Bug 1562403

Summary: Error upon successful SAML login when username contains capital letters
Product: Red Hat CloudForms Management Engine
Reporter: Curtis Matthews <cmatthew>
Component: UI - OPS
Assignee: Joe Vlcek <jvlcek>
Status: CLOSED CURRENTRELEASE
QA Contact: Mike Shriver <mshriver>
Severity: medium
Docs Contact:
Priority: high
Version: 5.8.0
CC: cmatthew, cpelland, hkataria, jvlcek, lavenel, mpovolny, mpusater, myoder, obarenbo, simaishi
Target Milestone: GA
Keywords: TestOnly, ZStream
Target Release: 5.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: auth:externalauth:saml
Fixed In Version: 5.10.0.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1578865 1578866
Environment:
Last Closed: 2018-07-30 14:43:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1578865, 1578866
Attachments: error image (flags: none)

Description Curtis Matthews 2018-03-30 15:00:54 UTC
Created attachment 1415144: error image

Description of problem:
When a user with capital letters in their username logs in to CFME via SAML, the initial dashboard shows an error.  Upon clicking to other areas of the UI, the error goes away and normal operations resume.

Version-Release number of selected component (if applicable):
5.8.3.4

How reproducible:
Every time

Steps to Reproduce:
1.  Configure SAML
2.  User with capital letters in username logs in
3.  Dashboard shows error

Actual results:
Error loading dashboard

Expected results:
No error

Additional info:

Comment 2 Dave Johnson 2018-03-30 15:04:20 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 4 Dave Johnson 2018-03-30 15:44:35 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 5 Joe Vlcek 2018-04-02 17:06:36 UTC
I’m not sure where that error would be coming from. It appears to be after the authentication and authorization has completed successfully so I would expect it happened after that.

We would need more information to debug.

Please see this section of this blog post for a list of items that would help
engineering debug this.

http://manageiq.org/blog/2018/01/troubleshooting-auth/#reporting-authentication-issues

Comment 7 Joe Vlcek 2018-04-05 18:29:02 UTC
Michael,

Thank you for the provided information!

My understanding is that at login if a mixed case userid is specified, e.g.:
"Kurt Sherman", that an error dialog is presented. Once the error is dismissed
user "kurt sherman" (all lowercase) is created and the appliance functions as
expected.


The provided logs have no indication of the error or the failing user "Kurt Sherman". I suspect the logs you have provided have been logrotated since the error.

What SAML server are they using?
Is the userid in the SAML server mixed case or is it all lowercase? Keycloak will not allow mixed case userids. When creating a new user, if mixed case is entered for the userid it is converted to all lowercase.

I have tried but am unable to reproduce this with 5.8.3.5 and 5.9.2.0 by entering
a mixed case userid on the login screen.

1. Please try updating to 8.3.5 or newer if possible.

2. Please report what the userid is as stored in the SAML server.

3. If the bogus error message persists please capture the logs immediately after the
error dialog is observed.

4. Please confirm my understanding that the issue is a bogus error dialog, that once
dismissed the appliance works as expected.

Comment 15 CFME Bot 2018-05-01 14:29:46 UTC
New commit detected on ManageIQ/manageiq-api/master:

https://github.com/ManageIQ/manageiq-api/commit/ada986658ec9e7abddf6f31fd69d4a8143aa36c4
commit ada986658ec9e7abddf6f31fd69d4a8143aa36c4
Author:     Joe VLcek <jvlcek>
AuthorDate: Mon Apr 30 14:30:29 2018 -0400
Commit:     Joe VLcek <jvlcek>
CommitDate: Mon Apr 30 14:30:29 2018 -0400

    Downcase userid to match how it is stored in the DB.

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1562403

    If the authentication directory returns mixed case for the userid it
    needs to be downcased to match the way userids are stored in the DB.

    IBM Tivoli SAML can report usernames in mixed case. Most SAML servers do not.
    This PR will ensure mixed case usernames are downcased before comparing them
    to how they are stored in the DB.

 lib/services/api/user_token_service.rb | 1 +
 spec/lib/services/api/user_token_service_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

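The following is an added illustration of the mismatch the commit message describes, not code from ManageIQ or from the commit itself: the user-creation path and the token-service lookup must normalize the asserted userid the same way, or a SAML provider that asserts mixed case (IBM Tivoli, per the commit) produces a user that exists in the DB but cannot be found. The user table, names and function names are constructed for the example.

```ruby
# Constructed in-memory user table keyed the way the DB stores userids
# (all lowercase). The name is sample data taken from comment 7.
USERS = {
  "kurt sherman" => { name: "Kurt Sherman", groups: ["EvmGroup-administrator"] },
}

# Creation path (hypothetical): normalizes before storing, so a mixed-case
# SAML assertion lands on the lowercase key and no duplicate row is made.
def find_or_create_user(store, asserted_userid)
  key = asserted_userid.downcase
  store[key] ||= { name: asserted_userid, groups: [] }
  key
end

# Pre-fix token lookup (hypothetical): compares the raw asserted userid
# against lowercase keys, so "Kurt Sherman" is not found even though the
# user exists. This inconsistency is what surfaces as the bogus error.
def lookup_for_token_before_fix(store, asserted_userid)
  store.fetch(asserted_userid) { raise "user #{asserted_userid} not found" }
end

# Post-fix token lookup: downcases first, matching the creation path.
def lookup_for_token_after_fix(store, asserted_userid)
  store.fetch(asserted_userid.downcase) { raise "user #{asserted_userid} not found" }
end

# Runs one login through creation and then the token lookup, returning
# what was found (or the error) plus how many users exist afterwards.
def reproduce(asserted_userid, fixed:)
  store = USERS.dup
  find_or_create_user(store, asserted_userid)
  user = fixed ? lookup_for_token_after_fix(store, asserted_userid)
               : lookup_for_token_before_fix(store, asserted_userid)
  { found: user[:name], user_count: store.size }
rescue RuntimeError => e
  { error: e.message, user_count: store.size }
end
```

Running `reproduce("Kurt Sherman", fixed: false)` returns the "not found" error while the user count stays at one, which matches the report: the account is present, only the lookup misses it.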
Comment 18 Dave Johnson 2018-07-30 14:43:55 UTC
Closing this as it's already been verified in two z-streams and has test coverage around it.