GLPI 10.0.0: GLPI with LDAP and SSO adds "&noAUTO=1" in notification links leading to break SSO

Open kodicd opened this issue 4 years ago • 16 comments

Version

GLPI 10.0.2

Bug description

Hi, we’re using GLPI with LDAP and SSO. There has been a change where a link in notifications now behaves differently:

Example: https://glpi/index.php?redirect=SoftwareLicense_123&noAUTO=1

In our case the “&noAUTO=1” was not really interpreted in the past with previous versions (when an SSO-session did not take place before opening the link one had to refresh and SSO took place again) – what it does now is breaking the SSO-experience (login-site shows up). The whole issue seems not to be new and was already fixed in the past with GLPI 9.1.2:

https://glpi.userecho.com/en/communities/1/topics/339-remove-noauto1-url-parameter-from-email-notifications and https://github.com/glpi-project/glpi/issues/1744

  • “Added Auth::LDAP to prevent adding of noAuto=1” (Fixes #1744)

Best, Carsten

Relevant log output

No response

Page URL

No response

Steps To reproduce

No response

Your GLPI setup information

No response

Anything else?

No response

kodicd avatar May 03 '22 06:05 kodicd

PS: SSO is done with "Fields storage of the login in the HTTP request": "REMOTE_USER".

kodicd avatar May 03 '22 07:05 kodicd

Any news about it?

scarpio97 avatar Jun 21 '22 09:06 scarpio97

I can only tell this is not an issue with all notifications sent out by GLPI...

kodicd avatar Jun 22 '22 13:06 kodicd

There has been no activity on this issue for some time and therefore it is considered stale and will be closed automatically in 10 days.

If this issue is related to a bug, please try to reproduce on latest release. If the problem persists, feel free to add a comment to revive this issue. If it is related to a new feature, please open a topic to discuss with community about this enhancement on suggestion website.

You may also consider taking a subscription to get professional support or contact GLPI editor team directly.

github-actions[bot] avatar Aug 22 '22 08:08 github-actions[bot]

We have had this issue since we updated to 10.0.0; we have to log in after clicking an email link.

chnateag avatar Aug 24 '22 08:08 chnateag

Again, this still is an issue with some (not all) mail notifications: Problem still exists with GLPI 10.0.2.

kodicd avatar Aug 24 '22 09:08 kodicd

There has been no activity on this issue for some time and therefore it is considered stale and will be closed automatically in 10 days.

If this issue is related to a bug, please try to reproduce on latest release. If the problem persists, feel free to add a comment to revive this issue. If it is related to a new feature, please open a topic to discuss with community about this enhancement on suggestion website.

You may also consider taking a subscription to get professional support or contact GLPI editor team directly.

github-actions[bot] avatar Oct 24 '22 08:10 github-actions[bot]

There has been no activity on this issue for some time and therefore it is considered stale and will be closed automatically in 10 days.

If this issue is related to a bug, please try to reproduce on latest release. If the problem persists, feel free to add a comment to revive this issue. If it is related to a new feature, please open a topic to discuss with community about this enhancement on suggestion website.

You may also consider taking a subscription to get professional support or contact GLPI editor team directly.

github-actions[bot] avatar Dec 25 '22 08:12 github-actions[bot]

This still is an issue with some (not all) mail notifications: Problem still exists with GLPI 10.0.3.

kodicd avatar Dec 27 '22 09:12 kodicd

> This still is an issue with some (not all) mail notifications: Problem still exists with GLPI 10.0.3.

Can you give a list of related notifications, and what was the notification target?

cedric-anne avatar Jan 30 '23 10:01 cedric-anne

Hi, thanks for coming back to me, I'm on GLPI 10.0.6 now, I'll wait for such a notification to appear and come back to you (might take some time).

kodicd avatar Jan 30 '23 10:01 kodicd

No feedback, I close

trasher avatar Feb 17 '23 11:02 trasher

This is still an issue on 10.0.7 btw. Not sure why it got trashed.

chestnutbak avatar Aug 31 '23 04:08 chestnutbak

It was closed because I did not respond in time. Issue is still present with 10.0.9, the facts are as follows:

  • Some (few) Links in GLPI reminder-mails carry at the end the mentioned string "&noAUTO=1"
  • If one is NOT already authenticated (via SSO) login-screen comes up
  • If you've already used GLPI (by calling base URLs, by calling links which do not contain "&noAUTO=1") one is authenticated, login-screen is NOT shown --> that is why it was rather hard to track the issue in daily business

kodicd avatar Sep 04 '23 06:09 kodicd

Hi,

Not really sure why this noAUTO parameter is added to notification links. If the goal is to ensure that the link will NOT be opened on a session that was not opened by the email recipient, then a better solution would be to add a uid=sha1($_SESSION['glpiID']) param to the link, and then, in the redirect process, force the logout only if the uid parameter does not match the connected user.

cedric-anne avatar Sep 14 '23 11:09 cedric-anne
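
A sketch of the uid check proposed in the comment above, as an added example that is not GLPI's code or the commenter's. The function names and `APP_LINK_KEY` are hypothetical, the token is derived from the recipient's user ID (an assumption), and HMAC-SHA256 with a server-side key is swapped in for the bare `sha1()` so the value cannot be computed from a known user ID.

```php
<?php
// Added example, not GLPI code. All names below are hypothetical.
const APP_LINK_KEY = 'constructed-demo-secret'; // assumption: per-install server-side secret

// Token binding a link to its recipient. HMAC-SHA256 replaces the bare sha1()
// from the comment so the value cannot be derived from a user ID alone.
function recipient_token(int $userId): string
{
    return hash_hmac('sha256', (string) $userId, APP_LINK_KEY);
}

// Build the notification link with uid=<token> in place of noAUTO=1.
function notification_link(string $baseUrl, string $redirect, int $recipientId): string
{
    return $baseUrl . '/index.php?' . http_build_query([
        'redirect' => $redirect,
        'uid'      => recipient_token($recipientId),
    ]);
}

// Decide what the redirect handler does with an incoming link:
//  'sso'      - no session yet: let SSO authenticate as usual
//  'continue' - session belongs to the recipient (or the link carries no uid)
//  'logout'   - session belongs to someone else: force re-authentication
function redirect_action(array $query, ?int $sessionUserId): string
{
    if ($sessionUserId === null) {
        return 'sso';
    }
    $uid = $query['uid'] ?? null;
    if (!is_string($uid)) {
        return 'continue';
    }
    // hash_equals() compares in constant time.
    return hash_equals(recipient_token($sessionUserId), $uid) ? 'continue' : 'logout';
}

// Constructed sample: a link mailed to user 42, opened in three session states.
$link = notification_link('https://glpi', 'SoftwareLicense_123', 42);
parse_str(parse_url($link, PHP_URL_QUERY), $query);
foreach ([null, 42, 7] as $sessionUser) {
    printf("%-6s => %s\n", var_export($sessionUser, true), redirect_action($query, $sessionUser));
}
```

With this shape an unauthenticated click falls through to SSO instead of the login form, and a logout is forced only when the open session belongs to a different user than the mail recipient.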

We have just migrated, and I confirm the same issue in the emails. We have links with noAUTO=1, which doesn't redirect authentication to CAS.

wixaw avatar Nov 08 '23 10:11 wixaw