fix(saml): ensure session cookie survives idp redirect (#801)
Fixes an issue where the session cookie was being marked SameSite by the boot2 upgrade and as a result we would lose an existing session / start a new session after redirect back from the IdP. No longer requires EmptyStorageFactory (went in as a workaround for this issue initially), and fixes redirect after login back to the original request URI being busted.
1 parent 000f9e6, commit 271bfab
Showing 2 changed files with 7 additions and 2 deletions.
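An added example (not part of the commit or the project's code) that models why a session cookie marked SameSite can be missing when the browser returns from the IdP. The cookie name `SESSION`, the sample headers, the two return bindings and the `unset_as` parameter are constructed assumptions; the page does not say which SameSite value or binding was involved.

```python
from http.cookies import SimpleCookie

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def cookie_sent(set_cookie, *, cross_site, method, unset_as="none"):
    """Model a browser's SameSite decision for one top-level HTTPS navigation.

    unset_as is an assumption: how the browser treats a cookie that carries
    no SameSite attribute ("none" = legacy behaviour, "lax" = newer default).
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = next(iter(jar.values()))
    explicit = morsel["samesite"].lower()
    policy = explicit or unset_as
    if not cross_site:
        return True
    if policy == "none":
        # An explicit SameSite=None is only honoured together with Secure.
        return bool(morsel["secure"]) or not explicit
    if policy == "lax":
        # Lax cookies ride along only on safe-method top-level navigations.
        return method.upper() in SAFE_METHODS
    return False  # Strict: never attached to a navigation started on another site


def survives_idp_return(set_cookie, **kw):
    """Would the SP session cookie be attached when the IdP sends the user back?"""
    return {
        # HTTP-POST binding: the IdP page auto-submits a form to the SP.
        "HTTP-POST": cookie_sent(set_cookie, cross_site=True, method="POST", **kw),
        # HTTP-Redirect binding: the IdP answers with a 302 to the SP.
        "HTTP-Redirect": cookie_sent(set_cookie, cross_site=True, method="GET", **kw),
    }


# Constructed sample Set-Cookie headers (not taken from the project).
SAMPLES = {
    "no attribute": "SESSION=abc123; Path=/; HttpOnly",
    "lax": "SESSION=abc123; Path=/; HttpOnly; SameSite=Lax",
    "strict": "SESSION=abc123; Path=/; HttpOnly; SameSite=Strict",
    "none+secure": "SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=None",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(f"{label:13} {survives_idp_return(header)}")
```

When the cookie is not attached on the return request, the service provider sees no existing session and starts a new one, which matches the symptom the commit message describes.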
271bfab
I can't say with 100% certainty that this is related, but it seems like it's worth mentioning here.
So today we tried using master-latest-unvalidated in one of our dev environments because we desperately need a feature that's coming out in 1.14 and I needed to give a team time to work on it. Prior to this we were running 1.13.6.
After upgrading to master-latest-unvalidated my Google OAuth authentication tried and failed even though the configuration hadn't changed at all between versions.
After some time hunting down the issue, I was able to see that the redirect_uri that we are passing to the Service Provider has changed. It was previously passing more or less that gateurl/login, but all of a sudden it was sending a Google internal IP/login. This resulted in an error from Google saying
I was able to correct the redirect URI by using the following halyard command, but it's strange that we've never had to do this for any of our other instances
Again I'm not 100% certain that this is the cause of the issue I'm seeing, but it seems like a possibility.
I'm on Spinnaker Slack with the name Chuck Lane if you need any additional info.
271bfab
Could we have a similar --pre-established-redirect-uri for ldap authentication also? Currently ldap auth does not have it.