[ProjectSCZ-FIAM] enrolment cookie monster

Gerben Venekamp gerben.venekamp at surfsara.nl
Fri Dec 15 09:09:40 CET 2017


Hello Mark,

Yes, it is time that we understand exactly what is going wrong here and that a solution is found. This is not pleasant for the user, and we cannot expect users to spontaneously understand that a private window is a workaround.

Thank you for bringing this to our attention once again.

Regards,
Gerben

> On 14 Dec 2017, at 18:43, <M.A.Santcroos at lumc.nl> <M.A.Santcroos at lumc.nl> wrote:
> 
> Hi all,
> 
> During my COmanage roadshow ;-) I visited another organisation today to show what we had done.
> We used the Google IDP, and the whole enrolment went fine again, up to the point where I, as CO admin, had approved the user and he subsequently could not log in because his browser session remained stuck in the pre-approved state. (A private window eventually came to the rescue again.)
> I think that in this case too the user was already authenticated with his IDP before we started the COmanage routine, but I am not 100% sure of that ...
> 
> Since this time it was with the Google IDP, it should be reproducible on the SURF side as well!
> 
> Regards,
> 
> Mark
> 
>> On 5 Dec 2017, at 17:07 , Pieter Neerincx <pieter.neerincx at gmail.com> wrote:
>> 
>> Hi Mark,
>> 
>> We've seen this several times before, but it is hard to reproduce. Normally it should be a binary situation: either you've authenticated using SURFconext or you have not, but sometimes you get stuck in a semi-authenticated half-baked session :o. Restarting the web browser (which in my config clears all caches/cookies/etc.) or starting a private session resolves the issue...
>> 
>> Cheers,
>> 
>> Pi
>> 
>>> On 5 Dec 2017, at 16:52, Gerben Venekamp <gerben.venekamp at surfsara.nl> wrote:
>>> 
>>> Hello Mark,
>>> 
>>>> On 5 Dec 2017, at 16:46, <M.A.Santcroos at lumc.nl> <M.A.Santcroos at lumc.nl> wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> I just asked a colleague to sign up.
>>>> 
>>>> He wasn't asked for a password. (Did he still have an SSO session active?)
>>> 
>>> If he was not redirected to his IdP (LUMC I presume), then yes. Had he done the same enrolment from a private session, he should have been redirected to his IdP where he should be asked for his credentials.
>>> 
>>>> 
>>>> After he was approved by me, he wasn't able to login, and he kept getting the message "The identifier "89604-lumcnet at lumc.nl" is not registered. If your request for enrollment is still being processed, you will not be able to login until it is approved. Please contact an administrator for assistance." when he went to the COmanage website.
>>> 
>>> Did the user read his mail and has he confirmed his e-mail address?
>>> Did you actually approve his enrolment?
>>> 
>>>> 
>>>> Only after he went to a private window, he was asked for his credentials, and was able to login and add his ssh key.
>>> 
>>> Ah, yes. That is in line with what I said above.
>>>> 
>>>> Did people try this outside of private session? (I generally don't …)
>>> 
>>> You shouldn’t really. Normal users should not be bothered by cookies and such.
>>> -------------------------------------------------------------
> 

----
 Gerben Venekamp

| Advisor DPS ∙ SURFsara ∙ Science Park 140 ∙ 1098 XG ∙ Amsterdam |
| T +31 (0) 20 800 1300 ∙ https://surfsara.nl                      |
| Available on: Mon, Tue, Wed, Thu. Not available on Fri          |
We are ISO 27001 certified and meet the high requirements for information security.


