SAML 2.0 SP SSO Plugin – New issue & Feature request

  • Toivo
    # 7 years ago

    Background

    The website had previously a login page which had an SSO login button for staff and a link to a page where external users were able to type in their credentials.  There are less than 10 active users from authorised partner companies.  However, this arrangement with two login processes stopped direct links to the site from working because the login page was always presented first.

    Today I activated the option ‘Enable auto redirect to IDP if user not logged in’ in the settings of the SSO Plugin.   Now a staff user is able to click a link from a mailout, pointing to a particular page, and get signed in automatically through IDP and redirected to that page.  However, I identified an issue with Two Factor Authentication and my client would also like to continue supporting two login processes.

    New Issue – ‘Authenticated’ Loop

    I was connected directly to the internet, not through VPN.  I pointed my browser to https://www.abc.com and the IDP login form was presented by Ping Identity.  I typed in my SESA code and password and received a prompt from Ping Identity on my phone, where I had installed the Ping Identity app and tested Two Factor Authentication (2FA).  I scanned my fingerprint, it was recognised by IDP but the browser went into a loop, presenting the same page with the text ‘Authenticated’ over and over again.  I closed the browser and browsed to http://www.abc.com/login, clicked the button ‘Logout’ and was then logged in automatically.

    Is there something in the dialogue between the SSO Plugin and the IDP that needs to be configured to support 2FA?   The Ping Identity IDP for our company is managed by the IT organisation of our company.

    Feature Request – External Login

    Even though the site has only a handful of external users, they are important to the owners of this website.  Would it be possible to support two login processes in the SSO Plugin, internal with SSO and external with local authentication, if external users browse to a particular login page?  Maybe the external login page can be excluded from being auto redirected  to IDP so that local authentication can take place.

    I understand that supporting two login processes is not standard and would require customisation of the SSO Plugin  If possible, I would be happy to present your cost estimate to my client for approval.

    Best Regards,

    Toivo

    Toivo
    # 7 years ago

    Hi Anirban,

    Thanks. The new configuration setting seems to cause a regular issue with the loop in the authentication by Ping Identity.

    Also when I use Internet Explorer 11 and try to browse to a particular page at the website, like https://www.abc.com/offers/ecostruxure-offers, IE11 shows the message This page can’t be displayed and if I activate F12 and look at the Console, there are strange errors:

    The link in the last message is redirected to the article Back navigation caching at https://msdn.microsoft.com/library/dn265017(v=vs.85).aspx

    This behaviour causes a major UX issue, which hopefully will be resolved quickly. If you need any SAML logs or assistance from  IT, please let me know urgently.

    Best Regards,
    Toivo

    Kalpesh
    # 7 years ago

    Hi Toivo,

    Can you send us test credential so that I can reproduce the authentication loop issue. If not possible can you send me SAML tracer logs.

    We can add new feature you want by customising SSO page.

    Thanks,
    Kalpesh

    Toivo
    # 7 years ago

    Hi Kalpesh,

    Unfortunately, it is not going to be possible to reproduce the error on your workstation because IT has not given me any extra SESA codes for testing.

    If you need to see the issue on my workstation, that can be done easily.
    I had to turn off the option ‘Enable auto redirect to IDP if user not logged in’ at the main site because the loop issue was affecting users. I recorded the SAML tracer logs at the POC site, https://abc.com. The results are somewhat confusing:
    -Firefox does not have this issue but I attached the SAML Tracer logs as comparison
    -IE11 does not seem to have this issue
    -Chrome goes into a loop, as described earlier, if I am not connected to VPN and the Ping presents the login form and handles the authentication through 2FA (using the option FormPingID, not KerbForm). Test results are included in the attached file.

