Public bug reported:

It has been noticed that SAML authentication fails during the postResponse stage of SAML authentication; the error presented to the user is

```
Bad Request
Your browser sent a request that this server could not understand.
```

When enabling debugging of Apache2 Mellon (/etc/apache2/mods-enabled/auth_mellon.conf)

```
MellonDiagnosticsFile /var/log/apache2/mellon_diagnostics.log
MellonDiagnosticsEnable On
```

and looking in `/var/log/apache2/mellon_diagnostics.log` you can see failed requests with the following error.

```
User has disabled cookies, or has lost the cookie before returning from the SAML2 login server.
```

Upon closer inspection it is clear the `mellon-cookie` is missing, as it should be created before being redirected to the SAML IdP. However, in Google Chrome, this cookie is not being created, hence the error above. Users can manually create the cookie via developer tools; however, this is not an appropriate solution.

A temporary solution has been to edit `/etc/apache2/mods-enabled/auth_mellon.conf` with the following

```
SetEnv MELLON_DISABLE_SAMESITE 1
```

which has resolved the issue at the cost of disabling SAMESITE cookies.

This problem has been noticed after Zed upgrades and has persisted after an Antelope upgrade.

** Affects: keystone
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/2076259

Title:
  SAML authentication fails when SAMESITE cookies are used

Status in OpenStack Identity (keystone):
  New
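The report shows the symptom (Mellon's "lost the cookie" diagnostic) but not which cookie attribute is at fault. The following script is an added triage helper, not part of the bug report, of keystone or of mod_auth_mellon: it parses a `Set-Cookie` header the way a browser does and reports why Chrome would either refuse to store the cookie or withhold it on the cross-site POST that carries the SAML Response back from the IdP. The browser rules encoded are the standard ones (`SameSite=None` requires `Secure`; `Lax` and `Strict` are not attached to cross-site POSTs; an absent `SameSite` is treated as `Lax` by Chrome, with a short exemption for cookies set less than two minutes earlier, which is also the behaviour a `MELLON_DISABLE_SAMESITE 1` cookie falls back to). The sample headers are constructed; the attributes a given Mellon version actually emits must be read from a real response, for example in the browser's developer tools as the reporter did.

```python
# Added triage helper (not from the bug report or mod_auth_mellon): explain why a
# browser such as Chrome would drop a cookie at set time, or withhold it on the
# cross-site POST that returns the SAML Response from the IdP to the SP.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CookieAssessment:
    name: str
    samesite: str            # normalised: "strict", "lax", "none" or "" when absent
    secure: bool
    findings: List[str] = field(default_factory=list)

    @property
    def survives_cross_site_post(self) -> bool:
        # No findings: stored at set time and sent on the IdP's POST back to the SP.
        return not self.findings


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def assess_set_cookie(header: str, served_over_https: bool = True) -> CookieAssessment:
    """Apply the SameSite/Secure rules a browser uses to one Set-Cookie header."""
    name, _value, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    result = CookieAssessment(name=name, samesite=samesite, secure=secure)

    if secure and not served_over_https:
        result.findings.append(
            "Secure attribute on a cookie set over plain HTTP: the browser discards it")

    if samesite == "none":
        if not secure:
            # Chrome refuses SameSite=None cookies that are not also Secure, so the
            # cookie never reaches the jar: this matches "cookie is not being created".
            result.findings.append(
                "SameSite=None without Secure: Chrome rejects the cookie at set time")
    elif samesite == "strict":
        result.findings.append(
            "SameSite=Strict: never attached to a cross-site request, including the IdP's POST")
    elif samesite == "lax":
        result.findings.append(
            "SameSite=Lax: withheld on a cross-site top-level POST such as the SAML Response")
    else:
        # Absent (or unrecognised) value: Chrome applies Lax by default, but exempts
        # cookies set less than two minutes earlier from the POST restriction.
        result.findings.append(
            "No SameSite attribute: Chrome treats it as Lax, so the IdP's POST only "
            "carries it if the SP set it under two minutes earlier")
    return result


# Constructed sample headers, not captured from a real deployment.
SAMPLE_HEADERS = [
    "mellon-cookie=cookietest; Path=/; Secure; HttpOnly; SameSite=None",
    "mellon-cookie=cookietest; Path=/; HttpOnly; SameSite=None",
    "mellon-cookie=cookietest; Path=/; Secure; HttpOnly; SameSite=Lax",
    "mellon-cookie=cookietest; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        assessment = assess_set_cookie(header)
        status = "OK      " if assessment.survives_cross_site_post else "AT RISK "
        print(status + header)
        for finding in assessment.findings:
            print("         - " + finding)
```

To use it against a real deployment, paste the `Set-Cookie` value the SP returns on the redirect to the IdP (visible in the browser's network tab) into `assess_set_cookie`, and pass `served_over_https=False` if the SP is reached over plain HTTP; only a cookie with no findings will survive the postResponse round trip in Chrome.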