Hello support.

I tried to configure Identity Server 5.4.1.* (I tried versions 5.4.1 update 1, 2 or 3), but mostly I cannot log in to protected pages. 9 of 10 tests fail, 1 test passes OK. Our pages are protected by Shibboleth SP. When we used WSO2 IS 5.3.0 with updates from 10/2017 everything worked OK. I also tried 5.4.0 update 6 and there were the same problems, although not too often.

After some tests I found out that the problem is only with MS IE 11 (I didn't test older MS IE versions). With the latest versions of Firefox, Opera and Chrome login works fine against 5.4.1.3 (I assume that also with other 5.4.* versions). During the tests my SP configuration wasn't changed. As a policy enforcement point we use Shibboleth SP 2.6.1 (CentOS 7.3) and its configuration has been stable for several months (with IS 5.3.0).

Both 5.4.* versions show very strange behaviour when tested with MS IE 11: I see in the Fiddler proxy that my username/password is sent twice to the WSO2 IS server. Both HTTP responses have status = 200, both contain a SAMLResponse in the body, both have Response.Status = Success, but the 1st response contains an AttributeStatement with all the attributes which I defined in the SP-Claims screen. The 2nd response doesn't contain any AttributeStatement. Only the 2nd SAMLResponse (the worse one), without attributes, is sent by my browser to the SP.

When some Claims are mandatory, the second response is considered incomplete and the user is redirected to https://WSO2IS-hostname/authenticationendpoint/claims.do?missingClaims=.... After submitting the form with the missing claims there is a NullPointerException in wso2carbon.log, but it is only a follow-up problem.

The primary problem is that the login form (in the login screen) is submitted twice for MS IE 11. It looks like there are two listeners registered to the onClick event of the HTML element "button" (or something similar). But I am not a JavaScript expert.

I found at your page https://docs.wso2.com/display/compatibility/Tested+Web+Browsers that MS IE is not among the tested browsers for WSO2 IS 5.4.0. But I think that it is still one of the most used browsers and you could solve this problem.

I found a workaround for MS IE (and Edge).

I updated ${CARBON_HOME}/repository/deployment/server/webapps/authenticationendpoint/basicauth.jsp, JavaScript function submitCredentials():

Before change:

    function submitCredentials () {
        var userName = document.getElementById("username");
        // Strip surrounding whitespace from the username before posting.
        userName.value = userName.value.trim();
        if (userName.value) {
            document.getElementById("loginForm").submit();
        }
    }

After change:

    function submitCredentials (event) {
        var userName = document.getElementById("username");
        // Strip surrounding whitespace from the username before posting.
        userName.value = userName.value.trim();
        if (userName.value) {
            // Disable the button so that it cannot be clicked again.
            document.getElementById("submitbtn").disabled = true;
            // Detect IE (MSIE / Trident) and Edge from the user agent string.
            var ua = window.navigator.userAgent;
            var ms_ie = ua.indexOf('MSIE ');
            var ms_ie_trident = ua.indexOf('Trident/');
            var ms_edge = ua.indexOf('Edge/');
            if ( (ms_ie > -1) || (ms_ie_trident > -1) || (ms_edge > -1) ) {
                // Cancel the default action of the click in these browsers.
                event.preventDefault();
            }
            document.getElementById("loginForm").submit();
        }
    }

I also added the attributes name and id to the button element: <button name="submitbtn" id="submitbtn"...

Avoid using id="submit" for the button element. Chrome had a problem with it: disabling the button with document.getElementById("submit").disabled = true; also completely disabled the form's submit function.

But I have doubts about whether it is the right solution.

Best regards,
Roman Chrenko
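
An added example, not part of the original message and not WSO2 code: a variant of the handler that avoids user-agent sniffing by always cancelling the click's default action and latching after the first post, so credentials are sent once in every browser. It assumes the duplicate POST comes from the button's default submit running alongside the explicit form.submit(); makeSubmitGuard, simulateDoubleClick and the stub objects are hypothetical names constructed for this illustration.

```javascript
// Added example: browser-independent single-submit guard for a login form.
// Element roles mirror the post (username field, submit button, loginForm);
// the function names and stub objects are hypothetical.
function makeSubmitGuard(form, userName, button) {
  let submitted = false; // latch: true once the form has been posted
  return function submitCredentials(event) {
    // Always cancel the button's default action so that the explicit
    // form.submit() below is the only path that sends credentials.
    if (event && typeof event.preventDefault === "function") {
      event.preventDefault();
    }
    userName.value = userName.value.trim();
    if (!userName.value || submitted) {
      return false; // empty username or a repeated click: send nothing
    }
    submitted = true;
    button.disabled = true; // visual feedback; the latch is the real guard
    form.submit();
    return true;
  };
}

// Constructed stand-ins for DOM nodes so the block runs under Node.js.
// Fires the handler twice, as a double-registered click would.
function simulateDoubleClick(rawUserName) {
  let posts = 0;
  let prevented = 0;
  const form = { submit: () => { posts += 1; } };
  const userName = { value: rawUserName };
  const button = { disabled: false };
  const event = { preventDefault: () => { prevented += 1; } };
  const handler = makeSubmitGuard(form, userName, button);
  const results = [handler(event), handler(event)];
  return { posts, prevented, results, disabled: button.disabled, name: userName.value };
}

console.log(simulateDoubleClick("  roman  "));
```

In a page, the returned function would be attached once to the button's click event with the real loginForm, username and submitbtn elements.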