Bug 54813 - Regression, self-service no longer works on single sign on page
Status: NEW
Product: UCS
Classification: Unclassified
Component: Self Service
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Assigned To: UMC maintainers
Reported: 2022-06-02 10:24 CEST by Horace
Modified: 2023-08-26 23:18 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.046
Enterprise Customer affected?: Yes

Description Horace 2022-06-02 10:24:39 CEST
You are no longer able to access self-service from the ucs-sso subdomain. Any attempt results in the portal being temporarily unavailable. And I'm not quite sure when this began not to work when I happened to test it a couple of days ago.

How to reproduce:

1. Install UCS 5.0
2. Update packages and UCS to the latest errata.
3. Set UCS auth to SAML
4. Logout
5. Click on forget password.

Results:

Sorry,
Portal is temporarily unavailable.

Expected:

See forget password form.

Workaround:

Added ProxyPassMatch /univention/selfservice/(.*) http://127.0.0.1:8095/$0 retry=0 to the virtualhost 443 section in /etc/apache2/sites-available/univention-saml.conf.
Comment 1 Florian Best univentionstaff 2022-06-03 19:54:17 CEST
Hello, thank you for your feedback.
Unfortunately, it was never intended that the self-service works on ucs-sso.$domainname - this worked only accidentally as we need parts of the /univention/ scope also for the SAML login page.
Comment 2 stuckenbroeker 2023-06-01 12:05:58 CEST
Noted same behaviour on upgrade from 4.4-9 to 5.0-3, seems to be due to change of self service URL. Fix should IMHO be done in template for /etc/apache2/sso-vhost.conf.d/01redirect.conf line 9, add |selfservice in rewrite condition to get 4.4 compatible behavior or use UCR variables to overwrite URL for absolute URL to your portal FQDN (see https://forge.univention.org/bugzilla/show_bug.cgi?id=55098)
Comment 3 Mirac Erdemiroglu univentionstaff 2023-06-03 16:53:12 CEST
Customer affected Ticket#2023060121000093
UCS 5.0-3

The password forgotten link will be created wrong, if you are using SSO and update your system from UCS 4.4-9 to latest UCS 5.0-x

Possible Workaround for that:

Edit the template, it looks like there is missing |selfservice|

/etc/univention/templates/files/etc/apache2/sso-vhost.conf.d/01redirect.conf

https://github.com/univention/univention-corporate-server/blob/bacd92df3230f576f11cbb7606ed6ff8cd861198/management/univention-management-console/conffiles/etc/apache2/sso-vhost.conf.d/01redirect.conf#L9


RewriteCond %%{REQUEST_URI} ^/univention/(login|management|self-service|portal|server-overview)/$
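
Added example (not part of the bug report and not Univention's code): a Python check of which request paths satisfy the RewriteCond pattern quoted in comment 3, with and without the |selfservice alternative proposed in comments 2 and 3. The position of the added alternative inside the group and the constructed sample URLs are assumptions; the RewriteRule that follows the condition is not shown on this page, so only the condition itself is evaluated.

```python
import re
from urllib.parse import urlsplit

# Pattern as quoted in comment 3. The "%%" in the template is UCR escaping
# for "%{REQUEST_URI}" and is not part of the regular expression.
CURRENT = r"^/univention/(login|management|self-service|portal|server-overview)/$"
# Same pattern with "|selfservice" added (placement in the group is an assumption).
PROPOSED = r"^/univention/(login|management|self-service|selfservice|portal|server-overview)/$"

HOST = "https://ucs-sso.idp.domain.net"  # host name taken from comment 4
# 'Forgot your password?' link as quoted in comment 4.
FORGOT = HOST + "/univention/selfservice/#/selfservice/passwordforgotten"
SAMPLES = [
    FORGOT,
    HOST + "/univention/self-service/",           # constructed
    HOST + "/univention/portal/",                 # constructed
    HOST + "/univention/selfservice/example.js",  # constructed sub-resource
]


def request_uri(url):
    """Path the server receives; the '#...' fragment never leaves the browser."""
    return urlsplit(url).path


def condition_matches(pattern, url):
    """Evaluate the condition the way RewriteCond tests REQUEST_URI (regex search)."""
    return re.search(pattern, request_uri(url)) is not None


def report():
    """Return (path, matches_current, matches_proposed) for every sample URL."""
    return [
        (request_uri(u), condition_matches(CURRENT, u), condition_matches(PROPOSED, u))
        for u in SAMPLES
    ]


if __name__ == "__main__":
    for path, cur, new in report():
        print(f"{path:40} current={cur!s:5} proposed={new}")
```

The hyphenated self-service in the current pattern does not cover the unhyphenated /univention/selfservice/ path of the link, and because the pattern ends in /$ even the proposed form covers only the directory URL, whereas the ProxyPassMatch workaround from the description covers everything below /univention/selfservice/.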
Comment 4 Horace 2023-08-26 23:18:19 CEST
This just hit me again today and I have forgotten about this bug report. I am very confused about the outcome of this ticket. What _is_ the proper fix here? And if https://forge.univention.org/bugzilla/show_bug.cgi?id=54813#c3 is the fix, why hasn't it been implemented? This is a fresh install of UCS 5.0 with self-service installed. With UCR passwordreset enabled. You have 'Forgot your password?' pointing to 'https://ucs-sso.idp.domain.net/univention/selfservice/#/selfservice/passwordforgotten'. How is it supposed to work out of the box? It seems to me the accident isn't completely fixed.