[Bug 23930] New: No permissions SSO login to staff client should redirect to a custom URL
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23930 Bug ID: 23930 Summary: No permissions SSO login to staff client should redirect to a custom URL Change sponsored?: Sponsored Product: Koha Version: 17.11 Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Authentication Assignee: alexbuckley@catalyst.net.nz Reporter: alexbuckley@catalyst.net.nz QA Contact: testopia@bugs.koha-community.org CC: dpavlin@rot13.org Presently if a patron tries to login to the staff client and they have insufficient permissions they are re-directed back to the Koha login page with the message: 'Error: You do not have permissions to access this page'. This is fine when the staff client authentication is the native Koha login, but when you have a SSO implemented then logging in via the Koha login page and then being re-directed to a native koha login form does not make sense. We'd like to implement a syspref InsufficientPermissionRedirectURL which the staff client re-directs to if the authenticating patron does not have permission to view the staff client. -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23930 --- Comment #1 from Alex Buckley <alexbuckley@catalyst.net.nz> --- Created attachment 94894 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=94894&action=edit Bug 23930: Implemented syspref where you can configure URL re-directed to whena patron with insufficient permissions tries to login to the staff client Sponsored-by: Waikato Institute of Technology, New Zealand -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23930 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |katrin.fischer@bsz-bw.de Version|17.11 |master --- Comment #2 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Hi Alex, should this be updated (has a patch, but is Assigned) -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23930 Alex Buckley <alexbuckley@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED --- Comment #3 from Alex Buckley <alexbuckley@catalyst.net.nz> --- Hi Katrin, Thanks for noting that. I am not happy with my initial patchfix for this so am going to remove it and start again on a fix for this. Thanks, Alex -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23930 Alex Buckley <alexbuckley@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #94894|0 |1 is obsolete| | -- You are receiving this mail because: You are watching all bug changes.
From the OPAC side, I have a OpenID Connect client for Koha (which one of these days I'll find time to upstream). If I already have a session with the Identity Provider and I click on a Koha link, it'll prompt me to log in, I'll choose my Identity Provider from the login options for Koha, it'll bounce me to the IdP,
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23930 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dcook@prosentient.com.au --- Comment #4 from David Cook <dcook@prosentient.com.au> --- I'm not sure that I understand this one. What SSO are you targeting and what scenario? then bounce me back. If I don't have authorization/permission, I'd expect to see my original Koha page saying that I'm not authorized. I could see it being an issue if it re-directed me to a login page though, as I'd already be authenticated just not authorized... ...which is where I'm getting lost with your description. You're saying the patron has been authenticated but they're not authorized to be in the staff client, so they're being re-directed to the Koha login page instead of whatever page they were trying to access? I take it that you want to redirect the patron back to the page they were on before they navigated to Koha? What kind of SSO is this? I'm guessing the redirection to the IdP must be automatic and not require the user to click on something on the Koha staff client login side? -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=23930 Alex Buckley <alexbuckley@catalyst.net.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |INVALID Status|ASSIGNED |RESOLVED --- Comment #5 from Alex Buckley <alexbuckley@catalyst.net.nz> --- Hi David(In reply to David Cook from comment #4)
I'm not sure that I understand this one.
What SSO are you targeting and what scenario?
From the OPAC side, I have a OpenID Connect client for Koha (which one of these days I'll find time to upstream). If I already have a session with the Identity Provider and I click on a Koha link, it'll prompt me to log in, I'll choose my Identity Provider from the login options for Koha, it'll bounce me to the IdP, then bounce me back. If I don't have authorization/permission, I'd expect to see my original Koha page saying that I'm not authorized.
I could see it being an issue if it re-directed me to a login page though, as I'd already be authenticated just not authorized...
...which is where I'm getting lost with your description.
You're saying the patron has been authenticated but they're not authorized to be in the staff client, so they're being re-directed to the Koha login page instead of whatever page they were trying to access?
I take it that you want to redirect the patron back to the page they were on before they navigated to Koha?
What kind of SSO is this? I'm guessing the redirection to the IdP must be automatic and not require the user to click on something on the Koha staff client login side?
Hi David, We were using Mod_mellon and SAML, and yes once the user had been authenticated they were automatically re-directed to the Koha login page instead of whatever page they were trying to access. However, we've since shifted to using Shibboleth for implementing SSO so I think we can now close this bug report, as it is no longer redundant. Thanks, Alex -- You are receiving this mail because: You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org