- Bug
- Resolution: Unresolved
- Low
- None
- 7.13.3, 8.5.4
- None
- 7.13
- 8
- Severity 3 - Minor
- 3
Issue Summary
We are facing an issue when a user has a bookmarked page (Jira admin pages, e.g. https://<base-url>/secure/admin/ViewApplicationProperties.jspa) and directly launches the bookmarked URL: we see a redirection between the sign-on URL and the Jira URL. This redirection keeps going in a loop. The only way to come out of it is by closing the browser.
Note: Disabling websudo does not solve the loop.
Use Case: Admin users sometimes need to sign in with a non-admin user account for test purposes. Eventually, an admin page may be incorrectly accessed, resulting in a loop solved only by closing the browser.
Steps to Reproduce
1. SAML enabled:
   - We used OneLogin and SSO 2.0 on Jira
   - Jira Internal Directory
   - We created a domain on https://www.onelogin.com/developer-signup
   - We set a username matching Jira's username (NameID as Username)
2. Bookmark a URL from the admin secure section, for instance the user management page at http://<jira base URL>/secure/admin/user/UserBrowser.jspa
3. Open a new incognito browser window and sign in using a non-admin user
4. Copy and paste the URL bookmarked in step 2
Expected Results
- Permission denied error message, landing on the user dashboard page, or
- Permission denied error message, landing on the login page with the URL cleaned
Actual Results
- There is a redirection between the sign-on URL and the Jira URL. This redirection keeps going in a loop.
- We can observe the following sequence of URLs:
  1. http://<jira base URL>/login.jsp?permissionViolation=true&os_destination=%2Fsecure%2Fadmin%2Fuser%2FUserBrowser.jspa%3F&page_caps=&user_role=ADMIN
  2. http://<jira base URL>/plugins/servlet/sso-logout
  3. http://<jira base URL>/login.jsp?permissionViolation=true&os_destination=%2Fsecure%2Fadmin%2Fuser%2FUserBrowser.jspa%3F&page_caps=&user_role=ADMIN
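As an added diagnostic example (not part of the original report), the following Python detects the redirect cycle in a captured sequence of request URLs, such as one exported from browser developer tools or a proxy, and recovers the restricted admin page from the os_destination parameter. The sample sequence is constructed from the URLs quoted above; the host name is a placeholder.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of the requests a browser emits during the loop,
# modelled on the URLs quoted in Actual Results (placeholder host).
LOGIN = ("http://jira.example.invalid/login.jsp?permissionViolation=true"
         "&os_destination=%2Fsecure%2Fadmin%2Fuser%2FUserBrowser.jspa%3F"
         "&page_caps=&user_role=ADMIN")
LOGOUT = "http://jira.example.invalid/plugins/servlet/sso-logout"
OBSERVED = [LOGIN, LOGOUT, LOGIN, LOGOUT, LOGIN]

def normalize(url):
    """Path plus sorted query string, so the same request is recognised
    regardless of host or parameter order."""
    parts = urlsplit(url)
    query = "&".join(sorted(parts.query.split("&"))) if parts.query else ""
    return parts.path + ("?" + query if query else "")

def find_redirect_loop(urls, min_repeats=2):
    """Return (cycle, repeats) for the shortest request cycle that repeats at
    least min_repeats times back to back, or None if the sequence does not loop."""
    keys = [normalize(u) for u in urls]
    n = len(keys)
    for length in range(1, n // min_repeats + 1):
        for start in range(0, n - length * min_repeats + 1):
            pattern = keys[start:start + length]
            repeats, pos = 1, start + length
            while pos + length <= n and keys[pos:pos + length] == pattern:
                repeats += 1
                pos += length
            if repeats >= min_repeats:
                return pattern, repeats
    return None

def restricted_destination(urls):
    """Decode os_destination from the first permissionViolation login redirect:
    the admin page the non-admin session keeps being bounced from."""
    for u in urls:
        parts = urlsplit(u)
        qs = parse_qs(parts.query)
        if parts.path.endswith("/login.jsp") and qs.get("permissionViolation") == ["true"]:
            return qs.get("os_destination", [""])[0].rstrip("?")
    return None

if __name__ == "__main__":
    print("loop:", find_redirect_loop(OBSERVED))
    print("restricted page:", restricted_destination(OBSERVED))
```

A capture that matches the expected behaviour (one login redirect followed by the dashboard) yields no cycle, which makes the function usable as a pass/fail check after applying a fix.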
Workaround
- Close the browser to interrupt the loop
- Edit the bookmark, removing the restricted page
Relates to: CONFSERVER-79249 SAML Single Sign on URL redirection in loop issue for non-authorized pages
Status: Gathering Impact