If a user cannot access Rally via SSO (because they are on the exception list), when they click on a normal Rally link (not an SSO deep-link) it should take them to rally1.rallydev.com, but now it takes them to our Rally-specific Authenticate IdP SSO URL. Does this not work for the exception user?
Release : SAAS
Component : API FOR AGILE CENTRAL
When users access a deep link, there is no user information encoded in the link URL. In fact, there shouldn't be, since that could interfere with one user's ability to share a link to a Rally object with another user.
The id of the subscription is inferable from our links, which is how Rally decides how to authenticate a not-logged-in user accessing a deep link. If the sub's authentication policy is Rally-Only, they log in at the Rally login page, and if the policy is SSO-Only, they're directed to their IdP to log in.
The challenge comes with SSO-with-Exceptions mode, where the sub is nominally SSO, but any given user may be a direct-login exception. Without the user's id, there's no way to know whether the user accessing the link (while not logged in) is an exception or not.
The fix here uses a cookie left over from the previous login on the browser (the "_username" cookie) as a hint to try to identify SSO exception users. This should fix the most common cause of this behavior, but if the user accessing the deep link wasn't the last user to log in on that browser, the hint can't help.
The possible use-cases are:
| Current deep link user | Last user to have logged in on this browser (cookie) | Result |
|---|---|---|
| SSO user | unknown (no cookie) | correctly routed directly to IdP as before |
| SSO user | SSO user | correctly routed directly to IdP as before |
| SSO user | exception user | routed to Rally login screen, where the user has to enter their username (no password) and click Login to then be redirected to their IdP (one extra step compared to before) |
| exception user | unknown (no cookie) | incorrectly routed to IdP as before; the user has to manually visit the login page, authenticate, then re-access the link as before |
| exception user | SSO user | incorrectly routed to IdP as before; the user has to manually visit the login page, authenticate, then re-access the link as before (behavior not fixable for this use-case) |
| exception user | exception user | correctly routed to Rally login screen (this is the use-case that's fixed by this change) |
The assumption is that in most cases, the last logged-in user will be the same as the current deep link user on a given browser.
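The routing decision and the six use-cases in the table above, written out as an added example (this is not Rally's code; the policy and route names, the `exception_users` lookup and the sample usernames are all assumed):

```python
"""Deep-link routing when the browser's "_username" cookie is the only hint.

A deep link carries the subscription id but never the user's id, so under
SSO-with-Exceptions the server can only guess from the leftover cookie.
"""
from enum import Enum
from typing import FrozenSet, Optional, Tuple


class Policy(Enum):
    RALLY_ONLY = "rally-only"
    SSO_ONLY = "sso-only"
    SSO_WITH_EXCEPTIONS = "sso-with-exceptions"


class Route(Enum):
    RALLY_LOGIN = "rally-login"   # Rally login page (username, or username + password)
    IDP = "idp"                   # redirect straight to the subscription's IdP


def route_deep_link(policy: Policy, username_cookie: Optional[str],
                    exception_users: FrozenSet[str]) -> Route:
    """Where to send a not-logged-in user who opened a deep link.

    exception_users stands in for the subscription's direct-login exception
    list (assumed lookup). Only the cookie is consulted: the link has no user.
    """
    if policy is Policy.RALLY_ONLY:
        return Route.RALLY_LOGIN
    if policy is Policy.SSO_ONLY:
        return Route.IDP
    # SSO-with-Exceptions: the cookie names the LAST user on this browser,
    # which may or may not be the user clicking the link right now.
    if username_cookie is not None and username_cookie in exception_users:
        return Route.RALLY_LOGIN
    return Route.IDP


def deep_link_outcome(current_user: str, username_cookie: Optional[str],
                      exception_users: FrozenSet[str]) -> Tuple[Route, bool]:
    """(route, ok) for one row of the use-case table.

    ok is False only when an exception user is sent to the IdP, since they
    cannot authenticate there and must visit the login page by hand. An SSO
    user landing on the Rally login page is still ok (one extra step).
    """
    route = route_deep_link(Policy.SSO_WITH_EXCEPTIONS, username_cookie, exception_users)
    if current_user in exception_users:
        return route, route is Route.RALLY_LOGIN
    return route, True


# Constructed sample: "alice" is a direct-login exception, "bob" is an SSO user.
SAMPLE_EXCEPTIONS = frozenset({"alice"})
```

Running `deep_link_outcome` over the table's six (current user, cookie) pairs reproduces its Result column, including the unfixable row where an exception user follows an SSO user on the same browser.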