Fix 500 when SAML authenticating at IAL2 after password reset #5531

Merged: mitchellhenke merged 5 commits into main from mitchellhenke/saml-fixing on Oct 22, 2021

@mitchellhenke mitchellhenke commented Oct 21, 2021

Less common, but possible path to get a 500 is (NR link):

  1. Have a proofed account
  2. Go to an IAL2 SAML SP and start logging in
  3. Click forgot password, receive email, and change password
  4. Get asked for personal key, enter it
  5. Redirected to account page where you receive new personal key
  6. Go to IAL2 SAML SP and start log in again
  7. See a 500

This fix is similar to what we do in OIDC when facing the same circumstances:

    def prompt_for_password_if_ial2_request_and_pii_locked
      return unless pii_requested_but_locked?
      redirect_to capture_password_url
    end
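
A plain-Ruby model of the guard described above, added here as an illustration and not taken from the PR or the project. It assumes the 500 came from reading PII that is not decrypted in the session; `Session`, `SamlAuthFlow`, `saml_response` and the sample values are hypothetical.

```ruby
# Added illustration, not code from the PR. Only pii_requested_but_locked? and
# capture_password_url come from the page; everything else is hypothetical.
Session = Struct.new(:proofed, :decrypted_pii, keyword_init: true)

class SamlAuthFlow
  def initialize(session, requested_ial:, guard: true)
    @session = session
    @requested_ial = requested_ial
    @guard = guard
  end

  # Returns [status, payload], the way a controller action would respond.
  def call
    return [302, capture_password_url] if @guard && pii_requested_but_locked?

    [200, attributes]
  rescue NoMethodError
    # Assumption: an unhandled error while reading PII is what surfaced as the 500.
    [500, 'Internal Server Error']
  end

  private

  def pii_requested?
    @requested_ial == 2 && @session.proofed
  end

  # Assumption: PII counts as "locked" when the account is proofed but nothing
  # is decrypted in the session, as after a password reset and personal key entry.
  def pii_requested_but_locked?
    pii_requested? && @session.decrypted_pii.nil?
  end

  def capture_password_url
    '/capture_password' # constructed path
  end

  def attributes
    attrs = { uuid: 'constructed-uuid' }
    attrs[:first_name] = @session.decrypted_pii.fetch(:first_name) if pii_requested?
    attrs
  end
end

# Builds a proofed session and runs one SAML request through the flow.
def saml_response(decrypted_pii:, requested_ial:, guard:)
  session = Session.new(proofed: true, decrypted_pii: decrypted_pii)
  SamlAuthFlow.new(session, requested_ial: requested_ial, guard: guard).call
end
```

With the guard off, an IAL2 request against a locked session returns the 500; with it on, the same request is redirected to password capture, while IAL1 requests and unlocked IAL2 sessions are unaffected.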

@mitchellhenke mitchellhenke marked this pull request as ready for review October 22, 2021 14:49
Contributor Author

this is completely unrelated, but it randomly failed while working on this so I tried to make it more resilient

@solipet solipet left a comment

Looks good, one optional comment.

@solipet solipet Oct 22, 2021

Could move this condition to a new method identity_needs_decryption? since it's used in two places and would match the other checks more nicely.

Contributor Author

Good call, done in 69d0933!

@mitchellhenke mitchellhenke force-pushed the mitchellhenke/saml-fixing branch from 7f589ae to 69d0933 Compare October 22, 2021 19:04
@mitchellhenke mitchellhenke merged commit 299d118 into main Oct 22, 2021
@mitchellhenke mitchellhenke deleted the mitchellhenke/saml-fixing branch October 22, 2021 19:16