fix: preserve saml idp redirect on device trust web auth #54530
flyinghermit merged 9 commits into master from
Conversation
I went ahead to keep the existing implementation as it is with this patch, but the current way of passing the SAML redirect URL is prone to breaking in the future. Upon looking at all the hops that the
Manually tested the following conditions:
const SAML_SP_INITIATED_SSO_PATH = '/enterprise/saml-idp/sso';
const SAML_IDP_INITIATED_SSO_PATH = '/enterprise/saml-idp/login';
SAML_SP_INITIATED_SSO_PATH is already defined in cfg routes, should we also define the /login in cfg api path too so we can have a single place to get this const?
Good point. Looking at these, I might just keep a single definition with /enterprise/saml-idp path. Let me keep this as is for now and I will check how the value can be shared and understood for all the use cases.
avatus left a comment
my comment isn't a blocker btw, I don't care about test spelling
@flyinghermit See the table below for backport results.
* handle saml idp sso redirection in deviceWebConfirm
* preserve url search property for saml idp sso path
* connect: use decodeURI to launch unauthorized session url
* handle idp initiated sso url
* remove decodeURI from buildUnauthorizedSessionUrl
* fix test case name typo
Fixes #54121
Issue:
/web path was expected as default, which didn't handle SAML IdP paths and query strings /enterprise/saml-idp/sso and /enterprise/saml-idp/login.
Fix:
/enterprise/saml-idp/sso, IdP initiated SSO path /enterprise/saml-idp/login and respond with full redirect URL instead of a prefixed /web path after device authentication confirmation.
http.Error in case of an error.
Background on SAML IdP login redirection:
During SAML IdP authentication the user is redirected to the authentication page under two scenarios:
For each redirection, the IdP preserved the original request format by URL-encoding it and appending it to the redirect_uri query. This URL-encoded query broke during the device trust web authentication ceremony, as the value is parsed in the UI, Connect and the device verification handler.
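The redirect handling the description above talks about, as an added JavaScript example that is not the PR's or Teleport's own code: it keeps the SAML IdP path plus its query string intact after device confirmation and refuses off-origin targets. The two path constants are the ones quoted in the review; CLUSTER_ORIGIN, the /web/device/confirm confirmation URL and the SAMLRequest value are constructed placeholders.

```javascript
// Added example (not Teleport's code): compute the post-confirmation redirect for the
// device-trust web flow while keeping the SAML IdP query string intact and refusing
// off-origin targets. CLUSTER_ORIGIN and the sample URL are constructed placeholders.
const SAML_SP_INITIATED_SSO_PATH = '/enterprise/saml-idp/sso';
const SAML_IDP_INITIATED_SSO_PATH = '/enterprise/saml-idp/login';
const SAML_IDP_SSO_PATHS = new Set([SAML_SP_INITIATED_SSO_PATH, SAML_IDP_INITIATED_SSO_PATH]);
const CLUSTER_ORIGIN = 'https://teleport.example.com'; // assumed cluster origin
const DEFAULT_REDIRECT = '/web';

// redirectUri is the redirect_uri value after the single percent-decode done by the
// query parser; decoding it again here could alter any nested encoding (e.g. %2B).
function buildRedirectAfterDeviceConfirm(redirectUri) {
  let target;
  try {
    target = new URL(redirectUri, CLUSTER_ORIGIN); // accepts relative or absolute
  } catch {
    return DEFAULT_REDIRECT; // unparseable value: fall back to the web app
  }
  // Same-origin only: an absolute or protocol-relative "//host/..." value pointing
  // elsewhere must not turn the parameter into an open redirect.
  if (target.origin !== CLUSTER_ORIGIN) {
    return DEFAULT_REDIRECT;
  }
  if (SAML_IDP_SSO_PATHS.has(target.pathname)) {
    // SAMLRequest / RelayState ride in the query string: return path + search as-is.
    return target.pathname + target.search;
  }
  return DEFAULT_REDIRECT;
}

// Read redirect_uri from the confirmation page URL; URLSearchParams decodes exactly once.
function redirectUriFromConfirmUrl(confirmUrl) {
  return new URL(confirmUrl).searchParams.get('redirect_uri') ?? '';
}

// Constructed sample: an IdP query containing %2B inside SAMLRequest gets encoded a
// second time when nested into redirect_uri (the /web/device/confirm path is made up).
const SAMPLE_CONFIRM_URL =
  'https://teleport.example.com/web/device/confirm?id=abc123&redirect_uri=' +
  encodeURIComponent('/enterprise/saml-idp/sso?SAMLRequest=nZJ%2Bxy&RelayState=app1');

function demo() {
  return buildRedirectAfterDeviceConfirm(redirectUriFromConfirmUrl(SAMPLE_CONFIRM_URL));
}

console.log(demo()); // /enterprise/saml-idp/sso?SAMLRequest=nZJ%2Bxy&RelayState=app1
```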