Bug 51423 - Redirect to SAML login not working from multiple hostnames
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Depends on:
Blocks:
Reported: 2020-06-04 13:50 CEST by Valentin Heidelberger
Modified: 2020-06-04 15:52 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.057
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description, Valentin Heidelberger (univentionstaff), 2020-06-04 13:50:32 CEST
On the Univention portal, in the upper right-hand corner, there is a login button. A click on this button should lead to the SAML login if it is reachable from the user's browser; if not, it should lead to the normal login.

This doesn't seem to work reliably depending on the hostname that's being used to access the system.

I have a system called "master.ucs.demo" which provides SSO at "ucs-sso.ucs.demo".
This system is also reachable as "portal.ucs.demo" and "ucs.demo".

When I click on "login" using the portal on master.ucs.demo I get correctly redirected to ucs-sso.ucs.demo; when I do the same on portal.ucs.demo or simply ucs.demo I get the normal login, even though ucs-sso.ucs.demo is perfectly reachable.

I've dug a bit and found that the function "passiveSingleSignOn" in line 419 of /usr/share/univention-management-console-login/main.js catches an error while trying to parse the SAML iframe, which results in

deferred.cancel(error)

and the redirect to the normal login. The error is

TypeError: Cannot read property 'passive_single_sign_on_28urpi' of undefined
    at Function.t.doc (VM8 dojo.js:1617)
    at win.global.<computed> (VM13 main.js:430)
    at HTMLIFrameElement.onload ((index):1)


I don't know why that happens and don't see a reason why it shouldn't work from a feature perspective so far. If a customer decides to have their system reachable from multiple hostnames, that should work. A not-so-pretty "workaround" is to add a portal tile linking to /univention/saml/?location=/univention/portal/ - that works regardless of the hostname being used.
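The failure above is a page reading a callback off the SAML iframe's global object and getting `undefined`. The following is an added example, not Univention's main.js, that models that step defensively so the login page can distinguish "SSO unreachable" from "iframe document not readable". It assumes (the report does not confirm this) that the SAML flow always returns to one fixed service-provider origin, https://master.ucs.demo, so a page served from portal.ucs.demo cannot read the iframe under the same-origin policy; the hostnames and callback name are taken from the report.

```javascript
// Added example (not Univention code). Models the decision behind the
// passiveSingleSignOn step from the report: the login page opens the SAML
// flow in an iframe and then looks for a callback on the iframe's global.
// Assumption (not confirmed on the page): the SAML flow returns to a fixed
// SP origin, so a page served from another hostname cannot read the iframe
// document under the browser's same-origin policy.

// Origin the SAML assertion consumer service lives on (assumed for the demo).
const SP_ACS_URL = 'https://master.ucs.demo/univention/saml/';

// Pre-flight: will this page be able to read the iframe document once the
// SAML flow returns? Only same-origin documents are readable.
function passiveSsoReadable(pageUrl, acsUrl = SP_ACS_URL) {
  return new URL(pageUrl).origin === new URL(acsUrl).origin;
}

// Guarded lookup of the callback on the iframe's global. A cross-origin
// window throws (or yields undefined properties) on access; normalise both
// to null so the caller never sees a raw TypeError like the one reported.
function readCallback(iframeWindow, name) {
  try {
    const fn = iframeWindow ? iframeWindow[name] : undefined;
    return typeof fn === 'function' ? fn : null;
  } catch (e) {
    return null;
  }
}

// Decide what the login button should do, with an explicit reason so the
// "wrong hostname" case is logged as a configuration problem, not as
// "SSO unreachable".
function decideLogin(pageUrl, iframeWindow, callbackName) {
  if (!passiveSsoReadable(pageUrl)) {
    return { action: 'normal-login', reason: 'cross-origin-iframe' };
  }
  const cb = readCallback(iframeWindow, callbackName);
  return cb
    ? { action: 'run-callback', reason: 'ok' }
    : { action: 'normal-login', reason: 'sso-unreachable' };
}

// Constructed stand-in for a cross-origin iframe window: every property
// access throws, as browsers do for cross-origin Window objects.
function crossOriginWindow() {
  return new Proxy({}, {
    get() { throw new Error('SecurityError: cross-origin access blocked'); }
  });
}
```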