Univention Bugzilla – Bug 54813
Regression, self-service no longer works on single sign on page
Last modified: 2023-08-26 23:18:19 CEST
You are no longer able to access self-service from the ucs-sso subdomain. Any attempt results in the portal being temporarily unavailable. And I'm not quite sure when this began not to work when I happened to test it a couple of days ago.

How to reproduce:
1. Install UCS 5.0
2. Update packages and UCS to the latest errata.
3. Set UCS auth to SAML
4. Logout
5. Click on forget password.

Results: Sorry, Portal is temporarily unavailable.

Expected: See forget password form.

Workaround: Added
    ProxyPassMatch /univention/selfservice/(.*) http://127.0.0.1:8095/$0 retry=0
to the virtualhost 443 section in /etc/apache2/sites-available/univention-saml.conf.
Hello, thank you for your feedback. Unfortunately, it was never intended that the self-service works on ucs-sso.$domainname - this worked only accidentally as we need parts of the /univention/ scope also for the SAML login page.
Noted same behaviour on upgrade from 4.4-9 to 5.0-3; seems to be due to change of self service URL. Fix should IMHO be done in template for /etc/apache2/sso-vhost.conf.d/01redirect.conf line 9: add |selfservice in rewrite condition to get 4.4 compatible behavior, or use UCR variables to overwrite URL for absolute URL to your portal FQDN (see https://forge.univention.org/bugzilla/show_bug.cgi?id=55098).
Customer affected
Ticket#2023060121000093
UCS 5.0-3

The password forgotten link will be created wrong, if you are using SSO and update your system from UCS 4.4-9 to latest UCS 5.0-x

Possible Workaround for that:
Edit the template, it looks like there is missing |selfservice|
/etc/univention/templates/files/etc/apache2/sso-vhost.conf.d/01redirect.conf
https://github.com/univention/univention-corporate-server/blob/bacd92df3230f576f11cbb7606ed6ff8cd861198/management/univention-management-console/conffiles/etc/apache2/sso-vhost.conf.d/01redirect.conf#L9
    RewriteCond %%{REQUEST_URI} ^/univention/(login|management|self-service|portal|server-overview)/$
This just hit me again today and I have forgotten about this bug report. I am very confused about the outcome of this ticket. What _is_ the proper fix here? And if https://forge.univention.org/bugzilla/show_bug.cgi?id=54813#c3 is the fix, why hasn't it been implemented? This is a fresh install of UCS 5.0 with self-service installed. With UCR passwordreset enabled. You have 'Forgot your password?' pointing to 'https://ucs-sso.idp.domain.net/univention/selfservice/#/selfservice/passwordforgotten'. How is it supposed to work out of the box? It seems to me the accident isn't completely fixed.
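
Added example, not part of the bug thread and not Univention code: a Python check of which request paths the RewriteCond quoted above matches, with and without the `selfservice` alternative suggested in the comments. It assumes the template's `%%` is an escaped `%`, that `selfservice` is added next to `self-service`, and that Python's `re` behaves like Apache's regex engine for this pattern; what the rule attached to the condition does is not shown in the thread, so only the match is tested.

```python
import re
from urllib.parse import urlsplit

# Pattern from line 9 of the 01redirect.conf template, as quoted in the thread.
SHIPPED = r"^/univention/(login|management|self-service|portal|server-overview)/$"
# Assumed form of the variant proposed in the comments ("selfservice" added).
PROPOSED = r"^/univention/(login|management|self-service|selfservice|portal|server-overview)/$"


def request_uri(url):
    """Path the server sees: the browser never sends the #fragment."""
    return urlsplit(url).path


def cond_matches(pattern, url):
    """True if the RewriteCond pattern matches the REQUEST_URI of url."""
    return re.search(pattern, request_uri(url)) is not None


# Sample links. The first is the 'Forgot your password?' target quoted in the
# thread; the other three are constructed for comparison.
SAMPLES = [
    "https://ucs-sso.idp.domain.net/univention/selfservice/#/selfservice/passwordforgotten",
    "https://ucs-sso.idp.domain.net/univention/self-service/",
    "https://ucs-sso.idp.domain.net/univention/portal/",
    "https://ucs-sso.idp.domain.net/univention/selfservice/js/app.js",
]


def report():
    """(path, matches shipped pattern, matches proposed pattern) per sample."""
    return [
        (request_uri(u), cond_matches(SHIPPED, u), cond_matches(PROPOSED, u))
        for u in SAMPLES
    ]


if __name__ == "__main__":
    for path, shipped, proposed in report():
        print(f"{path:36} shipped={shipped!s:5} proposed={proposed}")
```

The hyphenated `self-service` in the quoted pattern does not cover the unhyphenated `/univention/selfservice/` path of the generated link, and because the pattern is anchored with `/$`, deeper paths under that directory match neither variant.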