Bug 1474279 - SSO redirection issues
SSO redirection issues
Status: NEW
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance (Show other bugs)
All All
medium Severity medium
: GA
: cfme-future
Assigned To: Gregg Tanzillo
Matt Pusateri
Depends On:
Blocks: 1468726
  Show dependency treegraph
Reported: 2017-07-24 05:52 EDT by Felix Dewaleyne
Modified: 2018-05-21 02:09 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core

Attachments (Terms of Use)

  None (edit)
Description Felix Dewaleyne 2017-07-24 05:52:38 EDT
Description of problem:
When logging in as admin on a CF 4.5 configured with Red Hat SSO 7.1 on opening https://apliance.example.com it suddenly redirects the browser to the SSO login page, instead of waiting a selection between SSO or local authentication (as expected).
On logout, the browser is redirected to https://appliance.example.com/saml2 which raises a 404

Version-Release number of selected component (if applicable):

How reproducible:
all the time in customer environment

Steps to Reproduce (local login):
1. configure CF to use RH SSO 7.1
2. log in with local admin

Actual results:
redirected back to SSO on login

Expected results:
wait for a selectino between SSO or local authentication

Steps to reproduce (logout)
1 - log in as any user
2 - log out

Actual results:
redirected to a 404

Expected results:
redirected to /saml_login

Additional info:
The customer found changes that would help resolve this issue and implemented them to work around this issue but the fix for their issue is reverted when Cloudforms is restarted.
Comment 2 Felix Dewaleyne 2017-07-24 05:56:10 EDT
The auto-redirect seems caused by the following HTML code embedded into CF main login page

  $(function () {

referring to the previous HTML

<a id="saml_login" class="btn btn-primary form-control" alt="Login" title="Login to Corporate System" data-method="post" data-miq_sparkle_on="true" data-submit="login_div" data-remote="true" href="/dashboard/initiate_saml_login?button=saml_login">Login to Corporate System</a>

The main login page generated using /opt/rh/cfme-gemset/gems/manageiq-ui-classic-0.1.0/app/views/dashboard/login.html.haml which at the end contains:

- auto_login  = session[:auto_login]  # Set to false via dashboard/logout
- session[:auto_login] = true
- if ext_auth?(:sso_enabled)
  - if auto_login != false
    - if ext_auth?(:saml_enabled)
        $(function () {
    - else
        $(function () {
- elsif @user_name  # If user name is pre-populated by the server, press the Login button automatically
    $(function () {

So, to be able to login as admin, we can open https://appliance.example.com/dashboard/logout

To work around the second issue, use http://talk.manageiq.org/t/keycloak-2-5-1-saml-integration/2134/3

Note You need to log in before you can comment on or make changes to this bug.