[webapp-container] Google Apps For Business support when using an external SSO provider

Bug #1302780 reported by David Barth
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
webbrowser-app | Fix Released | High | Alberto Mardegan |
webbrowser-app (Ubuntu) Trusty | Fix Released | High | Unassigned |

Bug Description

[Impact]

When using an SSO provider and Google Apps For Business, the URL containment prevents the login sequence from succeeding. The navigation is redirected to an external browser and the user can never log in from within the webapp itself.

[Testcase]
- Open the Gmail webapp (look for Gmail in the Dash, then click on the application launcher)
- At the Google login prompt, authenticate with your Google Apps for Business account: <email address hidden>

Expected result:
- You authenticate successfully and can access Gmail
Actual result:
- As soon as you validate your login, you are redirected to the default browser where the transaction finishes, and are then logged in to Gmail from within your browser, not inside the webapp itself

[Regression potential]

None, the issue itself is a regression compared to the previous releases where the browser was used as the webapp container and was sharing credentials in a way sufficient to allow a successful authentication with Google Apps for Business.


David Barth (dbarth)
Changed in webbrowser-app:
importance: Undecided → High
status: New → Confirmed
tags: added: webapps-hotlist
David Barth (dbarth) wrote :

We have released a solution for that particular case.

All Google Apps webapps have been patched to support their "Business" version almost transparently, except when using an external SSO provider.

In that case, users need to manually add the URL of that specific SSO provider to a configuration file, to authorize it within the webapp-container.

For example, to authorize Gmail to verify your password using login.mycompany.com, you need to create the file ~/.local/share/Gmailmailgooglecom/extra-url-patterns.conf:
[Extra Patterns]
Patterns=https://login.mycompany.com/*

On the phone, the name of the file is: ~/.local/share/com.ubuntu.developer.webapps.webapp-gmail/extra-url-patterns.conf

summary: - [webapp-container] SSO for Google Apps for Your Domain break when the
- URL containment is in effect
+ [webapp-container] Google Apps For Business support when using an
+ external SSO provider
description: updated
Pat McGowan (pat-mcgowan) wrote :

Rather than adding a config file, we should try to detect the SAML SSO request and allow it.
See https://developers.google.com/google-apps/sso/saml_reference_implementation

Alberto Mardegan (mardy) wrote :

According to section 5.1.2 in https://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf, the request takes place as an HTTP redirect and the target URL will contain a variable named "SAMLRequest".
The webapp container could detect this scenario and let it through.

David Barth (dbarth) wrote :

Yup, agreed. It is a good next step to a more transparent support of domain logins.

Until this lands in an update, the configuration option above is the recommended solution for 14.04 users.

Changed in webbrowser-app:
assignee: nobody → Alberto Mardegan (mardy)
David Barth (dbarth) wrote :

Landing Alberto's branch to make the domain login more transparent.

description: updated
David Barth (dbarth)
Changed in webbrowser-app (Ubuntu Trusty):
importance: Undecided → High
status: New → Fix Committed
Changed in webbrowser-app:
status: Confirmed → Fix Committed
Changed in webbrowser-app (Ubuntu Trusty):
milestone: none → trusty-updates
Colin Watson (cjwatson) wrote : Please test proposed package

Hello David, or anyone else affected,

Accepted webbrowser-app into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/webbrowser-app/0.23+14.04.20140428-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
David Barth (dbarth) wrote :

I have been using that package for a few weeks and can attest it fixes the problem and doesn't introduce any visible regression.

Timo Jyrinki (timo-jyrinki) wrote :

Added tag 'verification-done' based on David's comment.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webbrowser-app - 0.23+14.04.20140428-0ubuntu1

---------------
webbrowser-app (0.23+14.04.20140428-0ubuntu1) trusty; urgency=low

  [ CI bot ]
  * Resync trunk

  [ Alberto Mardegan ]
  * Webapps: let SAML requests through. SAML requests are used for
    instance by Google Apps for your domain; they are implemented as a
    HTTP redirect to a URL containing the query parameter called
    "SAMLRequest". Besides letting the request through, we must also add
    the SAML domain to the list of the allowed hosts. (LP: #1302780)

  [ Ubuntu daily release ]
  * New rebuild forced
 -- Ubuntu daily release <email address hidden> Mon, 28 Apr 2014 07:53:21 +0000
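
The containment behaviour discussed in this report (configured URL patterns, plus letting a "SAMLRequest" redirect through and remembering its host) can be modelled as below. This is an added example, not code from webbrowser-app or from the bug thread: the class and function names, the glob semantics, the HTTPS-only rule and the requirement that the redirect come from an already allowed page are all assumptions, and every host other than login.mycompany.com is constructed.

```javascript
// Added illustration with hypothetical names; not webbrowser-app's code.

// Turn a glob such as "https://login.mycompany.com/*" into a RegExp.
// "*" in the host part never crosses "/", so it cannot swallow a path.
function patternToRegExp(pattern) {
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const m = /^(https?:\/\/)([^/]+)(\/.*)?$/.exec(pattern);
  if (!m) throw new Error("unsupported pattern: " + pattern);
  const host = esc(m[2]).replace(/\*/g, "[^/]*");
  const path = esc(m[3] || "/").replace(/\*/g, ".*");
  return new RegExp("^" + m[1] + host + path + "$");
}

class ContainmentPolicy {
  constructor(patterns) {
    this.patterns = patterns.map(patternToRegExp);
    this.samlHosts = new Set(); // hosts admitted at runtime by a SAML redirect
  }

  // "allow" keeps the navigation in the container, "external" hands it to the
  // default browser. redirectedFromAllowed: an allowed page issued the redirect.
  decide(rawUrl, redirectedFromAllowed = false) {
    let url;
    try { url = new URL(rawUrl); } catch (e) { return "external"; }
    // Match on origin + path + query so userinfo and fragment cannot spoof a host.
    const target = url.origin + url.pathname + url.search;
    if (this.patterns.some((re) => re.test(target))) return "allow";
    if (url.protocol !== "https:") return "external";
    if (this.samlHosts.has(url.host)) return "allow";
    // SAML HTTP-Redirect binding: the target URL carries a "SAMLRequest" parameter.
    if (redirectedFromAllowed && url.searchParams.get("SAMLRequest")) {
      this.samlHosts.add(url.host); // later pages on the SSO host stay inside
      return "allow";
    }
    return "external";
  }
}

// Constructed sample session (parameter values are made up).
function demo() {
  const policy = new ContainmentPolicy(["https://mail.google.com/*"]);
  const idp = "https://login.mycompany.com/sso?SAMLRequest=fZJNT8Mw&RelayState=abc";
  return [
    policy.decide("https://login.mycompany.com/form"),      // before SAML: external
    policy.decide(idp, true),                               // SAML redirect: allow
    policy.decide("https://login.mycompany.com/form"),      // host remembered: allow
    policy.decide("https://mail.google.com@evil.example/"), // userinfo trick: external
  ];
}
```

Because a URL parameter alone decides which host joins the allowed set, the model keeps that set per session and never writes it back to the configured patterns.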

Changed in webbrowser-app (Ubuntu Trusty):
status: Fix Committed → Fix Released
Colin Watson (cjwatson) wrote : Update Released

The verification of the Stable Release Update for webbrowser-app has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

David Barth (dbarth)
Changed in webbrowser-app:
status: Fix Committed → Fix Released