    Then I ran the following test using IE11: The home page of the IE11 browser is an internal page, https://abc.com, as you can see from the SAML Tracer log files. When I am not connected to VPN, it prompts me to login to Ping Identity. I type in my SESA code and password, get authenticated through 2FA and the Ping app in my phone and I can then access the Spiceportal site. When I go the POC IoT site, a similar login prompt is presented by the IDP:

    https://ping-sso-abc.com/idp/SSO.saml2?SAMLRequest=lZJNb9swDIbv%2BxWC7v6Q89FGiBNkDYoF6NagdnvoZZBlOhFgS54oZdu%2Fr2IvQ3dIgQk6CCRFPi%2FJ5fpX15ITWFRG55TFKSWgpamVPuT0ubyPbul6tUTRtT3feHfUT%2FDDAzoS%2FmnkgyOn3mpuBCrkWnSA3ElebL4%2B8CxOeW%2BNM9K0lOy2Of0%2Bg8lN1SygmWSCTavb6ayeVg1k1SydpCmb1otJvUhhvggkLxeu7My1Q%2FSw0%2BiEdsGUspuIsSidl2zOZyzcV0r2f4p9VnqU8BFZNQYh%2F1KW%2B2j%2FWJSUbBDBulD0zmj0HdgC7ElJeH56yOnRuR55kvRGxsq4%2BCRF13uMUR41qBpsBC1IZ5WMpemSdWfs2K1cSKRkG15KCzdI%2BpsrEESIJvLCXUuk6j4pisf43O2MjuPgQzvsuzl8LFZchNHVf8roW39QGhMRxg%2FaKTkoSDqllbFCH%2BBcPFkm76guG%2FMtYOy2e9Mq%2BZts2tb8vLMgHOTUWQ%2BU3BvbCXcdnMVssKg&RelayState=https://abc.com/&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsigmore%23rsasha256&Signature=O0OI1ShlF71dfgo1wly%2BVgKkZJHmCsWhnvk%2B%2BNKxZGzXkygP%2BXRnyYnJIqTZklrfjUdOlveoGJRjdxVPTRNsqUGOlff8Tb3nsQWNiafZkSEWBeGjDaj%2FBFy76kT7NrNxAyzAsYi6YftRgooxmsowXmmOgqY6YUufevlemF%2FbVURaJExUEbFiRg3uJ3wZRAf7OWntmH%2F8%2FcHe8r3T3%2BJNqq6AkCzu15%2FfVHhg7aVsDAgyP5hn44RmRyBsXxRr9lfkxsEveGM3Px9MFROuxIp7%2BeePF%2Bm4cihzK98mDHS%2B6dUl%2FX7x0jQHhvTR5ipfCraCACI4yeIrCfo%2FVLOtTYAKmw%3D%3D

    The form is submitted, the page with a green box and the word Authenticated flashes in the browser and I am logged in all right. Therefore, this test did not detect any problem in IE11. A web developer in the Boston office ran some tests when he was outside the office and not connected to VPN. He cleared the cookies and cache and also tried the incognito mode. He confirmed the issue in Chrome, but Safari was working all right.

    About the live site http://www.iot: when the option ‘Enable auto redirect to IDP if user not logged in’ is turned off and I click the SSO button, the 2FA through Ping Identity works normally also in Chrome.

    The log file from the Chrome test was exported from SAML Chrome Panel and you can see the loop in the attached screenshot.

    Customisation
    Would it also be possible to get a rough estimate of the cost of the customised version where the login page for external, non-SESA users is supported “ or excluded from the automatic redirection to IDP?

    Best Regards,

    Toivo

    Kalpesh
    # 7 years ago

    Toivo,

    Everything looks good from saml logs. Can you check if you see any error in error logs.

    Thanks,
    Kalpesh

    Toivo
    # 7 years ago

    Hi Kalpesh,

    How can the SAML logs look good if the SSO plugin gets into loop? The behaviour is shown clearly in the Chrome tracer log that I sent you earlier.

    Similar entries can be seen in the PHP error logs from the live site between Nov 3 and Nov 6. The PHP error files from the live site are inside www-iot-logs.zip and they show how the size of the daily PHP error log increased after Nov 3 when I set the plugin option and decreased after I turned the option off on Nov 6.

    Would it be possible for you to send a version of the SAML SSO plugin which logs and captures the conditions in which the loop occurs? My client needs the relay of the return URL to work and a large proportion of staff use Chrome.

    Best Regards,
    Toivo

    Kalpesh
    # 7 years ago

    Hi Toivo,

    Yes. I will send you updated plugin which has logs for auto redirect cases so that we can find the issue.

    Thanks,
    Kalpesh

    Toivo
    # 7 years ago

    Hi Kalpesh,

    Thanks, it will be good to get the logging started. It does not matter if the plugin writes more data to the log than normally because the server in Azure is fast.

    Best Regards,
    Toivo

Viewing 8 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic.