Bug 53888 - Add buttons/drop downs for SAML (or other) Login - simplify login process
Status: NEW
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 5.0
Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Reported: 2021-10-11 14:02 CEST by Florian Best
Modified: 2022-02-21 13:16 CET (History)
What kind of report is it?: Feature Request
Attachments
Screenshot (32.15 KB, image/png)
2021-10-11 14:02 CEST, Florian Best
Description Florian Best univentionstaff 2021-10-11 14:02:38 CEST
Created attachment 10841
Screenshot

We should simplify the currently very complex login mechanism.

The current complexity is:
The detection of whether SAML is possible is done in an invisible iframe, which detects if ucs-sso.$domainname host resolution is possible via an HTTPS connection.

If yes, login redirects to SAML; otherwise one gets redirected to the plain login.
This is not transparent for users, who could only differentiate these mechanisms via the login URL.
This is also relatively complex JavaScript code. The new Portal in UCS 5.0 doesn't support it - there we have a hardcoded configuration.

Instead we should:
Either: always redirect to our /univention/login/ page and display buttons for each possible SAML or OpenID Connect Identity Provider.
The detection of whether host+TLS resolution works could additionally be done in the background and add a red alert mark with a tooltip at the button, which explains how to fix the situation.
This would move all login-relevant code into one place and make the code very simple.
Attached is a demo screenshot of how it could look.


Or: we should change the "login" link in the Portal, UMC, etc. menus into a drop-down menu containing all possible login variants (which is again more complex from a code perspective).

With both ways, it would be easy to let the Administrator also decide which login mechanisms are available.
If only one mechanism is enabled, we could automatically redirect there.
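
The first proposal in the description (one button per identity provider, a background host+TLS check that marks a button instead of silently falling back, and an automatic redirect when only one mechanism is enabled), sketched as an added example. It is not code from this report or from UCS: the function names, provider fields, sample URLs and the choice not to auto-redirect to a provider whose check already failed are all assumptions.

```javascript
// Added illustration: all names below are hypothetical, not UCS/UMC code.
// Constructed sample configuration (hosts and paths are placeholders).
const SAMPLE_PROVIDERS = [
  { id: 'saml', label: 'Single sign-on (SAML)', type: 'saml', enabled: true,
    url: 'https://ucs-sso.example.test/placeholder-saml-endpoint' },
  { id: 'oidc', label: 'OpenID Connect', type: 'oidc', enabled: false,
    url: 'https://idp.example.test/placeholder-oidc-endpoint' },
  { id: 'plain', label: 'Username and password', type: 'plain', enabled: true,
    url: '/placeholder-plain-login' },
];

// Decide what the login page shows. `reachable` maps provider id -> boolean
// from the background check; a missing entry means "not checked", not "broken".
function buildLoginPlan(providers, reachable = {}) {
  const buttons = providers.filter((p) => p.enabled).map((p) => ({
    id: p.id,
    label: p.label,
    url: p.url,
    // Visible alert with a fix hint instead of a silent fallback.
    warning: reachable[p.id] === false
      ? `${p.label}: host not reachable via HTTPS; check DNS and the TLS certificate.`
      : null,
  }));
  if (buttons.length === 0) return { action: 'error', buttons };
  // A single enabled mechanism is redirected to automatically, unless the
  // check already failed (assumption: then the warning is worth showing).
  if (buttons.length === 1 && buttons[0].warning === null) {
    return { action: 'redirect', url: buttons[0].url };
  }
  return { action: 'choose', buttons };
}

// Background check for SAML/OIDC providers. With mode 'no-cors' the promise
// resolves on any HTTP answer and rejects on DNS, TLS or connection failure,
// which is what the host+TLS check needs to distinguish.
async function probeProviders(providers, fetchFn = fetch, timeoutMs = 3000) {
  const reachable = {};
  const external = providers.filter((p) => p.enabled && p.type !== 'plain');
  await Promise.all(external.map(async (p) => {
    try {
      await fetchFn(p.url, { mode: 'no-cors', signal: AbortSignal.timeout(timeoutMs) });
      reachable[p.id] = true;
    } catch (err) {
      reachable[p.id] = false;
    }
  }));
  return reachable;
}
```

Because the plan is computed from configuration plus the probe result, the administrator's enable/disable switches and the reachability warning live in one place, and the user always sees which mechanism a button leads to.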