Bug 52888 - saml message is not updated in umc-server process
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-0-errata
Assigned To: Florian Best
QA Contact: Jürn Brodersen
URL: https://git.knut.univention.de/univen...
Depends on:
Blocks: 54229
Reported: 2021-03-10 14:06 CET by Jürn Brodersen
Modified: 2021-12-09 12:52 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.343
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021021621000496, 2021012121000979, 2021040821000346, 2021092821000442
Bug group (optional): Regression
Max CVSS v3 score:


Attachments
Proposed patch (2.16 KB, patch), 2021-04-30 10:26 CEST, Jürn Brodersen
patch (git:fbest/52888-reauthenticate-on-new-saml-message) (1.88 KB, patch), 2021-10-05 09:48 CEST, Florian Best

Description Jürn Brodersen univentionstaff 2021-03-10 14:06:11 CET
saml message is not updated in umc-server process

After the assertion timeout "NotOnOrAfter" from the first ticket of a session has expired, no further LDAP login is possible. The frontend does request a new ticket, which it gets and which is sent to the umc-web-server, but any new LDAP connections still seem to try to use the old expired ticket.

For a user this looks like an endless login loop.

The test "82_saml/07_umc_session_timeout" which should have tested this, is broken.

How to reproduce:
Use the updated test "82_saml/07_umc_session_timeout" on my git branch: "juern/test_broken_saml_message_update"

Or reproduce manually:
Open the users module with saml
Wait for more than 15 minutes (umc/saml/assertion-lifetime + umc/saml/grace_time, I reduced both values)
Restart slapd to close any open connections
Try to use the module again

Workaround:
Increase umc/saml/grace_time (as high as saml/idp/session-duration should work) and restart the ldap server
Comment 1 Florian Best univentionstaff 2021-03-10 14:08:17 CET
This is already broken in UCS 4.4?
Comment 2 Jürn Brodersen univentionstaff 2021-03-10 14:36:12 CET
(In reply to Florian Best from comment #1)
> This is already broken in UCS 4.4?

Yes :(
Comment 3 linux@osit.cc 2021-03-11 01:07:10 CET
Thanks for the workaround. This does the job :)
Comment 4 Christina Scheinig univentionstaff 2021-04-09 14:56:15 CEST
This still causes tickets in support
Comment 5 Jürn Brodersen univentionstaff 2021-04-30 10:26:07 CEST
Created attachment 10711 [details]
Proposed patch

Looks like since bug 52297, supplying a new ticket does not force a re-authentication any more.

I attached a patch that resets the umc client authentication state to force a re-authentication again.

The test that should have tested this did not work correctly (07_umc_session_timeout).
I updated the test and set it to be skipped:
[5.0-0 89f71ec4d6] Bug #52888: fix 07_umc_session_timeout
[5.0-0 3a07c948cf] Bug #52888: Set to skip until bug is fixed
Comment 6 Florian Best univentionstaff 2021-10-05 09:48:43 CEST
Created attachment 10839 [details]
patch (git:fbest/52888-reauthenticate-on-new-saml-message)
Comment 8 Florian Best univentionstaff 2021-11-23 12:08:51 CET
Fixed in:

univention-management-console.yaml
61f729848e47 | Bug #52888: force re-authentication at UMC-Server when a new SAML message is available

univention-management-console (12.0.12-19)
61f729848e47 | Bug #52888: force re-authentication at UMC-Server when a new SAML message is available

ucs-test (10.0.6-73)
61f729848e47 | Bug #52888: force re-authentication at UMC-Server when a new SAML message is available

ucs-test (10.0.5-11)
3a07c948cf0c | Bug #52888: Set to skip until bug is fixed
89f71ec4d655 | Bug #52888: fix 07_umc_session_timeout
Comment 9 Jürn Brodersen univentionstaff 2021-11-23 12:49:12 CET
What I tested:
changes -> OK
saml login -> OK
saml tests -> OK
yaml -> OK 

[5.0-0 87bc5e8e0c] Bug #52888: yaml version

Waiting for a jenkins run, but I don't expect any problems.
Comment 10 Jürn Brodersen univentionstaff 2021-11-25 11:47:31 CET
and jenkins looks good as well -> verified