Defect #1374

closed

SuperAdmin cannot "re-log in" after session expired when SSO is enabled

Added by Vladimír Kotýnek over 5 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assignee: Vladimír Kotýnek
Category: Authentication / Authorization
Target version: -
Start date: 11/14/2018
Due date:
% Done: 0%
Estimated time:
Affected versions:
Owner:

Description

Affected version: 9.2.2, browser IE 11 (didn't try any other)

How to reproduce:
  • SSO enabled.
  1. Log in as superAdmin.
  2. Wait for session expiration (e.g. go home and return the next day); don't turn off the computer, don't close the browser.
  3. Open IdM.
  4. Errors appear everywhere; you cannot even log out.

This is probably caused by the feature that disables SSO for those with superAdmin roles (according to the log). The problem is that even if the admin closes and re-opens the browser, errors appear and the user cannot log out. F5 or CTRL+F5 doesn't help.
Expected behavior: show the login dialog.
Temporary workaround: use CzechIdM in a private window (not very nice, but it works).


Files

IE_login_with_negotiate.png (69.2 KB) - Alena Peterová, 11/15/2018 06:31 PM
IE_login_without_negotiate.png (70.5 KB) - Alena Peterová, 11/15/2018 06:31 PM
IE_session_timeout_without_icons.png (71.6 KB) - Alena Peterová, 11/15/2018 06:31 PM
IE_session_timeout_with_icons.png (77.1 KB) - Alena Peterová, 11/15/2018 06:31 PM
IE_session_timeout_without_negotiate.png (57.7 KB) - Alena Peterová, 11/15/2018 06:31 PM
Actions #1

Updated by Radek Tomiška over 5 years ago

  • Assignee changed from Vít Švanda to Alena Peterová
Actions #2

Updated by Radek Tomiška over 5 years ago

Alča, could you please look at it? I don't know if it is connected to checking for the superAdmin role even in the logout phase, or whether it is connected with some of my changes with persistent tokens.

Actions #3

Updated by Alena Peterová over 5 years ago

  • Status changed from New to In Progress

More info: the admin is logged into his computer with the same login as he uses for IdM.
I tried to simulate this in Firefox by modifying headers, no success yet.

Actions #4

Updated by Alena Peterová over 5 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Alena Peterová to Vladimír Kotýnek

I couldn't reproduce the issue entirely, but there is definitely something broken in the combination "Kerberos SSO by Negotiate in Apache" + "Internet Explorer 11 in AD domain". The problem (at least for me) isn't in the IdM backend, because the behavior is the same even if the SSO filter is disabled.

If Kerberos Negotiation is enabled in Apache ("KrbMethodNegotiate On" in virtualhosts.conf), then I get a "Network request failed" message after session timeout. I'm not logged out automatically. But when I click on the logout button, then I get to the login page. See "IE_session_timeout_with_icons.png". Sometimes I don't see the logout icon ("IE_session_timeout_without_icons.png"), but it can still be clicked. I don't know why the icons sometimes aren't displayed; I have fonts enabled in Internet Options for trusted sites (https://wiki.czechidm.com/_media/devel/documentation/fontdisable02.png).

The message "Network request failed" is also displayed during login if I use a wrong password - see IE_login_with_negotiate.png.

The response from the backend is 401 for both cases. But in the Developer tools of IE the request is Aborted - without a response code.

If Kerberos Negotiation is disabled in Apache (just by "KrbMethodNegotiate Off"), then the response after timeout is correct. I'm redirected to the login modal dialog with "Session timeout" - see IE_session_timeout_without_negotiate.png.

Also during login with a wrong password I can see the correct error message - see IE_login_without_negotiate.png. The response 401 gets correctly to the frontend.

I didn't test Negotiate for Firefox, because I don't have it in our testing domain server, so I can't test the Negotiate method in Firefox.


The inability to log out (= if I log out, I'm logged in again immediately) can be reproduced if your user has the same password in the AD domain and in IdM, and Apache Kerberos enables Basic Auth ("KrbMethodK5Passwd On") and disables Negotiate ("KrbMethodNegotiate Off"). Then he is continually logged in by our BasicIdmAuthenticationFilter. However, I don't see any error messages as Vláďa described.


TLDR

The problem is either in the frontend, or in the Apache Kerberos configuration, or in the Internet Explorer options.

To narrow it down, please switch off our Basic Auth filter:

idm.sec.core.authentication-filter.eu-bcvsolutions-idm-core-security-auth-filter-basicidmauthenticationfilter.enabled=false

Also check if you can click on the Logout button in the upper right corner when you get the error you describe.

Actions #6

Updated by Alena Peterová over 5 years ago

When testing, you can shorten the session timeout with the application property "idm.sec.security.jwt.expirationTimeout" = session timeout in milliseconds. No restart needed. But don't put anything lower than e.g. 20 000 there, otherwise you will have trouble changing it back due to the early timeout :-)

Actions #7

Updated by Vladimír Kotýnek over 5 years ago

Thank you very much for your investigation of this issue!
Is there any negative impact of turning off the Basic Auth filter?

Actions #8

Updated by Alena Peterová over 5 years ago

I think not. Only if you want to use some scripting - calling the REST API from a shell script - the Basic Auth filter enables you to easily put your credentials in the request. Without it, you must use some IdM token.

When I think about it, if we use the SSO filter, the Basic Auth filter should always be switched off for security reasons. Because if we have a superAdmin with the same password in the AD domain as well as locally in IdM, then the SSO filter doesn't authenticate him to IdM, but Basic Auth does. So the Basic Auth filter effectively enables single sign-on for admins who use one password for all applications...
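The bypass described in this comment, as an added illustration (model code, not CzechIdM's own filters): an SSO filter that deliberately refuses superAdmin identities is followed by a Basic Auth filter that checks the IdM-local password, so a superAdmin who reuses the AD password is still logged in whenever the browser sends Basic credentials. User records, passwords and filter names are constructed for the example.

```python
# Added example, not CzechIdM code: a minimal model of the filter chain from the ticket.
import base64
from typing import Optional

# Constructed sample identities; passwords are illustrative placeholders.
IDM_USERS = {
    "admin": {"password": "Reused-Pa55", "roles": {"superAdmin"}},
    "alice": {"password": "alice-local-pw", "roles": {"user"}},
}
SSO_EXCLUDED_ROLES = {"superAdmin"}  # roles the SSO filter must never trust


class Request:
    def __init__(self, remote_user: Optional[str] = None,
                 authorization: Optional[str] = None):
        self.remote_user = remote_user      # set by Apache after Kerberos Negotiate
        self.authorization = authorization  # Basic header the browser sends (K5Passwd)


def sso_filter(req: Request) -> Optional[str]:
    """Model of the SSO filter: trusts REMOTE_USER, except for excluded roles."""
    user = IDM_USERS.get(req.remote_user or "")
    if user is None or user["roles"] & SSO_EXCLUDED_ROLES:
        return None
    return req.remote_user


def basic_auth_filter(req: Request) -> Optional[str]:
    """Model of the Basic Auth filter: verifies the IdM-local password."""
    if not req.authorization or not req.authorization.startswith("Basic "):
        return None
    login, _, password = base64.b64decode(req.authorization[6:]).decode().partition(":")
    user = IDM_USERS.get(login)
    return login if user and user["password"] == password else None


def authenticate(req: Request, basic_filter_enabled: bool = True) -> Optional[str]:
    """Run the chain; the first filter that yields a login wins. None means 401."""
    chain = [sso_filter] + ([basic_auth_filter] if basic_filter_enabled else [])
    for auth_filter in chain:
        login = auth_filter(req)
        if login:
            return login
    return None


def basic_header(login: str, password: str) -> str:
    """Build the Authorization header a browser would send for Basic auth."""
    return "Basic " + base64.b64encode(f"{login}:{password}".encode()).decode()
```

With the Basic filter disabled (the property quoted above), the superAdmin request falls through to a 401 and the login dialog, which is the expected behavior from the description.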

Actions #9

Updated by Radek Tomiška over 5 years ago

  • Target version deleted (Onyx (9.3.0))
Actions #10

Updated by Radek Tomiška almost 5 years ago

How does it look with this ticket? If the solution was tested on your environment, please close this obsolete ticket.

Actions #11

Updated by Radek Tomiška over 4 years ago

  • Status changed from Needs feedback to Closed

I'm closing this obsolete ticket.
