Bad redirection after SSO login

Moderator: crythias

Locked
swicsk
Znuny Version: 6.5.11 LTS
Real Name: Cyriaque

Post by swicsk »

Hello,

Znuny 6.5.11 LTS here with Apache Mellon as SSO module (IDP is RedHat SSO/Keycloak).

I'm having an issue when a user is not logged in and is trying to reach a specific page (let's say AgentTicketZoom to read a ticket for instance).
Once SSO is done, Znuny does not redirect to the right page but to the homepage.

Let's break it down:

1. Agent opens:

Code:

GET https://ZNUNY/otrs/index.pl?Action=AgentTicketZoom;TicketID=2944977

2. Znuny returns a redirection to:

Code:

GET https://ZNUNY/otrs/index.pl?Action=PreLogin&RequestedURL=Action=AgentTicketZoom;TicketID=2944977

3. ...which calls CommonJS, which triggers:

Code:

POST https://ZNUNY/otrs/index.pl

Arguments contain:

Code:

"Action": "Login",
"RequestedURL": "Action=AgentTicketZoom;TicketID=2944977"

4. At this moment, a redirection is returned and the SSO procedure starts. Note the "Reason=LoginFailed" at this point:

Code:

GET https://ZNUNY/sso/login?ReturnTo=/otrs/index.pl?Reason=LoginFailed&RequestedURL=Action%3DAgentTicketZoom%3BTicketID%3D2944977

5. IDP checks the SAML request:

Code:

GET https://IDP/auth/realms/REALM/protocol/saml?SAMLRequest=<payload>

Arguments contain:

Code:

RelayState: /otrs/index.pl?Reason=LoginFailed

6. Agent now authenticates itself.

7. IDP now redirects to

Code:

POST https://ZNUNY/sso/postResponse

Payload contains:

Code:

RelayState: /otrs/index.pl?Reason=LoginFailed

8. Now Znuny redirects to:

Code:

GET https://ZNUNY/otrs/index.pl?Reason=LoginFailed

The agent now lands on the homepage and not /otrs/index.pl?Action=AgentTicketZoom;TicketID=2944977 as required.

My question is: why is Znuny returning the "Reason=LoginFailed" and how can I force the good redirection after SSO?

Thank you very much for your help.

Additional information:

/opt/otrs/Kernel/Config.pm

Code:

$Self->{'AuthModule'}  = 'Kernel::System::Auth::HTTPBasicAuth';
$Self->{'AuthModule1'} = 'Kernel::System::Auth::LDAP';
$Self->{'LoginURL'} = '/sso/login?ReturnTo=/otrs/index.pl';
$Self->{'LogoutURL'} = '/sso/logout?ReturnTo=/';

/etc/apache2/conf-enabled/mellon.conf

Code:

SetEnv MELLON_DISABLE_SAMESITE 1

# Global Mellon configuration.
<Location />
	MellonEnable info
	MellonEndpointPath /sso
	MellonSPPrivateKeyFile /etc/apache2/mellon/client-private-key.pem
	MellonSPCertFile /etc/apache2/mellon/client-cert.pem
	MellonSPMetadataFile /etc/apache2/mellon/sp-metadata.xml
	MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
	#MellonMergeEnvVars On
	MellonUser NAME_ID
	MellonSetEnvNoPrefix REMOTE_USER NAME_ID
</Location>

# Guard web interface only.
<Location /(znuny|otrs)/index.pl>
	AuthType Mellon
	MellonEnable auth
	Require valid-user
	MellonPostReplay On
	MellonSecureCookie On
	MellonDefaultLoginPath "/otrs/index.pl"
	MellonCookieSameSite none
</Location>
paulfolkers
Znuny Version: 7.1.3
Real Name: Paul Folkers
Company: IT.WESER-EMS

Re: Bad redirection after SSO login

Post by paulfolkers »

Hi Cyriaque,

I have not yet used Mellon with Apache, so I can't give you any qualified information on this.
But the first thing I would probably check are the following config options:

Config.pm:

Code:

$Self->{'LoginURL'} = '/sso/login?ReturnTo=/otrs/index.pl';

and

mellon.conf:

Code:

MellonDefaultLoginPath "/otrs/index.pl"

Maybe you could try to comment out these options and see what happens.
For Config.pm you could also try to remove the "ReturnTo" string in the LoginURL, to make sure it doesn't redirect on every login. I'm not 100% sure how this option works, I usually don't use it in customer projects with Kerberos SSO.

Probably you should change them one by one for testing - not both at one time.


Best Regards!
Founder of IT.WESER-EMS (open source-focused IT-consulting) in Oldenburg, Northern Germany.
Dedicated to Znuny, GLPI and CheckMK 8)

Znuny consulting & development via IT.WESER-EMS
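
Splitting the step 4 URL from the first post at its query separators shows that the unencoded `&` ends the `ReturnTo` value, which is consistent with the RelayState seen in steps 5 and 7. This is an added example, not code from the thread, Znuny or mod_auth_mellon; `build_login_url` is a hypothetical helper that shows a fully percent-encoded `ReturnTo` for comparison, and how Znuny assembles the URL is not shown on the page.

```python
from urllib.parse import urlsplit, parse_qs, quote

# URL observed in step 4 of the first post (host placeholder "ZNUNY" as posted).
STEP4_URL = (
    "https://ZNUNY/sso/login?ReturnTo=/otrs/index.pl?Reason=LoginFailed"
    "&RequestedURL=Action%3DAgentTicketZoom%3BTicketID%3D2944977"
)
# RelayState observed in steps 5 and 7 of the first post.
OBSERVED_RELAY_STATE = "/otrs/index.pl?Reason=LoginFailed"
# Page the agent originally asked for (step 1), as a local path.
WANTED = "/otrs/index.pl?Action=AgentTicketZoom;TicketID=2944977"


def split_login_query(url):
    """Return the query parameters of the SSO login endpoint as a dict.

    Everything after the first "?" is the query; it is split on "&" first
    and percent-decoded afterwards, so a raw "&" always starts a new parameter.
    """
    query = urlsplit(url).query
    return {name: values[0] for name, values in parse_qs(query).items()}


def build_login_url(login_endpoint, return_path):
    """Hypothetical helper: carry the whole return URL inside ReturnTo."""
    # Only accept a local absolute path, so the return target stays on this host.
    if not return_path.startswith("/") or return_path.startswith("//"):
        raise ValueError("ReturnTo must be a local absolute path")
    # safe="" also encodes "/", "?", "=", ";" and "&" inside the value.
    return f"{login_endpoint}?ReturnTo={quote(return_path, safe='')}"


if __name__ == "__main__":
    observed = split_login_query(STEP4_URL)
    print("ReturnTo as posted    :", observed["ReturnTo"])
    print("separate parameter    :", observed["RequestedURL"])
    print("matches RelayState    :", observed["ReturnTo"] == OBSERVED_RELAY_STATE)

    encoded = build_login_url("https://ZNUNY/sso/login", WANTED)
    print("encoded login URL     :", encoded)
    print("ReturnTo when encoded :", split_login_query(encoded)["ReturnTo"])
```
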