Redirection Back to Application URL #7

Open
breagan1983 opened this issue Jul 14, 2017 · 7 comments

Comments

@breagan1983

Hi-

Attempting to make Crowd v2.12.0 (Build:#751) and this plugin work with the current versions of Confluence, JIRA, and BitBucket.

I seem to have this plugin working to the extent that I can:

  • Go to Confluence login page with link to crowdUrl/crowd/plugins/servlet/ssocookie?redirectTo=dashboard.action
  • That URL responds with a 302 to our IdP generating the SAML request, and giving a 302 to our login page with a jsessionid included in the URL, which I'll call JID#1
  • I auth against the IdP successfully, which responds with a 302 to crowdUrl/Shibboleth.sso/SAML2/POST
  • That POST URL responds with a 302 back to ssocookie?redirectTo=dashboard.action
  • That URL then responds with a 301 to ssocookie;jsessionid=JID#2?redirectTo=dashboard.action. Please note this jsessionid is different than the first one; not sure if that makes any difference
  • Browser then follows that 301, and gets returned a 404 by Tomcat, with an error of:
    The requested resource is not available

Here's the interesting thing.... I can then go to the confluence URL and I have an active session.

Couple of the causes I can certainly imagine are:

  • This plugin states it's not compatible beyond 2.7 or 2.8 due to breaking API changes
  • I'm new to Atlassian products and I'm doing my 'redirectTo's wrong.
  • Something else?

There are no WARNs or ERRORs listed in atlassian-crowd.log. I'm also not seeing anything in the shib logs.

I'll continue to research this and see if I can make it work. Seems like if I can resolve this issue, I'll have a successful instance of Crowd 2.12.0 & Shibd/NGINX working with latest revisions of the other Atlassian products. Hoping to get this online, and contribute my notes of getting it online for others. Thanks to all for any help you might provide.


@erkkiaalto

erkkiaalto commented Jul 17, 2017

IMHO there seems to be a problem only with the redirect URL. We have also had various problems with it. We are using a short PHP script to ensure it is correct:

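// Destination the user originally asked for (a path or a full URL).
$target = $_GET['url'];
$expire = time()+60608;
// Marker cookie: this user authenticated through Shibboleth.
setcookie("crowd_shib_user","YES",$expire);
// No "//" in the value means it is a relative path: prefix the wiki host.
$test = stristr($target, "//");
if ($test=="") $target="https://wiki.helsinki.fi".$target;
// Force https and drop dashboard.action from the destination.
$target = str_ireplace("http:","https:",$target);
$target = str_ireplace("dashboard.action","",$target);
// Encoded twice: the value is nested inside two query parameters (target= and redirectTo=).
$target = urlencode($target);
$target = urlencode($target);
header("LOCATION:"."https://crowd.it.helsinki.fi/Shibboleth.sso/HYLogin?target=https://crowd.it.helsinki.fi/crowd/plugins/servlet/ssocookie?redirectTo=$target");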

(The cookie is set to show the user has authenticated with Shibboleth, local accounts are also possible)
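
As an added example (not part of the thread, and not the poster's or the plugin's code): a variant of the redirect helper that builds the same nested URL but checks the destination host before using it. The allowlist, the fallback destination and the function names are assumptions; the host names and handler paths are the ones in the script above.

```php
<?php
declare(strict_types=1);

// Hosts and paths come from the script above; allowlist and fallback are assumptions.
const CROWD_BASE    = 'https://crowd.it.helsinki.fi';
const DEFAULT_DEST  = 'https://wiki.helsinki.fi/';
const ALLOWED_HOSTS = ['wiki.helsinki.fi'];

// Return an absolute https URL on an allowed host, or DEFAULT_DEST.
function safe_destination(string $raw): string
{
    // Control characters, spaces and backslashes have no place in a destination.
    if ($raw === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $raw)) {
        return DEFAULT_DEST;
    }
    // "/path" is local to the wiki; "//host/path" gets the same host check as a full URL.
    if ($raw[0] === '/' && substr($raw, 0, 2) !== '//') {
        $raw = rtrim(DEFAULT_DEST, '/') . $raw;
    }
    $p = parse_url($raw);
    if ($p === false || !isset($p['host'])
        || isset($p['user']) || isset($p['pass']) || isset($p['port'])) {
        return DEFAULT_DEST;
    }
    $host   = strtolower($p['host']);
    $scheme = strtolower($p['scheme'] ?? 'https');
    if (!in_array($scheme, ['http', 'https'], true)
        || !in_array($host, ALLOWED_HOSTS, true)) {
        return DEFAULT_DEST;
    }
    // Rebuild from the parsed parts, always as https; the fragment is dropped.
    $query = isset($p['query']) ? '?' . $p['query'] : '';
    return 'https://' . $host . ($p['path'] ?? '/') . $query;
}

function sso_login_url(string $raw): string
{
    // redirectTo is read as a query parameter, so the destination is encoded once here.
    $inner = CROWD_BASE . '/crowd/plugins/servlet/ssocookie?redirectTo='
           . rawurlencode(safe_destination($raw));
    // target is read as a query parameter too, so the whole inner URL is encoded again.
    return CROWD_BASE . '/Shibboleth.sso/HYLogin?target=' . rawurlencode($inner);
}

// Constructed inputs: local path, http URL, foreign host, bare relative name.
foreach (['/display/IT/Home', 'http://wiki.helsinki.fi/dashboard.action',
          '//other.example/x', 'dashboard.action'] as $in) {
    echo $in, "\n  -> ", sso_login_url($in), "\n";
}
```

The last two inputs fall back to the default destination: one names a host outside the allowlist, the other has no host or leading slash to resolve against.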

@breagan1983
Author

Hi @erkkiaalto - thanks for the feedback! Couple follow up questions:

  • Can you give an example of how you encoded a login link to utilize that PHP script?

For example, mine on Confluence was <a href="https://crowd.domain/crowd/plugins/servlet/ssocookie?redirectTo=targetURL">Login with Shibboleth</a>

Is yours something to the effect of: <a href="https://wiki.helsinki.fi/login.php?url=dashboard.action">Login</a>?

  • Is there documentation anywhere on what parameters the ssocookie servlet is expecting? It's strange to me that at times it seems to be successfully processing the requests, e.g. when it initially returns a 302, but then later throws a 404.

  • Is there anywhere ssocookie logs error messages? I was checking the atlassian-crowd.log and catalina.out (which I think have the same content anyways), and not seeing anything there.

Again, thanks for your help with this; much appreciated.

@erkkiaalto

We have in our login.vm

<a href="/loginout/HYcrowdlogin.php?url=$!generalUtil.urlEncode($!os_destination)" id="default_login"><img src="/images/login-hy-idp.gif"></a>

No knowledge about documentation. I think there was a way to get debug info from the ssocookie, but I do not remember anymore how. Anyway, you had a valid session, didn't you? Then it seems the authenticator is OK and you need only to get the redirects right.

@jmleppala
Member

The 404 seems really suspect as the servlet code itself does not generate a http 404. It might be a case of your redirect parameter being wrong if it is just dashboard.action. If you have Confluence and Crowd running on the same host or behind the same proxy then it might work but only with the proper context path. To be on the safe side you should include the original url in its entirety. As an example if your Confluence instance is located at https://your.domain.com/confluence the correct login url would be https://your.domain.com/crowd/plugins/servlet/ssocookie?redirectTo=https%3A%2F%2Fyour.domain.com%2Fdashboard.action

While the documentation in places might state that the plugin is not compatible 2.7 or 2.8 this is not correct. We have encountered it running on 2.9, 2.10 and 2.11. It's just a consequence of the age old problem of documentation rarely getting updated unless there is a dedicated person to update it.

@breagan1983
Author

Hi all-

Thanks for the feedback. Unfortunately the issue still persists, despite any and all tweaking of the redirectTo link. Right now, this is the link I'm using:

https://crowd.brms.wisc.edu/crowd/plugins/servlet/ssocookie?redirectTo=https%3A%2F%2Fwiki.brms.wisc.edu%2Fdashboard.action

It's strange, eh? I'm getting a valid session, just the redirect not working. All services running on the same VM. NGINX is handling the SSL offloading, and the shibauth and shibresponder sockets. Just can't seem to find an error or warning in any of the logs.

Anybody have any luck enabling verbose logging for redirect issues?

@jmleppala
Member

If you set DEBUG level for the net.nordu.crowd.sso package the servlet should output "Redirecting to {your url here}". With your given url it should not be redirecting back to the same servlet though
