- Netherlands tvoesenek
This is a re-roll of #4, based on "Automated Drupal 10 compatibility fixes" (Needs review)
- Netherlands johan_vm Tilburg
This is a re-roll of #5, based on 2.0.0-rc1
- United States rex.barkdoll
I'm on the 1.4 version of the module on D9, preparing for an upgrade to D10. I've applied the latest patch (#6); the previous ones wouldn't apply.
When I complete the TFA verification, the SAML request does not return me to the SP; it leaves me on the IDP's home page.
Is there a way to complete the SAML loop and return to the SP with the proper credentials?
I'm also noticing that after I've logged in, when I go to the SP again, it hasn't received the credentials and I have to click on the login link again to authenticate. Since I'm already logged in, it works - but it's a little annoying to go through that twice.
SOOOOO much appreciation for all the hard work that's gone into this module.
Also, if people aren't experiencing this same breakage in the 2.x version, I'm happy to upgrade to D10 and retest then.
- New Zealand RoSk0 Wellington
Thanks for the effort, Team!
I took the patch from #6 and modified it a bit. The most important change is that the redirect to the service provider after login and TFA entry now works.
The updated code is in the https://git.drupalcode.org/project/drupalauth4ssp/-/merge_requests/10 merge request. For convenience, I am attaching the patch with the changes here as well.
This was tested on D10.3, PHP 8.1 and Apache.
I would really appreciate it if people could test the patch on their setups, as that would give better coverage, and provide feedback here sooner rather than later.
- Assigned to RoSk0
- Status changed to Needs work
6 months ago 2:07am 9 July 2024
- New Zealand RoSk0 Wellington
There is still some work to be done here to properly support TFA. It already works fine when set up fully, including users, but during the rollout there will be a time when users are already required to have TFA but haven't set it up yet. During this period, if they are allowed to skip TFA, they will, until the allowed number of skips is used.
Looking into how to support both, normal and rollout periods.
- Issue was unassigned.
- Status changed to Needs review
6 months ago 5:39am 10 July 2024
- New Zealand RoSk0 Wellington
Updated the merge request to support rollout scenarios. Following are test cases I used:
## Test cases

### IDP first

- [x] TFA not required and not set up
  - [x] registration
  - [x] log in
- [x] TFA not required and set up - logged in using TFA
- [x] TFA required and not set up
  - [x] password reset
  - [x] log in
- [x] TFA required and set up - logged in using TFA

### SP first

- [x] TFA not required and not set up on SP1
- [x] TFA not required and set up - logged in using TFA on SP2
- [x] TFA required and not set up - logged in on SP1 and redirected to TFA setup as only one skip was allowed, saw `Your login in flow was interrupted to set up TFA` message. Set up TFA, clicked the link and landed on the SP1
- [x] TFA required and set up - logged in using TFA

- New Zealand RoSk0 Wellington
Found a problem with a fallback redirect. Raised a core issue for it: Using LocalRedirectResponse with "" URL in controller results in LogicException (Active).
Updated merge request https://git.drupalcode.org/project/drupalauth4ssp/-/merge_requests/10 and attaching new patch.
- New Zealand RoSk0 Wellington
Addressing feedback after initial user testing:
- showing the message allowing a user to return to the service provider only after TFA was set up
- improving wording
- cleaning up the session after TFA entry
Attaching the patch from the latest version of the merge request https://git.drupalcode.org/project/drupalauth4ssp/-/merge_requests/10 .
- New Zealand RoSk0 Wellington
Previous patch version fails to apply for some reason...
Attaching the patch from the same commit, but with code-only changes.