Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SAML SSO behind https load balancer redirects back to http after authentication with id provider #15453

Open
2 tasks done
icelava opened this issue Sep 5, 2024 · 2 comments
Open
2 tasks done

SAML SSO behind https load balancer redirects back to http after authentication with id provider #15453

icelava opened this issue Sep 5, 2024 · 2 comments
Assignees
@uberbrady
Labels
❓ not sure if bug This issue has not been confirmed as a bug yet saml

Comments

@icelava
Copy link

icelava commented Sep 5, 2024
edited
Loading

Debug mode

Describe the bug

When we first tested out self-hosting Snipe-IT on local web server then on local Docker and Kubernetes, our SAML setup with Microsoft Entra Enterprise application worked fine when operating on plain http.

Now that we're moving to the next stage of an actual real-world production setup

Pre-flight setup, uploading and restoring backup file seemed to work fine. And the browser reload after restoration expectedly redirects to Microsoft. But on redirect back to Snipe-IT site, it times out. Turns out it was redirecting back to http://snipe-it.domain.net instead of https.

Not sure why it does this when APP_FORCE_TLS already true.

Reproduction steps

  1. SAML SSO with Entra ID Enterprise application already set up and working with previous site.
  2. Add new https URLs of target migration site to enterprise application. (Works for test http sites.)
  3. Add certificate of new site to ALB with listener rule for that host name to target group to Snipe-IT nodes.
  4. Wire up Kubernetes resources TargetGroupBinding -> Nodeport service -> Deployment/pod
  5. Access site to go through pre-flight setup.
  6. Upload backup file; restore file.
  7. Reload restored site and redirect and authenticate with Microsoft 365.
  8. Get redirected back to (non-existent) http site.
    ...

Expected behavior

Redirected back to Snipe-IT on https.

Screenshots

No response

Snipe-IT Version

v7.0.11 build 15044 (g46ed07642)

Operating System

Ubuntu

Web Server

Apache

PHP Version

8.1.2-1ubuntu2.18

Operating System

Windows 111 23H2

Browser

Firefox

Version

129.0.2

Device

No response

Operating System

No response

Browser

No response

Version

No response

Error messages

No error messages per se. Only a single log entry.

root@snipe-it-595687695-hh5zn:/var/www/html/storage/logs# cat laravel.log
[2024-09-05 16:32:19] production.WARNING: Attempting to restore user: administrator@domain.net

Additional context

No response
@snipe snipe added ❓ not sure if bug This issue has not been confirmed as a bug yet saml labels Sep 5, 2024
@icelava
Copy link
Author

icelava commented Sep 11, 2024
edited
Loading

Extra note that after we migrated our production data to a permanent infrastructure (of the same setup), I did not experience the redirect to http:// but my collleague did and he had to refresh multiple times before it'll redirect properly to https://

Don't know what's behind the inconsistent behaviour.

@stmichaelis
Copy link

Had the exact same problem with a simple Podman, Caddy as Proxy and Keycloak for SSO setup. Version 7.0.12 from yesterday seems to have fixed this. Hope it is not a race condition that reappears.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@uberbrady uberbrady

Labels
❓ not sure if bug This issue has not been confirmed as a bug yet saml
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@uberbrady @snipe @stmichaelis @icelava