Starting in 2021.4, Simple SAML SSO authentication has begun failing, and users are redirected back to the main index.php login page. You find that replacing /usr/etc/portal/PORTAL/libs/SECURITY.obj.php with the 2021.3 version appears to resolve the invalid redirection. Reviewing the HTTP error log shows that the Portal Welcome Message is still being logged (so the SAML assertion itself is accepted), followed by the PHP notice/warnings shown below:
- [php7:notice] [pid 22336] [client 184.108.40.206] PHP Notice: [PORTAL] Welcome user 'firstname.lastname@example.org', from client '220.127.116.11'. (0), SIMPLESAML.php in /usr/etc/portal/PORTAL/libs/SECURITY.obj.php on line 781, referer: https://domain.samlprovider.com/
- [php7:notice] [pid 22336] [client 18.104.22.168] PHP Notice: Trying to access array offset on value of type null in /usr/etc/portal/PORTAL/libs/PORTAL.obj.php on line 2661, referer: https://domain.samlprovider.com/
- [php7:warn] [pid 22336] [client 22.214.171.124] PHP Warning: count(): Parameter must be an array or an object that implements Countable in /usr/etc/portal/PORTAL/libs/PORTAL.obj.php on line 2666, referer: https://domain.samlprovider.com/
As part of the forced SSL security changes in Xinet 2021.4, the session cookies are now assigned SameSite=Strict. A SameSite=Strict cookie is not sent by the browser on the cross-site request that returns the user from the SAML provider to the Portal, so the newly created session is not recognized and the user lands back on the login page. This is intended behavior for the purpose of hardening Portal site security. A feature request has been submitted for review to consider adding the ability to toggle this behavior within the Xinet UI.
If SSO SAML authentication is required, you can use the Apache headers module (mod_headers) to rewrite the session cookies and set them to "SameSite=None" as a temporary workaround.
- Edit /etc/httpd/conf/httpd.conf
- Add the following header config within the "Supplemental Configuration" section:
Header onsuccess edit Set-Cookie (.*) "$1;SameSite=None"
- Ensure the headers module (mod_headers.so) exists in /etc/httpd/modules/
- Restart Apache:
systemctl restart httpd
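To see exactly what the Header edit rule does to a 2021.4 session cookie before relying on it, here is a small Python model of the rewrite plus a check on the resulting Set-Cookie value; this is an added example, not Xinet or Apache code, and the cookie name, its value and the narrower replacement rule are my own assumptions.

```python
import re

# The rule from the workaround above, plus a narrower variant I suggest
# (assumption: the narrower rule is mine, not taken from the article).
APPEND_RULE = (r"(.*)", "$1;SameSite=None")
REPLACE_STRICT_RULE = (r"^(.*)SameSite=Strict(.*)$", "$1SameSite=None$2")


def apply_header_edit(value, pattern, replacement):
    """Model Apache `Header edit`: the regex is applied once to the header
    value (first match only) and $N in the replacement is capture group N."""
    py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)
    return re.sub(pattern, py_repl, value, count=1)


def audit_set_cookie(value):
    """Report what a browser will see on one Set-Cookie value.

    Browsers only accept SameSite=None on a cookie that also carries Secure;
    a cookie with two SameSite attributes is parsed per RFC 6265 (the last
    occurrence wins), so the append rule works, but it is flagged here so
    the administrator can tidy it with the narrower rule if preferred.
    """
    attrs = [a.strip() for a in value.split(";")[1:]]
    samesite = [a.split("=", 1)[1] for a in attrs if a.lower().startswith("samesite=")]
    secure = any(a.lower() == "secure" for a in attrs)
    return {
        "samesite": samesite,
        "secure": secure,
        "duplicate_samesite": len(samesite) > 1,
        "usable_cross_site": bool(samesite) and samesite[-1] == "None" and secure,
    }


if __name__ == "__main__":
    # Constructed 2021.4-style session cookie (cookie name and value are samples).
    strict = "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"
    for rule in (APPEND_RULE, REPLACE_STRICT_RULE):
        edited = apply_header_edit(strict, *rule)
        print(edited, audit_set_cookie(edited))
```

After restarting Apache, the same check can be run on the real Set-Cookie header returned by the Portal login page to confirm that Secure and SameSite=None are both present.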