
yahoo-eng-team team mailing list archive

[Bug 2076259] [NEW] SAML authentication fails when SAMESITE cookies are used


Public bug reported:

It has been noticed that SAML authentication fails during the
postResponse stage of SAML authentication; the error presented to the
user is

```
Bad Request
Your browser sent a request that this server could not understand.
```

When enabling debugging of Apache2 Mellon (`/etc/apache2/mods-enabled/auth_mellon.conf`)

```
MellonDiagnosticsFile /var/log/apache2/mellon_diagnostics.log
MellonDiagnosticsEnable On
```

and looking in `/var/log/apache2/mellon_diagnostics.log` you can see
failed requests with the following error.

```
User has disabled cookies, or has lost the cookie before returning from the SAML2 login server.
```

Upon closer inspection it is clear the `mellon-cookie` is missing as it
should be created before being redirected to the SAML IdP. However, in
Google Chrome, this cookie is not being created hence the error above.

Users can manually create the cookie via developer tools, however this
is not an appropriate solution. A temporary solution has been to edit
`/etc/apache2/mods-enabled/auth_mellon.conf` with the following:

```
SetEnv MELLON_DISABLE_SAMESITE 1
```

This has resolved the issue at the cost of disabling SAMESITE cookies.

This problem has been noticed after Zed upgrades and has persisted after an Antelope upgrade.

** Affects: keystone
     Importance: Undecided
         Status: New
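A diagnostic check for the missing-cookie symptom described in the report, added here as an example (it is not part of the bug report or of mod_auth_mellon): it classifies the `Set-Cookie` header the SP emits before redirecting to the IdP according to Chrome's SameSite rules, since the HTTP-POST return from the IdP is a cross-site top-level POST. The header values are constructed; `mellon-cookie` is the cookie name from the report.

```python
"""Classify the SP session cookie set before a SAML redirect under Chrome's
SameSite rules. The IdP returns the user with a cross-site top-level POST
(HTTP-POST binding), so the cookie must be one the browser both stores and
sends on such a request. Added example, not mod_auth_mellon code."""
from http.cookies import SimpleCookie

# Verdicts: OK, REJECTED (browser refuses to store the cookie),
# NOT_SENT (stored but withheld on the cross-site POST), FRAGILE, MISSING.
def classify_cookie(set_cookie_headers, name="mellon-cookie"):
    """Return (verdict, reason) for the named cookie among Set-Cookie values."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses value plus Path/Secure/HttpOnly/SameSite
        if name in jar:
            morsel = jar[name]
            break
    else:
        return "MISSING", f"no Set-Cookie for {name!r}"

    samesite = (morsel["samesite"] or "").lower()
    secure = bool(morsel["secure"])
    if samesite == "none":
        if not secure:
            # Chrome drops SameSite=None cookies that lack Secure entirely.
            return "REJECTED", "SameSite=None without Secure is not stored by Chrome"
        return "OK", "SameSite=None; Secure is sent on the cross-site POST from the IdP"
    if samesite == "strict":
        return "NOT_SENT", "SameSite=Strict cookies never accompany cross-site requests"
    if samesite == "lax":
        return "NOT_SENT", "SameSite=Lax cookies are not sent on cross-site POST"
    # No SameSite attribute: Chrome defaults to Lax but still sends cookies
    # younger than two minutes on top-level cross-site POSTs ("Lax+POST").
    return "FRAGILE", "no SameSite attribute: sent only if the IdP round trip takes under two minutes"

if __name__ == "__main__":
    # Constructed headers, not captured from a real deployment.
    samples = [
        ["mellon-cookie=abc123; Path=/; Secure; HttpOnly; SameSite=None"],
        ["mellon-cookie=abc123; Path=/; HttpOnly; SameSite=None"],
        ["mellon-cookie=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
        ["mellon-cookie=abc123; Path=/; Secure; HttpOnly"],
        ["other=1; Path=/"],
    ]
    for headers in samples:
        verdict, reason = classify_cookie(headers)
        print(f"{verdict:9} {headers[0]!r}: {reason}")
```

Run it against the `Set-Cookie` header captured from the SP's redirect response (browser developer tools or `curl -i`) to see whether the cookie was rejected at set time or withheld on the return POST.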

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2076259
