this bug is a duplicate of https://forge.univention.org/bugzilla/show_bug.cgi?id=50012
I attached the actual ticket to both bugs. You have to enter the password multiple times if you use SAML login.
*** Bug 50012 has been marked as a duplicate of this bug. ***
Unfortunately this is still broken and threatens project success. I will attach a video of the current behaviour in a fresh UCS@school 4.4v9 installation.
*** Bug 47054 has been marked as a duplicate of this bug. ***