Incorrect behavior of Authentication URL in SSO Setup


Article ID: 221680


Products

Clarity PPM On Premise

Issue/Introduction

SUMMARY: When a user who does not have access to Clarity, or who is inactive or locked in Clarity, tries to access the application, the browser is diverted to the Logout URL instead of being redirected to the Authentication URL. In this case the authentication of the user has failed.

Pre-Requisite:

  • Configure a Clarity system with the SAML 2.0 feature
  • Update the CSA with the Logout URL and the Authentication URL, and ensure the two URLs are different

STEPS TO REPRODUCE: 

  1. Log in to Clarity with administrator privileges
  2. Create a user and set the status to inactive
  3. Log out and try to log in as the new user created in step 2
  4. Since the user status is inactive, it should route the user to the Logout URL

Expected Result: Since the user is inactive, the user should be routed to the Authentication URL.

Actual Result: Since the user is inactive, the user is routed to the Logout URL instead of the Authentication URL.

Cause

This was logged as defect DE62190. However, after further discussion with engineering and product management, it was confirmed that this behavior is by design: if a user doesn't exist in Clarity, or is inactive or locked, the user is redirected to the Logout URL so that circular looping doesn't happen while attempting to reauthenticate.
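
The looping concern described above can be seen in a simplified model of the redirect flow. This is an added example, not Clarity's code: the URLs, user table and function names are placeholders, and it assumes the identity provider still holds a valid session and re-issues an assertion without prompting.

```python
AUTH_URL = "https://idp.example/sso"        # placeholder Authentication URL
LOGOUT_URL = "https://idp.example/logout"   # placeholder Logout URL
APP_URL = "https://clarity.example/app"     # placeholder application URL

# Constructed user table: status as the application sees it.
USERS = {"alice": "active", "bob": "inactive", "carol": "locked"}


def sp_decide(username, reject_url):
    """Target the application picks after receiving a valid SAML assertion."""
    if USERS.get(username) == "active":
        return APP_URL
    return reject_url  # unknown, inactive or locked user


def follow_redirects(username, reject_url, idp_session=True, max_hops=10):
    """Trace the browser's hops and report how the flow ends."""
    trail = []
    for _ in range(max_hops):
        target = sp_decide(username, reject_url)
        trail.append(target)
        if target == APP_URL:
            return "logged_in", trail
        if target == LOGOUT_URL:
            return "logged_out", trail      # IdP session ended, flow stops
        if not idp_session:
            return "login_prompt", trail    # IdP must ask for credentials
        # Assumption: the IdP session is still valid, so the IdP re-issues an
        # assertion without prompting and the browser returns to the app.
    return "loop", trail


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        for reject in (AUTH_URL, LOGOUT_URL):
            outcome, trail = follow_redirects(user, reject)
            print(f"{user:6} reject->{reject:28} {outcome:10} hops={len(trail)}")
```

With the Authentication URL as the rejection target, the inactive, locked and unknown users never leave the redirect cycle until the hop limit is reached; with the Logout URL the flow ends after one hop.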

Environment

Release : 15.9.2

Component : CLARITY SECURITY INTEGRATION

Resolution

Instruct users to contact the application admin if they are routed to the Authentication URL, so that the application admin can investigate and activate the user in Clarity or, if the user doesn't exist, create the user if the new user needs access to the application.