Bug 53157 - Portal / UMC session renewal does not work when logged in via SAML
Portal / UMC session renewal does not work when logged in via SAML
Status: CLOSED DUPLICATE of bug 53159
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 5.0
Other Linux
: P5 normal (vote)
: UCS 5.0
Assigned To: Jürn Brodersen
Florian Best
: interim-2
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-04-26 12:48 CEST by Erik Damrose
Modified: 2021-05-25 16:01 CEST (History)
4 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Erik Damrose univentionstaff 2021-04-26 12:48:20 CEST
Once the portal / UMC sessions expires, the portal / UMC tries to renew the session. This does not seem to work, one cannot open UMC modules via portal anymore.

I see these http calls when the session is expired and one clicks on a UMC module:

univention/get/session-info http 401 Unauthorized ->
univention/saml/iframe/ http 302 redirect ->
ucs-sso simplesamlphp/saml2/idp/SSOService.php http 200  ->
univention/saml/ http 200 ->
univention/get/session-info http 200

But calls to univention/get/modules and univention/get/categories after that still return http 401
Comment 1 Ingo Steuwer univentionstaff 2021-04-26 12:52:09 CEST
Dirk, what do you think?
Comment 2 Erik Damrose univentionstaff 2021-04-26 13:07:19 CEST
I can see that UMCSessionId gets renewed (with a expire time in the future) in the browser cookiestore, but the UMC module tab does not display any content.
Comment 3 Erik Damrose univentionstaff 2021-04-26 13:18:06 CEST
In this state, a reload of the portal page practically breaks the portal usability / user experience even further:

One appears to be not logged in. After clicking on 'login' in the side menu, the existing SAML session is recognized and no credentials have to be provided. But when returning to the portal, it is in some kind of intermediate state: The 'login' portal entry is gone, the side menu shows the current username as logged in. But no other entries show up, e.g. i am logged in as Adminstrator but do not see any UMC modules in the portal.
Comment 4 Erik Damrose univentionstaff 2021-04-26 15:10:05 CEST
comment 3 is more generic and has nothing to do with the session timeout. I opened bug 53159.
Comment 5 Jürn Brodersen univentionstaff 2021-04-30 10:35:44 CEST
This might be a duplicate of bug 51888 ?
Comment 6 Jürn Brodersen univentionstaff 2021-04-30 10:36:53 CEST
(In reply to Jürn Brodersen from comment #5)
> This might be a duplicate of bug 51888 ?

Wrong bug number :( it should be 52888
Comment 7 Jürn Brodersen univentionstaff 2021-05-06 18:36:07 CEST
This is a duplicate of bug 53159.

It happened after the umc session, but not the umc-web-server session, timed out. The umc server could not authorize the new session because it had already done one saml authorization and was hit by bug 53159.

Note:
Decrease "umc/module/timeout" to get a quicker umc-server session timeout.

*** This bug has been marked as a duplicate of bug 53159 ***
Comment 8 Florian Best univentionstaff 2021-05-07 14:09:04 CEST
OK: duplicate
Comment 9 Florian Best univentionstaff 2021-05-25 16:01:16 CEST
UCS 5.0 has been released:
 https://docs.software-univention.de/release-notes-5.0-0-en.html
 https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".