SimpleSAML SSO Authentication Fails on Xinet 2021.4 or later

Overview

Starting in Xinet 2021.4, SimpleSAML SSO authentication fails and users are redirected back to the main index.php login page. Replacing /usr/etc/portal/PORTAL/libs/SECURITY.obj.php with the 2021.3 version appears to resolve the invalid redirection. Reviewing the Apache HTTP error log shows that the Portal welcome message is logged (so the SAML assertion itself is accepted), followed by the PHP notices/warnings shown below:

  • [php7:notice] [pid 22336] [client 1.2.3.4] PHP Notice: [PORTAL] Welcome user 'user@domain.com', from client '1.2.3.4'. (0), SIMPLESAML.php in /usr/etc/portal/PORTAL/libs/SECURITY.obj.php on line 781, referer: https://domain.samlprovider.com/
  • [php7:notice] [pid 22336] [client 1.2.3.4] PHP Notice: Trying to access array offset on value of type null in /usr/etc/portal/PORTAL/libs/PORTAL.obj.php on line 2661, referer: https://domain.samlprovider.com/
  • [php7:warn] [pid 22336] [client 1.2.3.4] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/etc/portal/PORTAL/libs/PORTAL.obj.php on line 2666, referer: https://domain.samlprovider.com/

Solution

As part of the forced SSL security changes in Xinet 2021.4, session cookies are now set with SameSite=Strict. This is intended behavior, introduced to harden Portal site security. A feature request has been submitted for review to consider adding the ability to toggle this behavior within the Xinet UI.

Workaround

If SSO SAML authentication is required, you can use the Apache Headers module (mod_headers) to rewrite the Set-Cookie response headers so that cookies are issued with "SameSite=None", which temporarily resolves this issue.

Note: Because this behavior change was made to improve the security of Portal sites, reverting it has the potential to reduce the overall security of your site. Please discuss this with your System Administrator before proceeding with the changes below. This configuration forces the "None" value on all cookies, not only the session cookie.
  1. Edit /etc/httpd/conf/httpd.conf
  2. Add the following header config within the "Supplemental Configuration" section:
    Header onsuccess edit Set-Cookie (.*) "$1;SameSite=None"
  3. Ensure the Header module (mod_headers.so) exists in /etc/https/modules/
  4. Restart Apache:
    systemctl restart httpd
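The following is an added example, not part of the Xinet article or product code: it models what the Header edit directive above does to a Set-Cookie header and audits the result. Browsers only honour SameSite=None when the cookie also carries the Secure attribute, so the audit flags any rewritten cookie that lacks it; the cookie names and values are constructed for illustration.

```python
import re

# The directive from the workaround: Header onsuccess edit Set-Cookie (.*) "$1;SameSite=None"
APACHE_PATTERN = r"(.*)"
APACHE_REPLACEMENT = "$1;SameSite=None"

# Constructed sample headers (illustrative names/values, not taken from the product)
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "portal_pref=dark; Path=/; SameSite=Strict",
]


def apache_header_edit(value: str, pattern: str, replacement: str) -> str:
    """Approximate mod_headers 'Header edit' on one header value: a regex
    substitution of the first match only ('Header edit*' would replace all),
    with Apache's $N back-references translated to Python's \\N."""
    py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)
    return re.sub(pattern, py_repl, value, count=1)


def parse_set_cookie(value: str) -> dict:
    """Split a Set-Cookie value into its name and an attribute map. Attributes
    are processed in order, so a repeated attribute keeps its last value, which
    is how browsers resolve duplicates (RFC 6265 storage model)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.lower()] = val
    return {"name": name, "attrs": attrs}


def audit_cookie(value: str) -> dict:
    """Report the effective SameSite value and whether the cookie will actually
    be sent cross-site: SameSite=None requires Secure, otherwise browsers drop it."""
    parsed = parse_set_cookie(value)
    samesite = parsed["attrs"].get("samesite", "").capitalize() or None
    secure = "secure" in parsed["attrs"]
    return {"name": parsed["name"], "samesite": samesite, "secure": secure,
            "cross_site_ok": samesite == "None" and secure}


def apply_workaround(headers):
    return [apache_header_edit(h, APACHE_PATTERN, APACHE_REPLACEMENT) for h in headers]


def audit_all(headers):
    return [audit_cookie(h) for h in apply_workaround(headers)]


if __name__ == "__main__":
    for header, report in zip(apply_workaround(SAMPLE_HEADERS), audit_all(SAMPLE_HEADERS)):
        print(header, "->", report)
```

Note that the rewrite appends a second SameSite attribute rather than replacing the Strict one; browsers take the last value, so the result still works, but the second sample cookie is dropped by browsers because it is not marked Secure.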
