SAMLOfflineSigninTimeLimit Policy: not always prompted to do an external authenticated login, even if it's been over 24 hours since the last online authentication.
Issue description

ChromeOS version: 67.0.3396.99 (the customer has confirmed that the issue can be reproduced with Beta and developer mode). Locally tested: 67.0.3396.99, 64.0.3282.190

ChromeOS device model: eve (local test devices: Swanky, veyron-minnie)

Case#: 16446765

Description: SAMLOfflineSigninTimeLimit Policy: not always prompted to do an external authenticated login, even if it's been over 24 hours since the last online authentication.

User information and local test info: https://drive.google.com/open?id=1NvXmWKL_IPjdq9RG7reC3UF1LJKRzL8cCHBmeJFsvxY

Steps to reproduce:
- The customer reported: SAMLOfflineSigninTimeLimit Policy is set to 24 hours.
0. Perform an authenticated sign-in and use the chromebook normally. Do not shut down. Instead, put it to sleep.
1. After 24 hours have elapsed, wake the chromebook from sleep and sign in (no online auth required since the user is still signed in).
2. After signing in, click the user icon on the shelf -> Shut down.
3. Wait approx. 15 seconds and turn the computer back on.
4. At the login page, notice that the 'Sign Out' button is not there, indicating that the user is signed out. However, online auth is not being required and the user can sign in normally.
5. After signing in, immediately shut down the machine again.
6. Wait approx. 15 seconds again and turn the computer back on.
7. This time, online auth is now required.
8. In short, it seems that an immediate shutdown after wake from sleep doesn't enforce the policy but a subsequent shutdown does.

Lastly, is there a chrome:// page that we could check to verify when the last time an authenticated sign-in occurred on a machine was?

Current Behavior / Reproduction: the online sign-in window does not appear after the device comes back from sleep mode & initial reboot, even if it's been over 24 hours since the last online authentication.

Expected Behavior: the online sign-in window should always appear after returning from sleep mode & initial reboot after the sleep mode if it's been over 24 hours since the last online authentication.

Drive link to logs:
Version info: https://drive.google.com/open?id=1GPW9-va1SEGmTUuRob9B3wPN2cJElLTQ

Additional info from the customer:
1) When using sign out, the behavior works as expected; they are required to authenticate.
2) Customer has shared the following videos:
2.1) When shutting down. This was reproduced at 2:22pm PDT 07/31/2018. https://drive.google.com/open?id=1LbFcVrHcIA3Yuj5XcOGl0SVfKLhnXHJQ
2.2) When signing out instead (working as expected). This was reproduced on 8/2/2018 at 4:34 pm PDT. https://drive.google.com/open?id=1zWBcQZ_0gTMl-ZoVzKKOHc_C7nwDg4SJ
2.3) Workaround to bypass the authentication. https://drive.google.com/file/d/1JFA3SLxgNLEAZbupqXCR8RR2y14SWxbO/view
3) Debug logs collected. https://drive.google.com/open?id=1NARf1IFqyavh2emDmGmLx8X-gtMawVWs
,
Aug 8
bhthompson@ Could you please triage this case?
,
Aug 8
This sounds like it might fall under the enterprise team's expertise.
,
Aug 13
,
Dec 12
,
Dec 14
Hello! This bug is receiving this notice because there has been no acknowledgment of its existence in quite a bit of time.
- If you are currently working on this bug, please provide an update.
- If you are currently affected by this bug, please update with your current symptoms and relevant logs.
If there have been no updates provided by EOD Wednesday, 12/19/18 (5pm EST), this bug will be archived and can be re-opened at any time deemed necessary. Thank you!
,
Dec 17
Denis, could you please take a look at this during our bug bash or PE work?
,
Dec 21
It looks like the timer in saml_offline_signin_limiter is not firing after waking up from suspend. The fix would be to listen for wake up (using base/power_monitor/power_monitor.h) in saml_offline_signin_limiter (this would also cover the default 14 days value check even if the policy is not set). We should probably also introduce a more general solution that would prevent similar errors in other timer-based restrictions. The first option is a good task for a noogler.
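
The failure mode and proposed fix from the comment above, as an added example that is not part of the original thread and is not Chromium source. It assumes the limiter's timer counts only awake time; `FakeClock`, `OfflineSigninLimiter` and `ForcedAfter` are hypothetical names for a simplified model.

```cpp
// Added illustration: a simplified model, not Chromium source. Names are hypothetical.
#include <cstdint>
#include <iostream>

// Constructed clock: `ticks` stops while suspended (assumed timer base), `wall` does not.
struct FakeClock {
  int64_t wall = 0, ticks = 0;  // seconds
  void RunAwake(int64_t s) { wall += s; ticks += s; }
  void Suspend(int64_t s) { wall += s; }
};

class OfflineSigninLimiter {
 public:
  OfflineSigninLimiter(FakeClock* clock, int64_t limit, bool recheck_on_resume)
      : clock_(clock), limit_(limit), recheck_on_resume_(recheck_on_resume) {}
  // Called after a successful online (SAML) authentication.
  void OnOnlineAuth() {
    last_online_wall_ = clock_->wall;
    deadline_ticks_ = clock_->ticks + limit_;
    force_online_ = false;
  }
  // Timer path: fires only once enough awake time has accumulated.
  void PumpTimer() { if (clock_->ticks >= deadline_ticks_) force_online_ = true; }
  // Resume path (the fix proposed in the thread): compare wall-clock time.
  void OnResume() {
    if (recheck_on_resume_ && clock_->wall - last_online_wall_ >= limit_)
      force_online_ = true;
  }
  bool force_online_signin() const { return force_online_; }
 private:
  FakeClock* clock_;
  int64_t limit_, last_online_wall_ = 0, deadline_ticks_ = 0;
  bool recheck_on_resume_, force_online_ = false;
};

// Online auth, stay awake, sleep, wake: is online sign-in forced afterwards?
bool ForcedAfter(int64_t awake_h, int64_t asleep_h, bool recheck_on_resume) {
  FakeClock clock;
  OfflineSigninLimiter limiter(&clock, 24 * 3600, recheck_on_resume);  // 24h policy
  limiter.OnOnlineAuth();
  clock.RunAwake(awake_h * 3600);
  clock.Suspend(asleep_h * 3600);
  limiter.OnResume();   // wake-up notification
  limiter.PumpTimer();  // any pending timer gets a chance to run
  return limiter.force_online_signin();
}

int main() { std::cout << ForcedAfter(1, 25, false) << ForcedAfter(1, 25, true) << "\n"; }
```

With a 24-hour limit, one hour awake followed by 25 hours asleep leaves the timer-only limiter unexpired, while the variant that re-checks elapsed wall-clock time on resume forces online sign-in.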
,
Jan 8
Comment 1 by ryutas@chromium.org
, Aug 6