Bug 1562403 - Error upon successful SAML login when username contains capital letters
Summary: Error upon successful SAML login when username contains capital letters
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - OPS
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: GA
: 5.10.0
Assignee: Joe Vlcek
QA Contact: Mike Shriver
URL:
Whiteboard: auth:externalauth:saml
Depends On:
Blocks: 1578865 1578866
 
Reported: 2018-03-30 15:00 UTC by Curtis Matthews
Modified: 2021-09-09 13:34 UTC (History)
10 users (show)

Fixed In Version: 5.10.0.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1578865 1578866 (view as bug list)
Environment:
Last Closed: 2018-07-30 14:43:55 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
Embargoed:


Attachments
error image (26.51 KB, image/gif)
2018-03-30 15:00 UTC, Curtis Matthews

Description Curtis Matthews 2018-03-30 15:00:54 UTC
Created attachment 1415144
error image

Description of problem:
When a user with capital letters in their username logs in to CFME via SAML, the initial dashboard shows an error.  Upon clicking to other areas of the UI, the error goes away and normal operations resume.

Version-Release number of selected component (if applicable):
5.8.3.4

How reproducible:
Every time

Steps to Reproduce:
1.  Configure SAML
2.  User with capital letters in username logs in
3.  Dashboard shows error

Actual results:
Error loading dashboard

Expected results:
No error

Additional info:

Comment 2 Dave Johnson 2018-03-30 15:04:20 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 4 Dave Johnson 2018-03-30 15:44:35 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 5 Joe Vlcek 2018-04-02 17:06:36 UTC
I’m not sure where that error would be coming from. It appears to be after the authentication and authorization has completed successfully so I would expect it happened after that.

We would need more information to debug.

Please see this section of this blog post for a list of items that would help
engineering debug this.

http://manageiq.org/blog/2018/01/troubleshooting-auth/#reporting-authentication-issues

Comment 7 Joe Vlcek 2018-04-05 18:29:02 UTC
Michael,

Thank you for the provided information!

My understanding is that at login if a mixed case userid is specified, e.g.:
"Kurt Sherman", that an error dialog is presented. Once the error is dismissed
user "kurt sherman" (all lowercase) is created and the appliance functions as
expected.


The provided logs have no indication of the error or the failing user "Kurt Sherman". I suspect the logs you have provided have been logrotated since the error.

What SAML server are they using?
Is the userid in the SAML server mixed case or is it all lowercase? Keycloak will not allow mixed case userids. When creating a new user, if mixed case is entered for the userid it is converted to all lowercase.

I have tried but am unable to reproduce this with 5.8.3.5 and 5.9.2.0 by entering
a mixed case userid on the login screen.

1. Please try updating to 8.3.5 or newer if possible.

2. Please report what the userid is as stored in the SAML server.

3. If the bogus error message persists please capture the logs immediately after the
error dialog is observed.

4. Please confirm my understanding that the issue is a bogus error dialog, that once
dismissed the appliance works as expected.

Comment 15 CFME Bot 2018-05-01 14:29:46 UTC
New commit detected on ManageIQ/manageiq-api/master:

https://github.com/ManageIQ/manageiq-api/commit/ada986658ec9e7abddf6f31fd69d4a8143aa36c4
commit ada986658ec9e7abddf6f31fd69d4a8143aa36c4
Author:     Joe VLcek <jvlcek>
AuthorDate: Mon Apr 30 14:30:29 2018 -0400
Commit:     Joe VLcek <jvlcek>
CommitDate: Mon Apr 30 14:30:29 2018 -0400

    Downcase userid to match how it is stored in the DB.

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1562403

    If the authentication directory returns mixed case for the userid it
    needs to be downcased to match the way userids are stored in the DB.

    IBM Tivoli SAML can report usernames in mixed case. Most SAML servers do not.
    This PR will ensure mixed case usernames are downcased before comparing them
    to how they are stored in the DB.

 lib/services/api/user_token_service.rb | 1 +
 spec/lib/services/api/user_token_service_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
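
The commit above downcases the userid returned by the directory before comparing it with the DB. The following is an added example written for this page, not ManageIQ or CloudForms code, that shows the failure mode and the fix side by side: a constructed users table keyed by lowercase userid, a lookup that matches exactly (the pre-fix behaviour) and one that normalizes first, driven by two constructed attribute sets standing in for what the SAML layer hands to the application. The `REMOTE_USER` / `REMOTE_USER_EMAIL` attribute names, the sample user rows and the group name are assumptions made for the example; the mixed-case name "Kurt Sherman" is the one quoted in comment 7.

```ruby
# Added example (not ManageIQ code): a mixed-case userid from the identity
# provider fails an exact-match lookup against a users table that stores
# userids lowercased; normalizing on the way in makes the lookup succeed.

# Constructed stand-in for the users table. The rows and the group name are
# assumptions for this example; the point is that the key is stored lowercase.
USERS_BY_USERID = {
  'kurt sherman' => { id: 42, userid: 'kurt sherman', groups: %w[EvmGroup-super_administrator] },
  'admin'        => { id: 1,  userid: 'admin',        groups: %w[EvmGroup-super_administrator] }
}.freeze

# Lookup as it behaved before the fix: exact, case-sensitive key match.
# "Kurt Sherman" from the assertion never matches the stored "kurt sherman".
def find_user_exact(userid)
  USERS_BY_USERID[userid]
end

# Normalization applied to the value coming from the directory/SAML layer.
# String#downcase does full Unicode case mapping on Ruby >= 2.4, so the
# same call must be used when the row is written, or lookups can still miss.
def normalize_userid(userid)
  userid.to_s.strip.downcase
end

# Lookup after the fix: downcase first, then compare with the stored key.
def find_user_normalized(userid)
  USERS_BY_USERID[normalize_userid(userid)]
end

# Constructed attribute sets (assumed header names): one in the mixed case a
# server such as IBM Tivoli can return, one lowercased as Keycloak stores it.
MIXED_CASE_ASSERTION = {
  'REMOTE_USER'       => 'Kurt Sherman',
  'REMOTE_USER_EMAIL' => 'kurt@example.com'
}.freeze

LOWER_CASE_ASSERTION = {
  'REMOTE_USER'       => 'kurt sherman',
  'REMOTE_USER_EMAIL' => 'kurt@example.com'
}.freeze

# Resolve the authenticated principal to a local user record (or nil) using
# the named lookup strategy, so the two behaviours can be compared directly.
def resolve(assertion, lookup)
  send(lookup, assertion['REMOTE_USER'])
end

if __FILE__ == $PROGRAM_NAME
  puts "exact, mixed case:      #{resolve(MIXED_CASE_ASSERTION, :find_user_exact).inspect}"
  puts "exact, lower case:      #{resolve(LOWER_CASE_ASSERTION, :find_user_exact).inspect}"
  puts "normalized, mixed case: #{resolve(MIXED_CASE_ASSERTION, :find_user_normalized).inspect}"
end
```

One caveat a reviewer would want stated: matching case-insensitively on the application side assumes the identity provider also treats userids as case-insensitive, which is what the commit message relies on (Keycloak lowercases on creation; most SAML servers do not report mixed case). Against a directory that allows two principals differing only in case, downcasing would map both onto the same local account, so the normalization belongs next to the rule that created the stored userid rather than as an independent convenience.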

Comment 18 Dave Johnson 2018-07-30 14:43:55 UTC
Closing this as its already been verified in two z-streams and has test coverage around it.

