[ProjectSCZ-FIAM] enrolment cookie monster

M.A.Santcroos at lumc.nl
Thu Dec 14 18:43:11 CET 2017


Hi all,

During my COmanage roadshow ;-) I visited another organisation today to show them what we had done.
We used the Google IdP; the whole enrolment went fine again, until the point where I, as CO admin, had approved the user and he then could not log in because his browser session stayed stuck in the pre-approved state. (A private window eventually provided the way out again.)
I think that in this case too the user had already authenticated with his IdP before we started the COmanage routine, but I am not 100% sure about that ...

Since this was now with the Google IdP, it should also be reproducible on the SURF side!

Regards,

Mark

> On 5 Dec 2017, at 17:07 , Pieter Neerincx <pieter.neerincx at gmail.com> wrote:
> 
> Hi Mark,
> 
> We've seen this several times before, but it is hard to reproduce. Normally it should be a binary situation: either you've authenticated using SURFconext or you have not, but sometimes you get stuck in a semi-authenticated half-baked session :o. Restarting the web browser (which in my config clears all caches/cookies/etc.) or starting a private session resolves the issue...
> 
> Cheers,
> 
> Pi
> 
>> On 5 Dec 2017, at 16:52, Gerben Venekamp <gerben.venekamp at surfsara.nl> wrote:
>> 
>> Hello Mark,
>> 
>>> On 5 Dec 2017, at 16:46, <M.A.Santcroos at lumc.nl> <M.A.Santcroos at lumc.nl> wrote:
>>> 
>>> Hi,
>>> 
>>> I just asked a colleague to sign up.
>>> 
>>> He wasn't asked for a password. (Did he still have a SSO session active?)
>> 
>> If he was not redirected to his IdP (LUMC I presume), then yes. Had he done the same enrolment from a private session, he should have been redirected to his IdP where he should be asked for his credentials.
>> 
>>> 
>>> After he was approved by me, he wasn't able to login, and he kept getting the message "The identifier "89604-lumcnet at lumc.nl" is not registered. If your request for enrollment is still being processed, you will not be able to login until it is approved. Please contact an administrator for assistance." when he went to the COmanage website.
>> 
>> Did the user read his mail and has he confirmed his e-mail address?
>> Did you actually approve his enrolment?
>> 
>>> 
>>> Only after he went to a private window, he was asked for his credentials, and was able to login and add his ssh key.
>> 
>> Ah, yes. That is in line with what I said above.
>>> 
>>> Did people try this outside of private session? (I generally don't …)
>> 
>> You shouldn’t really. Normal users should not be bothered by cookies and such.
>> -------------------------------------------------------------



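The thread reports a symptom (a browser session that stays in the pre-approved state after the CO admin has approved the user, until the cookies are cleared or a private window is used) but does not diagnose its cause. The toy model below is added here and is not part of the mailing-list thread, of COmanage or of SURFconext; it shows one mechanism that produces exactly these symptoms, namely a registration check that is performed once at login and cached in the session, so that a later approval only changes the registry and never reaches the existing session. Beside it is the hardened variant a practitioner would want: authentication stays in the session, but the "is this identifier registered?" decision is re-read on every request and approval invalidates any session created while the request was still pending. The class names, the identifier, the message text and the "login required" outcome are all constructed for illustration, not taken from the real software.

```python
# Toy model of the "stuck in a pre-approved state" symptom from the thread.
# ASSUMPTION (not established by the thread): the service records the outcome
# of its "is this identifier registered?" check in the browser session when the
# session is created, and the CO admin's approval only changes the registry.
# Identifiers and messages below are constructed placeholders, not real data.

PENDING, APPROVED = "pending", "approved"

NOT_REGISTERED = ('The identifier "{ident}" is not registered. If your request '
                  'for enrollment is still being processed, you will not be able '
                  'to login until it is approved.')


class Registry:
    """Enrolment registry: identifier -> status, changed by the CO admin."""

    def __init__(self):
        self._status = {}
        self._on_approve = []          # callbacks run when an identifier is approved

    def request_enrolment(self, ident):
        self._status[ident] = PENDING

    def approve(self, ident):
        self._status[ident] = APPROVED
        for cb in self._on_approve:
            cb(ident)

    def is_registered(self, ident):
        return self._status.get(ident) == APPROVED

    def subscribe(self, cb):
        self._on_approve.append(cb)


class CachingService:
    """Reproduces the symptom: the registration check is done once, at login,
    and the answer lives in the session for as long as the cookie does."""

    def __init__(self, registry):
        self.registry = registry
        self.sessions = {}             # session cookie -> {"ident", "registered"}

    def login(self, cookie, ident):
        # With an active IdP SSO session this step is silent for the user;
        # the service caches the registry answer in the new session.
        self.sessions[cookie] = {"ident": ident,
                                 "registered": self.registry.is_registered(ident)}

    def access(self, cookie):
        s = self.sessions[cookie]
        return "ok" if s["registered"] else NOT_REGISTERED.format(ident=s["ident"])


class RevalidatingService(CachingService):
    """Hardened variant: the session only says who the user is; whether the
    identifier is registered is re-read from the registry on every request,
    and approval drops any session that was created while still pending."""

    def __init__(self, registry):
        super().__init__(registry)
        registry.subscribe(self.invalidate_sessions_for)

    def invalidate_sessions_for(self, ident):
        stale = [c for c, s in self.sessions.items() if s["ident"] == ident]
        for c in stale:
            del self.sessions[c]

    def access(self, cookie):
        s = self.sessions.get(cookie)
        if s is None:
            return "login required"    # user is sent back through the IdP
        if not self.registry.is_registered(s["ident"]):
            return NOT_REGISTERED.format(ident=s["ident"])
        return "ok"


def scenario(service_cls):
    """Enrol, log in while pending, get approved, then retry first in the same
    browser session and then in a fresh one (the 'private window' of the thread).
    Returns (same_browser_result, fresh_browser_result)."""
    ident = "12345-example at example.org"         # constructed placeholder
    registry = Registry()
    svc = service_cls(registry)
    registry.request_enrolment(ident)
    svc.login("cookie-A", ident)                  # first visit, still pending
    registry.approve(ident)                       # CO admin approves
    same_browser = svc.access("cookie-A")
    svc.login("cookie-B", ident)                  # fresh session, new cookie
    fresh_browser = svc.access("cookie-B")
    return same_browser, fresh_browser


if __name__ == "__main__":
    for cls in (CachingService, RevalidatingService):
        print(cls.__name__, scenario(cls))
```

Running it, `CachingService` returns the "not registered" message for the old cookie and "ok" only for the fresh one, which is the behaviour described in the thread; `RevalidatingService` answers "login required" for the old cookie (the approval invalidated it) and "ok" for the new one. Either mitigation alone would do: re-checking the registry per request fixes the stale answer, and invalidating sessions on approval additionally guarantees the user goes through the IdP once more after the state change.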