Statuspage / STATUS-328

Admins clicking "View status page" on an SSO-enabled audience-specific page are not sent to their IdP


      Severity 3 - Minor

      Issue Summary

      Admins for SSO-enabled audience-specific pages are redirected to the /access/login form when clicking "View status page" inside manage.statuspage.io. 


      This appears to be related to how /access/login is deciding whether to 302 redirect to the IdP. We were able to toggle this behavior by adding or removing the _spsess cookie in the request. 

      curl --cookie '_spsess=<session_cookie>' https://jessetestaudiencespecificpage.statuspage.io/access/login -v
      < HTTP/2 200

      without:

      curl 'https://audiencespecificpage6.statuspage.io/access/login' -v
      < HTTP/2 302
      < location: <IdP redirect>

      Steps to Reproduce

      1. Have an audience-specific page set up with SSO enabled.
      2. Log in to manage.statuspage.io and go to that audience-specific page in manage.
      3. Click "View status page".

      Expected Results

      You are redirected to the page's IdP:

      1. https://audiencepage.statuspage.io/ -> 302 redirect to
      2. https://audiencepage.statuspage.io/access/login -> 302 redirect to 
      3. https://my.IdP

      Actual Results

      You are taken to the page-viewer login form and asked for username/password:

      1. https://audiencepage.statuspage.io/ -> 302 redirect to
      2. https://audiencepage.statuspage.io/access/login -> 200
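      The cookie-dependent behaviour described in the summary and in the expected/actual results above can be checked directly. The following is an added example (not Statuspage code) that requests /access/login once without and once with an _spsess cookie, never follows redirects, and reports which of the two outcomes it saw; PAGE_HOST and SESSION_COOKIE are placeholders to replace with your own page and session value.

```python
# Added example, not Statuspage's own code. Probes /access/login of an
# SSO-enabled audience-specific page with and without the _spsess cookie
# from manage.statuspage.io and classifies the pair of responses.
import http.client
from typing import Optional, Tuple

PAGE_HOST = "audiencepage.example.statuspage.io"  # placeholder hostname
SESSION_COOKIE = "<session_cookie>"                # placeholder _spsess value
LOGIN_PATH = "/access/login"

Response = Tuple[int, Optional[str]]  # (HTTP status, Location header)


def probe(host: str, cookie: Optional[str]) -> Response:
    """GET /access/login once, optionally sending _spsess, and return the
    status plus Location header without following any redirect."""
    headers = {"User-Agent": "sso-redirect-probe"}
    if cookie is not None:
        headers["Cookie"] = f"_spsess={cookie}"
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request("GET", LOGIN_PATH, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def classify(anon: Response, with_session: Response) -> str:
    """An SSO-enabled page should 302 to the IdP whether or not _spsess is
    present. 'session-dependent' is the behaviour reported in this issue."""
    anon_redirects = anon[0] == 302 and bool(anon[1])
    sess_redirects = with_session[0] == 302 and bool(with_session[1])
    if anon_redirects and sess_redirects:
        return "ok"                 # IdP redirect in both cases
    if anon_redirects and with_session[0] == 200:
        return "session-dependent"  # login form served only with _spsess
    if anon[0] == 200 and with_session[0] == 200:
        return "no-sso"             # login form served in both cases
    return "unexpected"


if __name__ == "__main__":
    anon = probe(PAGE_HOST, None)
    sess = probe(PAGE_HOST, SESSION_COOKIE)
    print(f"without _spsess: {anon[0]} {anon[1] or ''}")
    print(f"with    _spsess: {sess[0]} {sess[1] or ''}")
    print(classify(anon, sess))
```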

      Workaround

      Access the audience-specific page in an incognito window or without an active session in manage.statuspage.io. 

      Assignee: Unassigned
      Reporter: Robert (rpratt@atlassian.com)