Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

honor redirect to SAML SSO path if user is already authenticated #50436

Merged
merged 8 commits into from
Dec 20, 2024
Merged

honor redirect to SAML SSO path if user is already authenticated #50436

merged 8 commits into from
Dec 20, 2024

Conversation

flyinghermit
Copy link
Contributor

@flyinghermit flyinghermit commented Dec 19, 2024
edited
Loading

In authenticated session, we always used to redirect to root path /web. This was done to prevent showing up Login form for users who are already authenticated but land on the https://proxy/web/login?redirect_uri=... path. This breaks SAML IdP service provider initiated SSO flow when user is already authenticated but is redirected to the root login page.

This PR updates such redirection behaviour in the UI so that if user has a valid web session, and the redirection path matches enterprise/saml-idp/sso path, the UI will honor the redirection to let user continue with SAML SSO. For non-matching path, the existing behavior of redirecting to the root /web path is preserved.

changelog: updates the UI login redirection service to honor redirection to enterprise/saml-idp/sso path even if user is already authenticated with Teleport.

@flyinghermit flyinghermit mentioned this pull request Dec 19, 2024
Merged
@flyinghermit flyinghermit marked this pull request as ready for review December 19, 2024 16:56
@github-actions github-actions bot requested review from avatus and kiosion December 19, 2024 16:57
@flyinghermit flyinghermit requested review from kimlisa and removed request for avatus and kiosion December 19, 2024 16:57
@flyinghermit flyinghermit changed the title Redirect if path is SAML IdP SSO path honor redirect to SAML SSO path if user is already authenticated Dec 19, 2024
flyinghermit
flyinghermit commented Dec 19, 2024
View reviewed changes
web/packages/teleport/src/Login/useLogin.test.tsx
expect(history.push).toHaveBeenCalledWith(samlIdPPath, true);
});

it('non-base domain redirects with base domain for a matching "/enterprise/saml-idp/sso"', async () => {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We update any other domain to base domain. This test covers that scenario.

Though, this behavior does not sit well with me and I plan to do a followup on idea of rejecting non-base URL instead of replacing it with base URL.

@flyinghermit flyinghermit added this pull request to the merge queue Dec 20, 2024
Merged via the queue into master with commit 8f91da0 Dec 20, 2024
41 checks passed
@flyinghermit flyinghermit deleted the sshah/redirect-on-saml-sso-path branch December 20, 2024 15:29
@public-teleport-github-review-bot
Copy link

@flyinghermit See the table below for backport results.

Branch Result
branch/v15 Failed
branch/v16 Failed
branch/v17 Failed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kimlisa kimlisa kimlisa approved these changes

@r0mant r0mant r0mant approved these changes

Assignees
No one assigned
Labels
backport/branch/v15 backport/branch/v16 backport/branch/v17 size/md ui
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@flyinghermit @r0mant @kimlisa