Univention Bugzilla – Bug 52888
saml message is not updated in umc-server process
Last modified: 2021-12-09 12:52:10 CET
After the assertion timeout "NotOnOrAfter" from the first ticket of a session is expired, no further ldap login is possible. The frontend does request a new ticket, which it gets and which is sent to the umc-web-server, but any new ldap connections do still seem to try to use the old expired ticket. For a user this looks like an endless login loop. The test "82_saml/07_umc_session_timeout", which should have tested this, is broken.

How to reproduce:
Use the updated test "82_saml/07_umc_session_timeout" on my git branch: "juern/test_broken_saml_message_update"

Or reproduce manually:
1. Open the users module with saml
2. Wait for more than 15 minutes (umc/saml/assertion-lifetime + umc/saml/grace_time, I reduced both values)
3. Restart slapd to close any open connections
4. Try to use the module again

Workaround:
Increase umc/saml/grace_time (as high as saml/idp/session-duration should work) and restart the ldap server
This is already broken in UCS 4.4?
(In reply to Florian Best from comment #1)
> This is already broken in UCS 4.4?
Yes :(
Thanks for the workaround. This does the job :)
This still causes tickets in support
Created attachment 10711 [details]
Proposed patch

Looks like since bug 52297, supplying a new ticket does not force a re-authentication any more. I attached a patch that resets the umc client authentication state to force a re-authentication again.

The test that should have tested this did not work correctly (07_umc_session_timeout). I updated the test and set it to be skipped:
[5.0-0 89f71ec4d6] Bug #52888: fix 07_umc_session_timeout
[5.0-0 3a07c948cf] Bug #52888: Set to skip until bug is fixed
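To make the failure mode from the report and the effect of the proposed patch concrete, here is an added Python sketch that is not UMC's own code: the session class, method names and the timing values for umc/saml/assertion-lifetime and umc/saml/grace_time are hypothetical, chosen only to model the behaviour described in the bug (stale credential reused for new LDAP connections until the authentication state is reset on a new SAML message).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Illustrative values for the UCR variables named in the report (not UCS defaults).
ASSERTION_LIFETIME = timedelta(minutes=5)   # umc/saml/assertion-lifetime
GRACE_TIME = timedelta(minutes=10)          # umc/saml/grace_time


@dataclass
class SamlMessage:
    ticket_id: str
    not_on_or_after: datetime  # the assertion's NotOnOrAfter condition

    def usable(self, now: datetime) -> bool:
        # An expired assertion is tolerated for the configured grace time.
        return now < self.not_on_or_after + GRACE_TIME


@dataclass
class UmcSession:
    """Hypothetical server-side session state; not UMC's implementation."""
    force_reauth_on_new_message: bool  # False = behaviour in the report, True = patched
    saml: Optional[SamlMessage] = None
    authenticated: bool = False
    bind_credential: Optional[SamlMessage] = None  # what new LDAP binds use

    def receive_saml_message(self, msg: SamlMessage) -> None:
        """The frontend hands over a (possibly new) SAML message."""
        self.saml = msg
        if self.force_reauth_on_new_message:
            # The patch's idea: drop the cached auth state so the next
            # LDAP bind re-authenticates with the new message.
            self.authenticated = False
            self.bind_credential = None

    def new_ldap_connection(self, now: datetime) -> str:
        """Open a fresh LDAP connection (e.g. after slapd restarted)."""
        if not self.authenticated:
            if not self.saml.usable(now):
                return "login required"
            self.authenticated = True
            self.bind_credential = self.saml
        if not self.bind_credential.usable(now):
            return "login required"  # bind with the stale credential fails
        return "ok:" + self.bind_credential.ticket_id


def simulate(force_reauth: bool) -> List[str]:
    t0 = datetime(2021, 1, 1, 12, 0, tzinfo=timezone.utc)
    session = UmcSession(force_reauth_on_new_message=force_reauth)
    session.receive_saml_message(SamlMessage("ticket-1", t0 + ASSERTION_LIFETIME))
    log = [session.new_ldap_connection(t0)]  # initial login works
    later = t0 + ASSERTION_LIFETIME + GRACE_TIME + timedelta(minutes=1)
    log.append(session.new_ldap_connection(later))  # slapd restarted, ticket-1 expired
    session.receive_saml_message(SamlMessage("ticket-2", later + ASSERTION_LIFETIME))
    log.append(session.new_ldap_connection(later))  # retry with the new ticket
    return log
```

Without the reset the third step still reports "login required" even though a fresh ticket was supplied, which is the endless login loop from the report; with the reset the new LDAP connection binds with ticket-2.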
Created attachment 10839 [details]
patch (git:fbest/52888-reauthenticate-on-new-saml-message)
Fixed in:

univention-management-console.yaml
61f729848e47 | Bug #52888: force re-authentication at UMC-Server when a new SAML message is available

univention-management-console (12.0.12-19)
61f729848e47 | Bug #52888: force re-authentication at UMC-Server when a new SAML message is available

ucs-test (10.0.6-73)
61f729848e47 | Bug #52888: force re-authentication at UMC-Server when a new SAML message is available

ucs-test (10.0.5-11)
3a07c948cf0c | Bug #52888: Set to skip until bug is fixed
89f71ec4d655 | Bug #52888: fix 07_umc_session_timeout
What I tested:
changes -> OK
saml login -> OK
saml tests -> OK
yaml -> OK
[5.0-0 87bc5e8e0c] Bug #52888: yaml version

Waiting for a jenkins run, but I don't expect any problems.
And jenkins looks good as well -> verified
<https://errata.software-univention.de/#/?erratum=5.0x162>