Bug 53159 - Portal / UMC session handling with SAML is broken after first user login
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0
Assigned To: Jürn Brodersen
QA Contact: Florian Best
Keywords: interim-1
Duplicates: 53157
Depends on:
Blocks:
Reported: 2021-04-26 15:09 CEST by Erik Damrose
Modified: 2021-05-25 16:01 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.257
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Erik Damrose univentionstaff 2021-04-26 15:09:26 CEST
The portal <-> umc session handling with SAML is broken after a user was logged in once and then logs in again.

To reproduce (easiest with incognito browser session): Log in to the portal with SAML enabled. UMC portal entries are visible and can be used. Now close the current browser session to clean up the local session and cookies. Open a new browser, log in again with the same user.

When returning to the portal, it is in some kind of intermediate state: The 'login' portal entry is gone, the side menu shows the current username as logged in. But no other entries show up, e.g. I am logged in as Administrator but do not see any UMC modules in the portal.

Logs for the second login show:

/var/log/univention/portal.log
  1337 user         21-04-26 15:03:29 [   DEBUG]: searching user for cookies={'UMCSessionId': 'fd8eb0f4-6886-4e90-8e20-ba44e4d28c65', 'UMCUsername': 'Administrator'}
  1337 user         21-04-26 15:03:29 [   DEBUG]: found Administrator

/var/log/univention/management-console-server.log <==
26.04.21 15:03:31.968  AUTH        ( ERROR   ) : PAM: authentication error: ('Fehler bei Authentifizierung', 7)
26.04.21 15:03:31.968  AUTH        ( ERROR   ) : Authentisierung ist fehlgeschlagen. Bitte melden Sie sich erneut an.
Comment 1 Erik Damrose univentionstaff 2021-04-26 15:13:31 CEST
Fix: umc-server has to be restarted and the user must log in again.
Comment 2 Jürn Brodersen univentionstaff 2021-04-29 11:22:31 CEST
I think this is the same bug as bug 51932. It needs a bit more steps to trigger now.

The tests do not open a module which is now needed to trigger this bug.
Comment 3 Jürn Brodersen univentionstaff 2021-04-30 10:31:27 CEST
Only one saml login per process was working with crudesaml. Any subsequent logins were denied.
This happened due to "lasso_shutdown" and "lasso_init" being called multiple times in one process. According to lasso upstream "lasso_shutdown" should only be called when the lasso lib is not needed ever again in that process. It is also optional to call at all. See also bug 51932.

82_saml/04_saml_login.py has been updated to test this.

[5.0-0 c27e202486] Bug #53159: 82_saml/Improve 04_saml_login
[5.0-0 dc00685583] Bug #53159: fix saml login
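
An added example, not code from crudesaml, lasso or UCS: a minimal C model of the failure mode described in comment 3, contrasting per-login init/shutdown with init-once-per-process. The `fake_*` functions are a constructed stand-in for a library with process-global state (they are not the lasso API), and the rule that a shut-down library stays unusable in that process is an assumption taken from the comment.

```c
#include <stdio.h>
#include <stdbool.h>

/* Constructed stand-in for a library with process-global state. This is NOT
 * the lasso API; it only models the behaviour described in comment 3: after
 * shutdown, the library is unusable for the rest of the process. */
static bool lib_up, lib_dead;
static int  fake_init(void)     { if (lib_dead) return -1; lib_up = true; return 0; }
static void fake_shutdown(void) { lib_up = false; lib_dead = true; }
static int  fake_verify(const char *assertion)
{
    return (lib_up && assertion && *assertion) ? 0 : -1;
}

/* Per-login init/shutdown: works once, then every later login is denied. */
int login_init_per_call(const char *assertion)
{
    if (fake_init() != 0)
        return -1;
    int rc = fake_verify(assertion);
    fake_shutdown();
    return rc;
}

/* Init once per process, never shut down. A plain flag is enough for a
 * single-threaded caller; a threaded host needs a once-primitive instead. */
int login_init_once(const char *assertion)
{
    static int init_rc = 1;            /* 1 = not attempted yet */
    if (init_rc == 1)
        init_rc = fake_init();
    return init_rc == 0 ? fake_verify(assertion) : -1;
}

int main(void)
{
    printf("once #1: %d\n", login_init_once("assertion-1"));
    printf("once #2: %d\n", login_init_once("assertion-2"));
    printf("per-call #1: %d\n", login_init_per_call("assertion-3"));
    printf("per-call #2: %d\n", login_init_per_call("assertion-4"));
    printf("once #3: %d\n", login_init_once("assertion-5"));
    return 0;
}
```

The last call shows why a restart of the hosting process is the only recovery: one code path that shuts the library down also breaks every other caller in the same process.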
Comment 4 Jürn Brodersen univentionstaff 2021-05-03 11:20:09 CEST
Reopen: Test failures on non primary
Comment 5 Jürn Brodersen univentionstaff 2021-05-04 10:45:13 CEST
[5.0-0 9fe8bf6e36] Bug #53159: split tests

udm isn't installed on replication nodes
Comment 6 Jürn Brodersen univentionstaff 2021-05-04 15:03:16 CEST
[5.0-0 fac21a6dd2] Bug #53159: Cleanup "packages" tag
Comment 7 Florian Best univentionstaff 2021-05-05 15:38:05 CEST
OK: excellent, SAML working again
OK: test cases fixed
~OK: no changelog entry necessary, interim bug

TODO: send patch upstream
Comment 8 Jürn Brodersen univentionstaff 2021-05-06 18:36:07 CEST
*** Bug 53157 has been marked as a duplicate of this bug. ***
Comment 9 Florian Best univentionstaff 2021-05-25 16:01:40 CEST
UCS 5.0 has been released:
 https://docs.software-univention.de/release-notes-5.0-0-en.html
 https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".