Bug 52297 - Delay UMC authentication after SAML login to first use of UMC modules
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-6-errata
Assigned To: Florian Best
QA Contact: Dirk Wiesenthal
URL: https://git.knut.univention.de/univen...
Reported: 2020-11-02 19:03 CET by Florian Best
Modified: 2020-11-25 12:07 CET
What kind of report is it?: Development Internal
Bug group (optional): Large environments, UCS Performance
best: Patch_Available+

Description Florian Best univentionstaff 2020-11-02 19:03:21 CET
Currently after the SAML login succeeds one is redirected to /univention/auth/sso which makes a UMCP AUTH request with the SAML message to the UMC-Server.

This is not necessary to be done immediately as the SAML message itself already says the login was successful.
We need to do this nevertheless of course before sending any UMCP-call to the UMC-Server.

The UMC-Webserver detects the state of the connection already and prepends the UMCP AUTH request.

So we can simply remove the redirection to /univention/auth/sso and gain some performance and drop one unnecessary long request, which opens a whole UMC session. This is especially useful for Portal-only users, who will never log in to UMC.
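
The deferral described in this report, modeled as an added example (not Univention's code and not part of the original report): the web server keeps the SAML message from the login, opens no backend session for portal-only traffic, and prepends AUTH before the first command. All class and method names and the sample messages are hypothetical.

```python
# Hypothetical model of deferred backend authentication; not UMC code.
class AuthError(Exception):
    """Raised when the backend refuses a message."""

class Backend:
    """Stand-in for the UMC-Server: counts sessions, records messages."""
    def __init__(self, valid_messages):
        self.valid = set(valid_messages)
        self.sessions_opened = 0
        self.log = []

    def connect(self):
        self.sessions_opened += 1
        return BackendConnection(self)

class BackendConnection:
    def __init__(self, backend):
        self.backend = backend
        self.authenticated = False

    def auth(self, saml_message):
        self.backend.log.append(("AUTH", saml_message))
        if saml_message not in self.backend.valid:
            raise AuthError("backend rejected SAML message")
        self.authenticated = True

    def command(self, name):
        if not self.authenticated:  # backend enforces AUTH itself
            raise AuthError("command before AUTH")
        self.backend.log.append(("COMMAND", name))
        return "ok:" + name

class WebSession:
    """Stand-in for the web server's per-user state after SSO login."""
    def __init__(self, backend, saml_message):
        self.backend = backend
        self.saml_message = saml_message  # kept from the SAML login
        self.conn = None                  # no backend session yet

    def portal_page(self):
        return "portal"                   # never touches the backend

    def module_call(self, name):
        if self.conn is None:             # first use: connect, prepend AUTH
            conn = self.backend.connect()
            conn.auth(self.saml_message)  # raises before any command is sent
            self.conn = conn
        return self.conn.command(name)
```

Because the backend connection refuses commands until AUTH has succeeded, deferring the AUTH step changes when the check happens, not whether it happens.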
Comment 1 Florian Best univentionstaff 2020-11-02 19:05:02 CET
You can already do the QA with git:dcd73a5d4f5630327681bd5d36f9593387d9c2f1.
Comment 2 Florian Best univentionstaff 2020-11-19 16:00:36 CET
The SAML authentication is now (automatically) delayed to the first use of creating a connection to the UMC server.
Therefore portal users don't need to authenticate at the UMC-Server.

univention-management-console.yaml
0199de86341f | YAML Bug #52297

univention-management-console (11.0.5-22)
da7c3cc48362 | fixup! Bug #52297: explicitly add all possible configuration variables to SAML config
16d09074fc3f | Bug #52297: explicitly add all possible configuration variables to SAML config
7ceeae243a59 | Bug #52297: Delay unnecessary UMC authentication after Single Sign on
Comment 3 Dirk Wiesenthal univentionstaff 2020-11-24 17:04:13 CET
YAML: OK
Delay: OK, no action in UMC after SAML login
Code: OK