- Bug
- Resolution: Unresolved
- Low
- None
- 4
- Severity 3 - Minor
Issue Summary
Admins for SSO-enabled audience-specific pages are redirected to the /access/login form when clicking "View status page" inside manage.statuspage.io.
This appears to be related to how /access/login is deciding whether to 302 redirect to the IdP. We were able to toggle this behavior by adding or removing the _spsess cookie in the request.
curl --cookie '_spsess=<session_cookie>' https://jessetestaudiencespecificpage.statuspage.io/access/login -v
< HTTP/2 200
without:
curl 'https://audiencespecificpage6.statuspage.io/access/login' -v
< HTTP/2 302
< location: <IdP redirect>
Steps to Reproduce
- Have an audience-specific page set up with SSO enabled.
- Log in to manage.statuspage.io and go to that audience-specific page in manage.
- Click "View status page".
Expected Results
You are redirected to the page's IdP:
- https://audiencepage.statuspage.io/ -> 302 redirect to
- https://audiencepage.statuspage.io/access/login -> 302 redirect to
- https://my.IdP
Actual Results
You are taken to the page-viewer login form and asked for username/password:
- https://audiencepage.statuspage.io/ -> 302 redirect to
- https://audiencepage.statuspage.io/access/login -> 200
Workaround
Access the audience-specific page in an incognito window or without an active session in manage.statuspage.io.
- is blocked by: SPSP-25448
- relates to: STSPG-10788, STSPG-10812