Task #3619
closed
logging into wiki requires manual approval of SSO account?
Added by Kyle Sorkness over 2 years ago.
Updated over 2 years ago.
Description
I have a new (created yesterday) TDF SSO account.
Clicking "Log in" on the wiki took me to https://auth.documentfoundation.org/saml/singleSignOn?SAMLRequest=pZL[...], which displayed the error message "A required attribute is not available" and which did not log me into the wiki.
It was only after requesting and receiving manual approval for my SSO account to work with Redmine that I noticed I am now able to log into the wiki as well.
Is that intentional? If so, would it be possible for such failed log-in attempts to provide a note, like the one provided when trying to log into Redmine without manual approval, explaining that one must request manual approval and how to do so?
[I'm not sure whether to categorize this as "Single Sign-On" or "Wiki" and so am leaving uncategorized.]
- Status changed from New to Closed
- Assignee set to Guilhem Moulin
No it doesn't. Access is granted automatically, but there can be a slight delay during which the account isn't granted access yet. So depending on the outcome of the race condition folks who try to log in too quickly might have to relogin or wait for the session to expire. This a known issue but low-ish priority for the moment.
Thanks for the clarification.
Just for reference, in case this is useful for anyone to know: That "slight delay" for me was about 24 hours. (Created SSO account around 19:12 UTC yesterday. Successfully logged into wiki for first time, after many failed attempts, around 19:30 UTC today. That successful log in came just minutes after my SSO account was manually approved for Redmine. I had unsuccessfully tried logging into the wiki as recently as probably just about 10 minutes before my account was manually approved for Redmine, making me think the two were connected. And I had tried logging out and back into my SSO account multiple times today, including shortly before the Redmine approval, without that making any difference to my wiki-login attempts. But, given what you've said, this must have just been a wild coincidence or—more likely!—something else I was doing incorrectly, then.)
That "slight delay" for me was about 24 hours.
Ah no these 24h is the lifetime of the session, you would have managed to authenticate sooner if you had logged out from SSO, restarted your browser, or removed the cookie — but of course I agree it's not obvious…
What I was referring by “slight delay” is the time during which the race condition might end up one way of the other, and that's ~2min IIRC. In other words, if you try to sign in to the wiki at least 2min after signing to SSO you should be safe, otherwise you might have to manually logout or wait for the session to expire. Sorry for the inconvenience.
Also available in: Atom
PDF