Description of problem:
Auth External Auth SAML
- User with custom group with special characters can't log in.
- User with SR-APP-EPM-Membre-équipe group gets "Authentication failed for userid test-user3, unable to match user's group membership to an EVM role" error message.

Version-Release number of selected component (if applicable):
5.8.1.0 (probably 5.7.3.0 as well)

How reproducible:

Steps to Reproduce:
1. Configure appliance to use SAML
2. Create user who has a custom group like "SR-APP-EPM-Membre-équipe"
3. Add custom group to cfme and assign role.
4. Log in with user.

Actual results:
Login fails with unable to match user's group membership to an EVM role

Expected results:
User should be able to log in.

Additional info:

Created attachment 1296266 [details] audit log
Created attachment 1296267 [details] evm log
Matt, is this still happening? If so, is it restricted to only SAML or all External Auth? Thanks, JoeV
SAML only, I believe. Still an issue on 5.9.0.15.
Still an issue on 5.8.3.2. I did notice that if the user has multiple groups, the user can log in with a valid group (e.g. a built-in cfme group), but can't switch to a group with special chars in it.
Just an FYI: The fix will be to unescape the group name from the headers. Something like this: > git diff app/models/authenticator/httpd.rb - [user_attrs, (request.headers['X-REMOTE-USER-GROUPS'] || '').split(/[;:,]/)] + [user_attrs, (CGI.unescape(request.headers['X-REMOTE-USER-GROUPS']) || '').split(/[;:,]/)] PR to come soon. JoeV
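Review bot: In the `+` line the `|| ''` fallback now sits outside `CGI.unescape(...)`, so a request that carries no `X-REMOTE-USER-GROUPS` header passes nil into `CGI.unescape` and raises instead of producing an empty group list; move the fallback inside the call, as in `CGI.unescape(request.headers['X-REMOTE-USER-GROUPS'] || '')`. The decode also runs before `split(/[;:,]/)`, so a group name whose encoded form contains `%3B`, `%3A` or `%2C` would be decoded into a delimiter and split into pieces; splitting first and decoding each element keeps such names intact.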
https://github.com/ManageIQ/manageiq/pull/16998
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/5963f382efc1be2197298e774ce3ae30af5381ee

commit 5963f382efc1be2197298e774ce3ae30af5381ee
Author: Joe VLcek <jvlcek>
AuthorDate: Tue Feb 13 16:21:29 2018 -0500
Commit: Joe VLcek <jvlcek>
CommitDate: Tue Feb 13 16:21:29 2018 -0500

    Handle group names with encoded special characters

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1469589

    Group names in the headers at index X-REMOTE-USER-GROUPS need to be decoded in order to handle special characters.

 app/models/authenticator/httpd.rb | 2 +-
 spec/models/authenticator/httpd_spec.rb | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

*** Bug 1540732 has been marked as a duplicate of this bug. ***
Verified with 5.10.5.1 and 5.11.0.7.