Resolution: Won't Fix
Affects Version/s: 7.0.0 DXP FP17, 7.0.X, Master
Fix Version/s: None
Component/s: Application Security > Token SSO
Steps to reproduce:
- Enable Token Based SSO, switch "Token Location" to COOKIE
- Run from cmd: curl -i 'localhost:8080/?redirect=/sm_test' -H 'Cookie: SM_USER=firstname.lastname@example.org;'
- Run from cmd: curl -i 'localhost:8080/?redirect=/sm_test' -H 'Cookie: SM_USER=test;'
Expected result: one of the requests should succeed (HTTP 302 redirect)
Actual result: Two error messages in logs
Workaround: Set authentication mode to Screen Name instead of Email Address (Control Panel -> Configuration -> Instance Settings -> Authentication -> General)
Token-based SSO works with Request Header token but not with Cookie token.
Steps to reproduce:
- Prepare an Apache environment (in my case a win7 virtual machine)
- In the Apache machine's "hosts" file, add the proper IP and host name of your host computer
- Add the following configuration in Apache's "httpd.conf"
- Start Apache
- On the host computer, add the IP and domain of your Apache machine to the "hosts" file
- Prepare a clean DXP bundle
- Set the following "portal-ext.properties"
- Start the bundle
- Sign in with the omniadmin user
- Go to Control Panel > Configuration > System Settings > search for "SSO" > Token Based SSO
- Make sure Token Location is set to REQUEST HEADER
- Click on Enable and Save
- Sign Out
- Note that you're automatically signed in, because Apache is feeding the SM_USER token in the request header and Token Based SSO is picking it up
- Go to Token Based SSO again
- Change Token Location to Cookie and Save
- Sign out
- Note that you're successfully signed out
- In Apache's configuration, comment out RequestHeader and add a cookie token header
- Restart Apache
- Go back to the browser and reload the home page
- Note that we're not auto-signed in!
- With "Inspector", "Firebug" etc., check that the SM_USER cookie exists and holds the admin's email address
Actual result: Cookie-based authentication is not picking up the token and signing the user in
Expected result: Cookie-based authentication picks up the cookie and the user is auto-signed in