Description of problem: User does not have a chance to uncheck 'Connect Automatically' checkbox when SSO into User Portal is used. Unfortunatelly I was not able to find a way to change the default to off. Version-Release number of selected component (if applicable): Connect Automatically checkbox How reproducible: 100 % Steps to Reproduce: 1. Configure SSO to User Portal 2. Log-in Actual results: Users with 1 VM are always getting new open console to the VM and do not have chance to disable 'Connect Automatically' checkbox. Expected results: Default value of 'Connect Automatically' checkbox can be configured at least per RHEV-M instance. Additional info: Further refinement to per-user setting would be a nice improvement but is not strictly necessary for my use case.
Einav - can you elaborate on this functionality?
(In reply to Oved Ourfali from comment #1) > Einav - can you elaborate on this functionality? this functionality is in the domain of responsibility of the 'virt' team so I recommend to confirm with them: 'Connect Automatically' is a check-box that existed in user-portal login page; when checked - the user would have been connected automatically to the console (spice) of his VM right after his (successful) login, assuming he has exactly 1 running VM in his user portal. the status of the check-box (checked/unchecked) is persisted in a cookie, so that when the user re-accesses the user portal, the user-portal login-page sets the check-box as checked/unchecked based on the cookie value (i.e. based on the check-box status from the previous user-portal access). AFAIK: upon successful user-portal login, the main-page of the user-portal reads the value of the cookie, and based on it - it either connects to the VM's console (again, only if there is exactly 1 running VM in the user portal), or does nothing. So now with the SSO login change: the user-portal login page + the check-box don't exist anymore, but the cookie + the user-portal-main-page logic associated with this cookie still exist. So now if a user would like to change the 'connect automatically' value - he cannot do that. Need to find an alternative location in the GUI for the 'Connect Automatically' setting (upper right menu in the user-portal main view? welcome page? new SSO login page if possible technically?). While we are at it: Not sure if already thought about / taken care of, but I expect that an alternative location for the MoTD and the "browser not optimal" warning would need to be found as well. I recommend consulting directly with Eldan about this, if necessary.
Michal / Scott - do we know if this functionality is even used widely before we find a solution for that? As for the browser not optimal, and message of the day, they should appear in the SSO login page.
I cannot speak about general usage pattern but for our use case the default behavior 'Connect automatically' is hugely annoying because we rarely access VM's console. The usual access method for us is SSH so displaying VM's console is just annoying if you simply want to revert snapshot or so.
pointing out that I am not sure whether this BZ was reported on an explicit SSO configuration (BZ was opened on April), or if this BZ is somehow already about https://gerrit.ovirt.org/#/c/36619/ (which is not even merged yet). Assuming the BZ was opened on an engine on which https://gerrit.ovirt.org/#/c/36619/ was NOT applied - there is a good chance that the behavior now is different then the one reported in the description (i.e. Connect Automatically is not being performed at all), as the ConnectAutomaticallyManager was completely removed in https://gerrit.ovirt.org/#/c/36619/. Worth checking with Ravi/virt team.
Einav, SSO concept is misleading. What Ravi is working on is SSO among all engine components. What by mistake PM referred in the past as SSO was password delegation into VM. The ability to transfer the password used to login into the engine into the guest. This is *NOT* SSO, but for some reason this was the term that was used. I suggest to start using the proper term "Password delegation" for this feature. This bug is about the password delegation, and yes, this feature owned by virt team.
But the reporter is referring to SSO to user portal. Perhaps by that he means that he is already logged in, rather than real SSO, which we still don't have. And the "connect automatically" is a check box that appears in the login page, and won't appear again if you are logged in. I must say I also don't follow the flow completely. Perhaps he is referring to kerberos configuration or something like that. Petr, can you elaborate?
Created attachment 1039876 [details] video from login sequence I mean the 'real SSO' into the User Portal, *not* logging-in into a VM. I'm attaching the screencast from SSO-logging into User Portal - you can see that I'm not able to click to the checkbox even if the login is 'slow enough' so I have time to click on it. Does it answer your question?
I get segmentation error while trying to view the video. Not sure I understand... Do you expect to enter a user manually while kerberos SSO is enabled?
Created attachment 1039884 [details] screenshot of checkbox Connect Automatically in User Portal LOL, maybe your media player deserves an upgrade :-) I'm attaching screenshot of the checkbox to make sure that we are talking about the same thing. I mean literally what I said the original description: User does not have a chance to uncheck 'Connect Automatically' checkbox when [[Kerberos] SSO into User Portal is used. As a result, 'Connect Automatically' feature is always enabled so the user has no choice how to get rid of unwanted Console. Affected RHEV version is 3.5.1-0.4.el6ev, I'm sorry for not specifying it in the bug description. Feel free to ping me on IRC - nick pspacek.
OK... Now I figured it out! Thats Petr! The portal login has a feature which I was not aware of, a checkbox that is by *DEFAULT* on, if there is only one VM, once login into user portal it instructs the portal to immediately delegate the user credentials into that VM. When we use negotiation we have no password, thus we need to disable this completely. Ravi, we know if we do not have a password during login (3.5) the session contains null password, if so we need to disable this auto login as if user de-select it.
Oved, please state if you want this for z-stream, it can be annoying indeed.
I'm okay with doing that on z-stream. However, I repeat my question in Comment #3 - do we really need/want this feature? It sounds a bit redundant to me.... Michal/Scott?
Oved, I will chime in on why this feature is here. This is for instances where we have thin clients, that when the user logs into the user portal, it automatically takes them to their desktop. This is usually in combination with some sort of pool setup where the user is assigned to the pool. I am pretty sure all our thin client users will start screaming if we take this ability away.
I don't know how widely it is used, but it is there since forever and we can't just remove it without making sure. I agree it's annoying and we should find a better place. Possibly make it configurable (if it is actually used and we don't want to remove it) as a user profile setting (e.g. virtio-console's ssh key is one, we just don't have UI and do not allow others to set it for anyone) Since we don't have full SSO with the guest it is still the only way how to seamlessly get into a VM without doing anything in the user portal
Hi Oved, Why isn't this 3.5.z? it is trivial to fix and annoying issue. Thanks!
ok in 3.6.0-12