#27520 Single sign on returns 403

Posted in ‘Admin Tools for Joomla! 4 & 5’
Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by wilddogdesign on Thursday, 13 April 2017 03:15 CDT

wilddogdesign
Hi
We are using the MiniOrange SSO component, and when we log in on the Joomla site it works, but then when we log out, it returns a 403 error.
I was wondering if you have any thoughts as to why this happens. (The IP in the log entry is local, I know, but this happens on any server we have this located on.)

Thanks.

Here is the log entry in breaches log:

-------------------------------------------------------------------------------
Blocking reason: dfishield
-------------------------------------------------------------------------------
Date/time : 2017-04-12 10:47:03 GMT
URL : https://colorconcms.wilddogdevelopment.com/?morequest=acs
User : Guest
IP : 192.168.1.1
Country : (unknown country)
Continent : (unknown continent)
UA : Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Hash : post
Variables :
Array
(
[RelayState] => /
[SAMLResponse] => (value omitted)
)


Any

nicholas
Akeeba Staff
Manager
The problem is the RelayState variable. It contains a forward slash which is interpreted as a path. Therefore the direct file inclusion protection blocks it.

The easy solution is to disable DFIShield from Admin Tools' Configure WAF page.

The hard solution is to go to Admin Tools, Web Application Firewall, WAF Exceptions and press the green New button in the toolbar. In the new page that appears leave the first two boxes blank and set the Query Parameter box to RelayState then click on Save & Close. This tells Admin Tools to not apply request filtering on the RelayState parameter. You may also need to create yet another exception for the SAMLResponse query parameter in case the problem persists.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
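To make the explanation above concrete, here is a small model of what the reply describes: a direct-file-inclusion heuristic that treats any request value containing a path separator as a file path, and a per-parameter exception list that skips the check for named parameters. This is added example code written for this thread, not Admin Tools' own implementation; the detection rule (`looks_like_path`) is a deliberately simplified assumption, and the POST body is constructed to mirror the breach log entry, with a placeholder SAMLResponse whose base64 encoding happens to contain a `/`, which is why a second exception for that parameter can be needed as well.

```python
import base64
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the POST body shown in the ticket's breach log.
# A real SAMLResponse is a base64-encoded XML assertion; this placeholder is
# built so that its encoding contains a "/" (the base64 alphabet includes it),
# which is enough to trip a path-oriented filter on its own.
SAML_RESPONSE = base64.b64encode(b'<samlp:Response ID="_1"/>\xfb\xff').decode()
POST_BODY = urlencode({"RelayState": "/", "SAMLResponse": SAML_RESPONSE})

# Assumption: the filter flags anything that looks like a filesystem path.
PATH_MARKERS = ("/", "\\", "..")


def looks_like_path(value: str) -> bool:
    """Simplified direct-file-inclusion heuristic (not Admin Tools' real rule):
    flag a value that contains a path separator or a parent-directory reference."""
    return any(marker in value for marker in PATH_MARKERS)


def dfishield(params: dict[str, list[str]],
              exceptions: frozenset[str] = frozenset()) -> list[str]:
    """Return the names of parameters that would trip the filter.

    `exceptions` models the WAF Exceptions 'Query Parameter' entries: a
    parameter listed there is not inspected at all.
    """
    return sorted(
        name for name, values in params.items()
        if name not in exceptions and any(looks_like_path(v) for v in values)
    )


def handle_request(body: str,
                   dfishield_enabled: bool = True,
                   exceptions: frozenset[str] = frozenset()) -> dict:
    """Decide whether a request is blocked, mirroring the 403 in the ticket.

    Returns a dict with the HTTP status, the blocking reason (or None) and the
    offending parameter names, so the outcome can be checked programmatically.
    """
    params = parse_qs(body, keep_blank_values=True)
    offending = dfishield(params, exceptions) if dfishield_enabled else []
    if offending:
        return {"status": 403, "reason": "dfishield", "params": offending}
    return {"status": 200, "reason": None, "params": []}


if __name__ == "__main__":
    # No exceptions: RelayState ("/") and the SAMLResponse both look like paths.
    print(handle_request(POST_BODY))
    # Exception for RelayState only: the SAMLResponse still trips the filter.
    print(handle_request(POST_BODY, exceptions=frozenset({"RelayState"})))
    # Exceptions for both parameters: the SAML assertion consumer request passes.
    print(handle_request(POST_BODY, exceptions=frozenset({"RelayState", "SAMLResponse"})))
    # The "easy solution": DFIShield switched off entirely.
    print(handle_request(POST_BODY, dfishield_enabled=False))
```

The exception route is the narrower fix: only the two SSO parameters go uninspected, while every other request value is still checked. Disabling the feature removes that check for the whole site.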

wilddogdesign
Thanks for your reply.

When I try one or both query parameters per your instructions, I get this error then:

0 - Call to a member function getSignatureData() on boolean

Does that indicate it is getting past the WAF and now it is a different issue with a different component?

Also get that same error when disabling dfishield altogether.

nicholas
Akeeba Staff
Manager
That message does not come from our software. It seems to be an issue with your Single Sign On solution. Unfortunately I cannot help you with issues in third party software. Sorry.

Nicholas K. Dionysopoulos

Lead Developer and Director

wilddogdesign
No worries, thanks for your replies that confirmed what we needed to test, and glad to rule out admin tools as the problem.
Best
