Univention Bugzilla – Bug 51492
Change the password via SAML login
Last modified: 2020-09-16 12:44:45 CEST
Created attachment 10388 [details] Screenshot 1 Currently it is not possible to change the password during the SAML login. For example, if the password has expired, a (configurable) link to the normal login is displayed (see attached screenshot). This is unfavorable from a usability point of view and especially in the context where the normal login should not be used at all (e.g. BSI-Grundschutz). From a usability point of view it would be best if it works directly like the normal login (see attached screenshot 2).
Created attachment 10389 [details] Screenshot 2
Current recommendation is to configure the link to point to the self service password change.
(In reply to Ingo Steuwer from comment #2) > Current recommendation is to configure the link to point to the self service > password change. Yes, unfortunately the self service doesn't know the username and the old/expired password which the user entered previously in the SAML login. So a user has to re-enter them _again_ in the self service. This works, but is more inconvenient than what users are used to.
(In reply to Michael Grandjean from comment #3) > > Yes, unfortunately the self service doesn't know the username and the > old/expired password which the user entered previously in the SAML login. So > a user has to re-enter them _again_ in the self service. This works, but is > more inconvenient than what users are used to. I absolutely agree. And therefore I think it's a (usability) bug.
So, what we basically can do here is: * adjust simplesamlphp authentication error handling, to display two password boxes to set a new password. The old password has to be set as a "hidden" <input>. * make a HTTP request with PHP to the UMC-Server to change the password there. * pass through the error/success messages from there and display them (e.g. the password is too short) * after changing the password re-display the login dialog * ignore the negotiate SAML auth module
Created attachment 10421 [details] patch (git:fbest/51492-saml-password-change) Attached is a patch which realizes password changing in the way described in comment #5. TODO: for the button labels (e.g. New Password) either simplesamlphp must be patched or a new translation file should be added. TODO: styling of error messages
The password can now be changed via the SAML login dialog. This is achieved by forwarding a password change request to the UMC-Server, which then changes the password via pam-krb5. When Samba4 is installed, pam-krb5 changes the password in Samba and the S4-Connector syncs the password back to OpenLDAP. This causes that the changed password cannot be used immediately after the password change (LDAP bind fails). So if that occurs the login dialog is shown again and one have to re-enter the new password. In case no Samba is installed, one is logged in immediately. univention-saml (6.0.2-52) df4f69e44869 | Bug #51492: fix "The class or interface 'SimpleSAML_Logger' is now using namespaces, please use 'SimpleSAML\Logger'." e22d0834caa9 | Bug #51492: fix styling of password expired messages ea081f0e71ae | Bug #51492: add change password dialog to SAML login ucs-test (9.0.4-48) f2ee7d362ffd | Bug #51492: add test case 82_saml/33_change_expired_password 3638f9af8e4f | Bug #51492: cleanup exception handling in SAML tests univention-saml.yaml e98653856337 | YAML Bug #51492
Some tests were failing because the error messages styling had been adjusted. Fixed in: ucs-test (9.0.4-49) 4063ff934dc5 | Bug #51492: adjust SAML tests to new error messages e84c2fe4bf2e | Bug #51492: adjust SAML tests to new error messages
You said that pam-krb5 is used, so i think it should work. Just to be sure: Changing the password in this way also works in an ad-member scenario, right?
Changing expired password works -> OK Tests are working -> OK Reopen: Login with wrong password continues to "change password" dialog (changing the password is not possible though). Is it possible to show a wrong password error like in the normal login? Error messages are shown at the top and not in red at the bottom like in the normal login. UMCerrors do not bubble up: Go to the new password dialog, stop the umc, now change the password -> no error is thrown, the page never stops loading
(In reply to Jürn Brodersen from comment #10) > UMCerrors do not bubble up: Go to the new password dialog, stop the umc, now > change the password -> no error is thrown, the page never stops loading Well, this is a javascript error and affects also other components if the UMC-Server is down. The error messages are just not shown then. TypeError: Cannot read property 'how_do_i_login/enabled' of undefined at Object._addLinkFromUcr (dialog.js:69) at Object._addDefaultLinks (dialog.js:124) at Object.renderLoginDialog (dialog.js:108) at Object.callback (saml-config.js:11) at config.js:149 … Fixed in: univention-management-console (11.0.4-103) 0b1d66fb4448 | Bug #51492: fix javascript + HTML errors
(In reply to Jürn Brodersen from comment #10) > Reopen: > Login with wrong password continues to "change password" dialog (changing > the password is not possible though). Is it possible to show a wrong > password error like in the normal login? This is not a regression by this bug. It was introduced in Bug #43384. I don't know a way to fix this.
(In reply to Jürn Brodersen from comment #10) > Error messages are shown at the top and not in red at the bottom like in the > normal login. Fixed in: univention-saml (6.0.2-53) 2d78c76559cc | Bug #51492: adjust styling of error messages
Test fails in jenkins on s4 backup/slave/member http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-5/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=slave/testReport/82_saml/33_change_expired_password/slave095/
(In reply to Felix Botner from comment #14) > Test fails in jenkins on s4 backup/slave/member > > http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-5/job/ > AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=slave/testReport/ > 82_saml/33_change_expired_password/slave095/ Should be fixed with: - time.sleep(5) + utils.wait_for_replication() + utils.wait_for_s4connector_replication() ucs-test (9.0.4-53) 17d0afc9327c | Bug #51492: fix waiting in S4 connector environments
nope, still fails
(In reply to Felix Botner from comment #16) > nope, still fails It seems wait_for_s4_connector_replication does nothing: 2020-09-04 05:58:20.534497] Post SAML change password form to ... … [2020-09-04 05:58:22.344569] Cleanup after exception: <class 'samltest.SamlPasswordExpired'> (2 seconds difference)... Let's test: time.sleep(20) ucs-test (9.0.4-56) 67c8c19be510 | Bug #51492: sleep 20 seconds
What I tested: Password change -> OK Password change (with samba) -> OK Password change, password to easy -> fails -> OK Password change, password to easy (with samba) -> fails -> OK jenkins: I added another sleep after the test user is created. That seems to have solved the replication problems. -> OK yaml -> OK -> Verified
<https://errata.software-univention.de/#/?erratum=4.4x748> <https://errata.software-univention.de/#/?erratum=4.4x749>