Bug - Page redirection is broken with SSO #618

Open
cisoun opened this issue Nov 8, 2024 · 3 comments

cisoun commented Nov 8, 2024

Hi! This issue is related to a Znuny setup with Apache Mellon as SSO authentication method.

To make it short: when SSO is enabled and an unauthenticated agent wants to access a ticket through its direct link, Znuny redirects to the IDP for the login, then redirects to the homepage instead of the wished ticket.

Here's the breakdown of my situation: https://community.znuny.org/viewtopic.php?t=44275

I've found a solution that I've written at the end.

Environment

  • Server OS: Debian GNU/Linux 12 (bookworm)
  • Web server: Apache/2.4.62
  • Browser: all
  • Znuny version: 6.5.11 LTS

Expected behavior

  • Agent is unauthenticated and wants to access a ticket (through AgentTicketZoom).
  • Znuny redirects the agent to the IDP for the login.
  • Agent performs the login successfully.
  • Znuny redirects the agent to the ticket page.

Actual behavior

  • Znuny rewrites the login URL.
  • IDP cannot parse the whole login URL and loses the original RequestedURL parameter that contains the AgentTicketZoom parameter.
  • Znuny redirects to the homepage instead.

How to reproduce

Steps to reproduce the behavior:

  • Set up SSO with Apache Mellon with the configuration provided in my post mentioned above.
  • Try to access a ticket from a direct link to it while being unauthenticated.

Possible solution

I've fixed our setup by changing Kernel/System/Web/InterfaceAgent.pm#L284 as follows:

-                        . "?Reason=LoginFailed&RequestedURL=$Param{RequestedURL}",
+                        . $LayoutObject->LinkEncode("?Reason=LoginFailed&RequestedURL=$Param{RequestedURL}"),
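Review bot: on the `+` line, LinkEncode is applied to the whole suffix including its leading `?`, so the result is only usable when the configured LoginURL already ends in a parameter whose value is a URL, as in the `/sso/login?RedirectTo=/otrs/index.pl` case; with a LoginURL that has no query string, the suffix would be appended as `%3FReason%3DLoginFailed...` and no longer start a query. Consider covering both shapes of LoginURL before applying the encoding unconditionally. Also note that `$Param{RequestedURL}` is interpolated before this single encoding pass, so once the SSO endpoint has decoded its parameter, any `&` inside RequestedURL separates parameters again unless the value was already encoded earlier, which these two lines do not show.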

My guess is, if your LoginURL is, let's say, /sso/login?RedirectTo=/otrs/index.pl and this part adds ?Reason=LoginFailed&RequestedURL=$Param{RequestedURL}, you end up with something like /sso/login?RedirectTo=/otrs/index.pl?Reason=LoginFailed&RequestedURL=ActionTicketZoom&TicketID=10000000 which is not really a valid query.

Instead, the SSO redirection to the SP will return /sso/login?RedirectTo=/otrs/index.pl?Reason=LoginFailed and redirect the agent to the homepage.

So by reencoding the query, we end up with /sso/login?RedirectTo=/otrs/index.pl%3FReason%3DLoginFailed%26RequestedURL%3DActionTicketZoom%26TicketID%3D10000000, then the agent will be redirected to the right page.
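
The parsing behaviour described in the comment above can be reproduced offline with the following added example, which is not part of the original issue or of Znuny. It assumes Python's `urllib.parse` as a stand-in for the SSO endpoint's query parser and `quote` as a stand-in for LinkEncode; the function names are hypothetical, and the URLs are the ones quoted in the issue.

```python
from urllib.parse import parse_qs, quote, urlsplit

# URLs and parameter values are the ones quoted in the issue text.
LOGIN_URL = "/sso/login?RedirectTo=/otrs/index.pl"
REQUESTED_URL = "ActionTicketZoom&TicketID=10000000"


def build_login_redirect(login_url, requested_url, encode_suffix):
    """Append the LoginFailed suffix raw (before the change) or percent-encoded (after)."""
    suffix = "?Reason=LoginFailed&RequestedURL=" + requested_url
    if encode_suffix:
        suffix = quote(suffix, safe="")  # stands in for LinkEncode (assumption)
    return login_url + suffix


def query_params(url):
    """First value of each query parameter, split on '&' as a generic parser does."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def params_after_sso(url):
    """Parameters the application receives once the SSO endpoint redirects to RedirectTo."""
    return_to = query_params(url).get("RedirectTo")
    return query_params(return_to) if return_to else {}


if __name__ == "__main__":
    cases = [
        ("raw suffix", LOGIN_URL, False),
        ("encoded suffix", LOGIN_URL, True),
        ("encoded suffix, LoginURL without query", "/sso/login", True),
    ]
    for label, login_url, encode in cases:
        url = build_login_redirect(login_url, REQUESTED_URL, encode)
        print(label)
        print("  redirect to SSO :", url)
        print("  SSO parameters  :", query_params(url))
        print("  back at the app :", params_after_sso(url))
```

The third case shows the edge the one-line change does not cover: when the LoginURL carries no query string, the encoded suffix no longer starts a query and every parameter is lost.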

@rkaldung
Member

@cisoun I just tried verifying it with our own setup, and it's working. What is your IdP?

rkaldung added the "4 - clarification" label (The issue or pull requests needs more information.) on Nov 11, 2024
rkaldung self-assigned this on Nov 11, 2024

cisoun commented Nov 11, 2024

Hello Roy, thanks for responding. We use Keycloak.

@rkaldung
Member

> Hello Roy, thanks for responding. We use Keycloak.

Same here.
That's our configuration where the redirect is working:

<Location />
    MellonEnable info
    MellonEndpointPath /mellon/
    MellonSPMetadataFile /etc/httpd/xxx.xml
    MellonSPPrivateKeyFile /etc/httpd/xxx.key
    MellonSPCertFile /etc/httpd/xxx.cert
    MellonIdPMetadataFile /etc/httpd/yyy.xml
    MellonMergeEnvVars On
    MellonRedirectDomains [self] *.internal.example.tld *.example.tld
    ErrorDocument 404 /znuny/customer.pl
</Location>
# This is a location that will trigger authentication when requested.
<Location /znuny/index.pl>
    AuthType Mellon
    MellonEnable auth
    Require valid-user
</Location>

Do you have MellonRedirectDomains also configured?
