Cannot signin to Chrome browser with 3rd party SSO + IdP |
|||||
Issue descriptionVersion: 50.0.2661.102 and 51.0.2704.106 Device OS: Windows 7 Pro 64 bit / 32 bit (tested on 2 devices, issue reproduced on both) Affected user: All users except super admin Affected device: All devices [Issue description] Enterprise customer who has configured to use the 3rd party SSO and IdP cannot sign-in to Chrome browser. Customer noticed that recently, since they hadn't logged in to the browser. They can use Google Apps services (e.g. Gmail) with their corp credentials, so I believe they have configured SSO and IdP properly. [Expected Behavior] Being able to login to Chrome browser. [Actual Behavior] All users (except super admin) cannot login to Chrome browser using SSO + IdP (i.e. Bookmarks are not synced, Sign in to Chrome button still available in the Settings) ***Troubleshoot already taken*** - Disable [Admin console] > [Security] > [Setup SSO with third party identity provider] > [Use a domain specific issuer] - [Workaround #1] Use chrome://chrome-signin page. ( crbug.com/571001#c7 ) - [Workaround #2] Disable "Enable new gaia password-separated sign in flow" feature under Chrome://flags. ( crbug.com/571001#c42 ) => The workarounds did not work. ***Other similar bugs*** 1) crbug.com/571001 - Chrome Sync Authentication [Same] As same as crbug.com/571001 , this issue has 302 redirection and it would cause that the SAMLRequest data is getting lost. [Difference] There are 2 workarounds doesn't work for this issue, but crbug.com/571001 can be resolved by using chrome://chrome-signin. 2) crbug.com/624042 [Same] SSO issue [Difference] This issue doesn't show any error mesages, but crbug.com/624042 shows "One moment please" error. The 2 workarounds (same as above) are not working for this issue. [Repro Steps #1 (Using chrome://chrome-signin)] 1. Opened Chrome browser and accessed chrome://net-internals. 2. Opened a new tab and accessed chrome://chrome-signin. 3. Tried logging in, sees the SSO login page. => No error message was shown. 4. Customer confirmed that they can access Google Apps (e.g. Gmail). => Since they didn't clear the caches before step #3, so I'm not sure whether they were using caches to login Apps. 5. Customer then accesses chrome://settings and still sees "Sign in to Chrome" button, that is, they don't logged in to Chrome. [Repro Steps #2 (Sign-in to Chrome button)] 1. Opened settings page from the 3 horizontal bars 2. Tried logging in with "Sign-in to Chrome" button. 3. Tried logging in, sees the SSO login page. => No error message was shown. 4. Customer confirmed that they can access Google Apps (e.g. Gmail). => Since they didn't clear the caches before step #3, so I'm not sure whether they were using caches to login Apps. 5. Customer then accesses chrome://settings and still sees "Sign in to Chrome" button, that is, they don't logged in to Chrome. [Log files] net-internals-log chrome://chrome-signin (Repro Step #1) https://drive.google.com/a/google.com/file/d/0B8hJbBKk0-c4ZU9vb01KNmNGVlE/view?usp=sharing net-internals-log "Sign-in to Chrome" (Repro Step #2) https://drive.google.com/a/google.com/file/d/0B8hJbBKk0-c4ZDUycnQxc0dhMUE/view?usp=sharing
,
Jul 27 2016
,
Jul 27 2016
,
Jul 28 2016
This customer fails in SSO login to chrome://chrome-signin because RelayState is changed while communicating with IdP server. I couldn't confirm who exactly changed RelayState since the net-internals log doesn't include HTTPS request/response body, but it is usually IdP provider. Please ask customer to: 1) Contact IdP provider for further investigation (ex. check whether they have RelayState hard-coded to specific URLs), or 2) Capture net-internals while trying to login from chrome://chrome-signin again, but this time make sure to enable "Include the actual bytes sent/received" at start and uncheck "Strip private information (cookies and credentials)" when saving to file.
,
Aug 18 2016
We experience the same issue. I disabled "Enable new gaia password-separated sign in flow" and our users could sign in successfully.
,
Aug 19 2016
Re: #c5, if your issue was resolved after disabling chrome://flags/#enable-password-separated-signin-flow, then it is likely to be crbug.com/571001 or crbug.com/624042. Good news is that those issues were marked as Fix today! I am marking this crbug as WontFix, as I believe the issue is on IdP side.
,
Aug 19 2016
No worries. I maintain our IdP, what is the likely cause of issues with Gaia? Is it the RelayState (I don't believe we hard code any URLs), or 302 redirects, or something else entirely? Ideally I'd like to resolve the issue for our users in the current stable version of Chrome rather than wait for 8f967126b576d07d939c4e6ef390b328fb95b869 to make its way to stable.
,
Aug 19 2016
Unfortunately your users would need to wait for the fix in Chrome. This issue is a completely different issue from crbug.com/571001 and crbug.com/624042. crbug.com/631924 (This): - Issue with RelayState returned by IdP - Disabling chrome://flags/#enable-password-separated-signin-flow does not work crbug.com/571001 & crbug.com/624042: - Issue with Chrome signin flow - Disabling chrome://flags/#enable-password-separated-signin-flow solves issue - Marked as fixed today, will be merged to Stable soon |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by soushi@chromium.org
, Jul 27 2016