-
- Novice
- Posts: 3
- Liked: never
- Joined: Apr 18, 2023 1:48 pm
- Contact:
Authentication of external users imported from LDAP directory causing infinite loop
Support case referring: #05962511
Greetings,
We're experiencing issues when authenticating external users imported from an LDAP directory. The issue is that if an external user does not exist in the user database on the self-service portal, login attempts go into an infinite loop.
I have to note that this behaviour does not happen on the Administration console on the same VEM page (the /backup sub-URL is for clients, the parent URL is the administration console): on the parent URL, you get an "Access Denied" message as it should be, while clients get stuck in a loop, causing fail2ban from the LDAP connector service (if security requirements have been met).
[23.03.2023 15:06:04] <85> Info Initiating login to https://authproxy.xx.xx/saml2/idp/login
[23.03.2023 15:06:04] <54> Info Successfully processed SAML response Microsoft.IdentityModel.Tokens.Saml2.Saml2Id and authenticated xxxx@xx.xx
[23.03.2023 15:06:04] <54> Info [SAML] Got identity :
[23.03.2023 15:06:04] <54> Info [SAML] Got NameId claim: http://schemas.xmlsoap.org/ws/2005/05/i ... identifier: xxxx@xx.xx
[23.03.2023 15:06:04] <54> Info [SAML] Group claims: xxxx@xx.xx
[23.03.2023 15:06:04] <54> Info Connecting to [localhost:9394] under [current account]. Selfrestore mode: 'off'. Session Uid: 8590f4de-5750-425e-815b-f2944650b9e3
[23.03.2023 15:06:04] <54> Error Failed to create user context from authentication data. Data: [Username: xxxx@xx.xx, SessionId: 8590f4de-5750-425e-815b-f2944650b9e3, SelfRestore: False, AuthType: SamlToken, Credentials: ], IsLogon: [True]
[23.03.2023 15:06:04] <54> Error User 'xxxx@xx.xx' does not have any roles assigned (System.UnauthorizedAccessException)
This error is legit, but the error does not return any message to the client, and that is the core of the problem.
Posting this because of tracking feature request.
best regards
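Added example (not part of the original post and not vendor code): a log check that finds users who pass SAML sign-in but are then rejected for having no roles, repeatedly and in quick succession, which is the loop signature in the excerpt above. It assumes the number in angle brackets identifies the worker handling one login; the threshold, the window, the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout taken from the excerpt: [dd.mm.yyyy HH:MM:SS] <id> Level message
LINE = re.compile(r"^\[(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})\] <(\d+)> (\w+)\s+(.*)$")
AUTH_OK = re.compile(r"Successfully processed SAML response .* and authenticated (\S+)$")
NO_ROLES = re.compile(r"User '([^']+)' does not have any roles assigned")

def denied_after_sso(lines):
    """Map user -> timestamps where SAML auth succeeded, then role lookup failed."""
    authed = {}                      # worker id -> user just authenticated there
    hits = defaultdict(list)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
        tid, level, msg = m.group(2, 3, 4)
        ok = AUTH_OK.search(msg)
        if ok:
            authed[tid] = ok.group(1)
            continue
        bad = NO_ROLES.search(msg)
        # Count only denials that follow a successful assertion for the same user.
        if bad and level == "Error" and authed.pop(tid, None) == bad.group(1):
            hits[bad.group(1)].append(ts)
    return dict(hits)

def looping_users(lines, threshold=3, window=timedelta(seconds=30)):
    """Users with >= threshold such denials inside one window (assumed limits)."""
    flagged = {}
    for user, stamps in denied_after_sso(lines).items():
        stamps = sorted(stamps)
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[user] = len(stamps)
                break
    return flagged

def _attempt(ts, tid, user):
    t = ts.strftime("%d.%m.%Y %H:%M:%S")
    return [f"[{t}] <{tid}> Info Successfully processed SAML response Microsoft.IdentityModel.Tokens.Saml2.Saml2Id and authenticated {user}",
            f"[{t}] <{tid}> Info [SAML] Group claims: {user}",
            f"[{t}] <{tid}> Error User '{user}' does not have any roles assigned (System.UnauthorizedAccessException)"]

# Constructed sample: one account bounced four times in four seconds, one denied once.
_T0 = datetime(2023, 3, 23, 15, 6, 4)
SAMPLE = [l for i in range(4) for l in _attempt(_T0 + timedelta(seconds=i), 54, "loop@example.test")]
SAMPLE += _attempt(_T0, 60, "once@example.test")

if __name__ == "__main__":
    print(looping_users(SAMPLE))
```

Running it against the portal log before an upstream lockout triggers shows which accounts are imported from the directory but have no role on the self-service portal.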
-
- Product Manager
- Posts: 14881
- Liked: 3099 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Authentication of external users imported from LDAP directory causing infinite loop
Hello,
and welcome to the forums.
"Posting this because of tracking feature request."
It looks more like a bug. The way to get rid of this is asking support for a bug number to make sure it gets fixed (as far as I see, the case was escalated some days ago already, so support should finish the job).
Best regards,
Hannes
-
- Novice
- Posts: 3
- Liked: never
- Joined: Apr 18, 2023 1:48 pm
- Contact:
Re: Authentication of external users imported from LDAP directory causing infinite loop
Thanks for a warm welcome message
I got redirected here, so that's why I'm posting and following this...
-
- Product Manager
- Posts: 14881
- Liked: 3099 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Authentication of external users imported from LDAP directory causing infinite loop
okay, I'm talking to support now to get it escalated to R&D
-
- Product Manager
- Posts: 14881
- Liked: 3099 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Authentication of external users imported from LDAP directory causing infinite loop
ah sorry, I just saw that you are on V11. So I can only repeat the suggestion from support to update to the latest V12 version. If it still persists, then we can look at fixing it.
-
- Novice
- Posts: 3
- Liked: never
- Joined: Apr 18, 2023 1:48 pm
- Contact:
Re: Authentication of external users imported from LDAP directory causing infinite loop
Hello Hannes,
#06040273 - issue still persists unfortunately :/
We have upgraded to v12...
Could you please take a look at it?
thanks
-
- Product Manager
- Posts: 14881
- Liked: 3099 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Authentication of external users imported from LDAP directory causing infinite loop
Hello,
that's sad to hear. Yes, I will talk to support. But they need logs. As far as I see, there are no logs in the case.
Best regards,
Hannes