SSO does not work with Secure pages

sukr_s - October 6, 2009 - 05:57
Project: Single sign on
Version: 6.x-1.0-rc1
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: postponed (maintainer needs more info)
Description

On sites using SSO, if you use Secure Pages and configure it to use SSL for admin/*, it always gives an access denied error and you cannot use the admin anymore. The browser shows the following URL:

http://site2/singlesignon/claim?nonce=c1182da1672514f0&origin=https%3A/%....

If you try to log on, you get the following error:

user warning: Data too long for column 'referer' at row 1 query: INSERT INTO watchdog (uid, type, message, variables, severity, link, location, referer, hostname, timestamp) VALUES (1, 'access denied', 'user/login', 'N;', 4, '', 'https://sso/user/login?origin=http%3A%2F%2Fsite2%3Fnonce%3Dc1182da1672514f0%26origin%3Dhttps%253A%252F%25252Fsite2%252Fadmin%252Fcontent%252Fnode%26request_id%3D24e7e440c4e17aaf%26auth%3D106c954f86867453bca30541&auth=775ba480229e92182538102b', 'http://site2/singlesignon/claim?nonce=c1182da1672514f0&origin=https%3A/%252Fsite2/admin/content/node&request_id=24e7e440c4e17aaf&auth=106c954f86867453bca30541', '127.0.0.1', 1254808402) in ...\modules\dblog\dblog.module on line 144.

Will this issue be fixed?
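
An added diagnostic, not code from the SSO or Secure Pages modules: it takes the referer URL from the watchdog error above, decodes the `origin` parameter once as a query-string parser does, and checks whether the result is still an absolute http(s) URL that a redirect could use. The function names and the control URL are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Referer copied from the watchdog error in this issue.
REPORTED = ("http://site2/singlesignon/claim?nonce=c1182da1672514f0"
            "&origin=https%3A/%252Fsite2/admin/content/node"
            "&request_id=24e7e440c4e17aaf&auth=106c954f86867453bca30541")

# Constructed control: the same origin, percent-encoded exactly once.
CONTROL = ("http://site2/singlesignon/claim?nonce=c1182da1672514f0"
           "&origin=https%3A%2F%2Fsite2%2Fadmin%2Fcontent%2Fnode")


def is_absolute_http(url):
    """True only if the URL has an http(s) scheme and a host part."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def inspect_origin(claim_url, max_rounds=5):
    """Report how the origin parameter of a claim URL decodes."""
    query = parse_qs(urlsplit(claim_url).query, keep_blank_values=True)
    if "origin" not in query:
        return None
    received = query["origin"][0]      # value after the single normal decode
    recovered, rounds = received, 0
    while rounds < max_rounds:         # peel any leftover encoding layers
        peeled = unquote(recovered)
        if peeled == recovered:
            break
        recovered, rounds = peeled, rounds + 1
    return {
        "received": received,
        "usable": is_absolute_http(received),
        "extra_decodes": rounds,
        "recovered": recovered,
        "recovered_usable": is_absolute_http(recovered),
    }


if __name__ == "__main__":
    for label, url in (("reported", REPORTED), ("control", CONTROL)):
        print(label, inspect_origin(url))
```

For the reported URL the once-decoded origin has a scheme but no host, because one slash is still percent-encoded; the control decodes cleanly with no leftover layers.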

#1

meba - October 13, 2009 - 10:07

I just tried SSO with https and it works. Let me install Secure pages and we will see.

#2

meba - October 13, 2009 - 10:17
Status: active » postponed (maintainer needs more info)

I really didn't find any problem with Secure Pages.

Just configure your controller site to use HTTPS, then on your client sites, set up SSO to use https:// for the controller. That will make sure that anytime you log in, it's going to be transferred securely. SSO Controller redirected me back to http://client, then I went to http://client/admin and got redirected to https://client/admin - no problem.

Can you please try to describe it a little bit further?

#3

sukr_s - October 25, 2009 - 14:31

Sorry that I didn't get a chance to give you more info. This is how you can reproduce the problem.

1. Log on to the client site (site2), changed the URL to https://site1 (site1 is the controller)
2. Changed the $base_url in settings.php for controller site to https://site1
3. Enabled Secure Pages on site2
4. Choose the following configuration for Secure Pages under admin/build/securepages
   a. Enable the secure pages
   b. Choose "Switch back to http pages when there are no matches"
   c. Provide non-secure URL (http://site2) and secure URL (https://site2)
   d. Select only user/* and admin* for "make secure only the listed pages"
   e. Save configuration.
5. After this, click on "administer" in site2 and the following error occurs:

http://site2/singlesignon/claim?nonce=d0a53a473871d80b&origin=https%3A/%...

After this the admin URL is not accessible at all. The only way is to disable the securepages module in the database.

#4

meba - October 25, 2009 - 15:06

I think this might be a problem in Secure Site rather than SSO. I don't have time to investigate it right now, I'll get back to it later.

#5

sukr_s - October 28, 2009 - 18:02
Project: Single sign on » Secure Pages
Version: 6.x-1.0-rc1 » 6.x-1.8

Hello,
The shared sign on is not recommended by the security team and the recommended one is the SSO project. However, Secure Pages does not work well with this. See above (http://drupal.org/node/596918) for more details on how to reproduce the problem. Any chance to fix this, since SSO is the future?
Thanks

#6

sukr_s - November 23, 2009 - 07:31
Project: Secure Pages » Single sign on
Version: 6.x-1.8 » 6.x-1.0-rc1