Epic to link all support issues located in Dev projects (SUP-12)

[MODLOGSAML-69] No valid subject assertion found in response SSO
Created: 03/Aug/20  Updated: 05/Aug/20  Resolved: 04/Aug/20

Status: Closed
Project: mod-login-saml
Components: None
Affects versions: None
Fix versions: None
Parent: Epic to link all support issues located in Dev projects

Type: Bug
Priority: P2
Reporter: Anya
Assignee: Unassigned
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Attachments: File Log in - FOLIO - Google Chrome 2020-08-03 11-02-29_Trim.mp4    
Issue links:
Relates
relates to MODLOGSAML-70 Periodically recreate SAML clients Open
relates to MODLOGSAML-71 Login via SSO possible even after dec... Closed
Sprint:
Affected Institution: Chalmers
Epic Link: Epic to link all support issues located in Dev projects

 Description   

Steps to reproduce:
1. Go to chalmers.folio.ebsco.com
2. Click Log in via SSO to sign in as a staff user
3. On the Chalmers login page, log in with your credentials

Expected result: I am redirected to the FOLIO landing page, where I can see my apps and start working.

Actual result: I am redirected to a blank page with only the text "No valid subject assertion found in response". Further details: I tested this a few times (in incognito mode). Some of the times the "No valid subject assertion found in response" message showed up after the Chalmers login page, as stated above, sometimes just after I had clicked Log in via SSO. Every time I was able to get past the error page and on into FOLIO by refreshing the page one or two times. When I got the error message, I also noted a failed POST request in developer tools. I'll attach an image of that later. In dev tools, I noted that the error message comes from a failed POST request to https://okapi-chalmers.folio.ebsco.com/_/invoke/tenant/fs00001000/saml/callback. Will add more details about that in a comment. See attached screencast for a full walkthrough of the steps.

Interested parties: Lisa Sjögren

Could be related to: https://folio-org.atlassian.net/browse/MODLOGSAML-28



 Comments   
Comment by Anya [ 03/Aug/20 ]

Anton Emelianov- could we have library priority added to this - and it is high

Comment by Anton Emelianov (Inactive) [ 03/Aug/20 ]

Anya, the "Customer Priority" field has been added to the UX project and I set it to "Important" which is 1 below "Critical". Why are you creating this bug in the UX project?

Comment by Anya [ 03/Aug/20 ]

Changed the project to Mod-log-saml

Comment by Craig McNally [ 04/Aug/20 ]

I was able to reproduce this on the Chalmers site only. I do not see the issue when using folio-testing/ssocircle for example.

At the request of Lisa Sjögren I'm moving part of a conversation here for additional context and continuing the conversation here.

Craig McNally
Has anything changed recently, either on the IdP or FOLIO side?

Lisa Sjögren
The Chalmers SSO service had some kind of emergency certificate change about a few weeks ago, that apparently caused some temporary login problems. Unfortunately I don't know the details, as I was on vacation at the time (and those who were there are on vacation now).
The most recent change to FOLIO that I can think of is the upgrade to Fameflower back in May. I suspect if that had been the cause of this we would have noticed it earlier, since everyone typically has to log in again after an upgrade.

Comment by Craig McNally [ 04/Aug/20 ]

emergency certificate change about a few weeks ago, that apparently caused some temporary login problems

Lisa Sjögren where can I get more detail on this?

Comment by Craig McNally [ 04/Aug/20 ]

Hearing that, my gut reaction is that FOLIO is unable to verify the message signature, or decrypt the saml assertion. What's confusing to me is that if there was a change that required us to update the keystore in FOLIO, why does it work when you refresh the page after getting this error... I'm beginning to wonder if there's more than just one issue here.

Comment by Lisa Sjögren [ 04/Aug/20 ]

Craig McNally This is all the information I have right now, from Lari Kovanen who is currently on vacation (my translation): "FOLIO needs to refetch the metadata from Chalmers SSO since it has changed its certificate. I tried to trigger this by editing the SSO config, which did not solve the problem so we'll need to contact support about this."

Another colleague who is now also on vacation told me that the above problem had been resolved, but I don't know how or which support (if any) was contacted about it.

Comment by Lisa Sjögren [ 04/Aug/20 ]

Interesting! It's like a Kinder egg of issues.
I'll see if I can dig out some more info about the signature change.

Comment by Craig McNally [ 04/Aug/20 ]

Right, I'm thinking that we need to regenerate the SP metadata on the FOLIO side and then update the IdP with this new metadata. I can only do the first part. I'll need help from someone at Chalmers for the 2nd part.

Comment by Craig McNally [ 04/Aug/20 ]

Let me try restarting the module... that might be enough, though I kinda doubt it.

Comment by Craig McNally [ 04/Aug/20 ]

OK that actually seems to have worked. I can no longer reproduce this problem.

I'm still a little concerned that a refresh after the error succeeded.

Comment by Anya [ 04/Aug/20 ]

Restart cleared the issue.

Comment by Craig McNally [ 04/Aug/20 ]

Lisa Sjögren assigning to you and moving to review status... Please verify this has been resolved. If so we can close it.

Comment by Craig McNally [ 04/Aug/20 ]

oh, never mind, I see it's already closed

Comment by Lisa Sjögren [ 05/Aug/20 ]

Ok, great!

I actually had trouble reproducing it already yesterday (before you restarted the module), figured maybe there was some incognito mode-surpassing browser-level caching going on that sort of let me bypass the problem. (Had only tried Chrome and Firefox, so was going to test it in Edge today – unfortunately the login page didn't load at all in there....:'D )

I'll keep my fingers crossed that the restart did the trick, and ask my colleagues – a lot of whom will be forced to log in anew after vacation – to let us know if the issue reappears.
