Identity Awareness Portal with iDP Auth - LoginSequenceView css not "found"

Nüüül — Thu, 30 Jan 2025 11:15:04 GMT

Hello,

I am experiencing some strange behaviour, i am not sure, if this is my fault, or if there is something weird going on.

Situation:

I am currently configuring Identity Awareness Logon Portal on several Firewalls. (In preparation for bigger works)

For a shor period i was able to use the portal. Than i had to test some situations (multiple IDPs, differentiating group claims and so on).

Now is the situation:

User opens portal
gets redirected to Entra ID (if there is only one IDP configured)
User is authenticated and
redirected back to portal
portal shows like screenshot "*-saml.png"
saml trace "*trace.png"

no IDP as Logon Option is been shown.

looking at the /opt/CPNacPortal/logs/error_log messages like

[Wed Jan 29 19:58:34.819790 2025] [php7:notice] [pid 393] [client 10.10.110.101:58049] PHP Notice: Undefined variable: session in /opt/CPSamlPortal/phpincs/spPortal/sso.php on line 177, referer: https://login.microsoftonline.com/
[Wed Jan 29 19:58:34.835536 2025] [php7:notice] [pid 393] [client 10.10.110.101:58049] PHP Notice: Undefined variable: session in /opt/CPSamlPortal/phpincs/spPortal/sso.php on line 196, referer: https://login.microsoftonline.com/
[Wed Jan 29 19:58:36.888463 2025] [php7:notice] [pid 390] [client 10.10.110.101:58051] PHP Notice: Trying to get property 'rc' of non-object in /opt/CPNacPortal/phpincs/web/actions/LoginAction.php on line 54, referer: https://<gateway>/connect/spPortal/ServiceProvider?idpname=idp_<idp>&realm=identity_portal
[Wed Jan 29 19:58:37.434859 2025] [php7:warn] [pid 1980] [client 10.10.110.101:58061] PHP Warning: file_exists(): open_basedir restriction in effect. File(/opt/CPNacPortal/htdocs/nac/../../../phpincs/conf/external_unauthorized_guest_login_conf.php) is not within the allowed path(s): (/opt/CPSamlPortal/phpincs:/opt/CPSamlPortal/htdocs:/opt/CPSamlPortal/phpincs:/opt/CPSamlPortal/htdocs:/opt/CPNacPortal/htdocs/nac:/opt/CPNacPortal/phpincs:/opt/CPNacPortal/logs:/opt/CPNacPortal/htdocs/nac:/opt/CPNacPortal/phpincs:/opt/CPNacPortal/logs) in /opt/CPNacPortal/phpincs/util/Configuration.php on line 32, referer: https://<gateway>/connect/PortalMain
**[Wed Jan 29 19:58:37.887903 2025] [php7:error] [pid 394] [client 10.10.110.101:58073] script '/opt/CPNacPortal/htdocs/nac/css/"LoginSequenceView"' not found or unable to stat, referer: https://<gateway>/connect/PortalMain**
[Wed Jan 29 19:58:38.020337 2025] [php7:warn] [pid 391] [client 10.10.110.101:58082] PHP Warning: file_exists(): open_basedir restriction in effect. File(/opt/CPNacPortal/htdocs/nac/../../../phpincs/conf/external_unauthorized_guest_login_conf.php) is not within the allowed path(s): (/opt/CPSamlPortal/phpincs:/opt/CPSamlPortal/htdocs:/opt/CPSamlPortal/phpincs:/opt/CPSamlPortal/htdocs:/opt/CPNacPortal/htdocs/nac:/opt/CPNacPortal/phpincs:/opt/CPNacPortal/logs:/opt/CPNacPortal/htdocs/nac:/opt/CPNacPortal/phpincs:/opt/CPNacPortal/logs) in /opt/CPNacPortal/phpincs/util/Configuration.php on line 32, referer: https://<gateway>/connect/PortalMain
[Wed Jan 29 19:58:38.039196 2025] [php7:warn] [pid 393] [client 10.10.110.101:58083] PHP Warning: file_exists(): open_basedir restriction in effect. File(/opt/CPNacPortal/htdocs/nac/../../../phpincs/conf/external_unauthorized_guest_login_conf.php) is not within the allowed path(s): (/opt/CPSamlPortal/phpincs:/opt/CPSamlPortal/htdocs:/opt/CPSamlPortal/phpincs:/opt/CPSamlPortal/htdocs:/opt/CPNacPortal/htdocs/nac:/opt/CPNacPortal/phpincs:/opt/CPNacPortal/logs:/opt/CPNacPortal/htdocs/nac:/opt/CPNacPortal/phpincs:/opt/CPNacPortal/logs) in /opt/CPNacPortal/phpincs/util/Configuration.php on line 32, referer: https://<gateway>/connect/PortalMain
[Wed Jan 29 19:58:38.416489 2025] [php7:error] [pid 3591] [client 10.10.110.101:58097] **script '/opt/CPNacPortal/htdocs/nac/css/"LoginSequenceView"'** not found or unable to stat, referer: https://<gateway>/connect/spPortal/IdentityProviders?Realm=identity_portal
[Wed Jan 29 19:58:38.423549 2025] [php7:warn] [pid 1980] [client 10.10.110.101:58093] PHP Warning: file_exists(): open_basedir restriction in effect. File(/opt/CPNacPortal/htdocs/nac/../../../phpincs/conf/external_unauthorized_guest_login_conf.php) is not within the allowed path(s): (/opt/CPSamlPortal/phpincs:/opt/CPSamlPortal/htdocs:/opt/CPSamlPortal/phpincs:/opt/CPSamlPortal/htdocs:/opt/CPNacPortal/htdocs/nac:/opt/CPNacPortal/phpincs:/opt/CPNacPortal/logs:/opt/CPNacPortal/htdocs/nac:/opt/CPNacPortal/phpincs:/opt/CPNacPortal/logs) in /opt/CPNacPortal/phpincs/util/Configuration.php on line 32, referer: https://<gateway>/connect/spPortal/IdentityProviders?Realm=identity_portal
^C

As this is in my lab environment, where some things might have been played along too many times, I set up a new gateway with new management, configured Identity Awareness, set up Identity Provider and SAML Config at entra id. With the same result.

inspecting the web page i get:

404 Status for a file named "LoginSequenceView" (including the ") - what matches with logs above (bold)

Watching the SAML Trace i see the GET request to "https://<gateway>/connect/css/%22LoginSequenceView%22" with saml server response "saml_server_response={"context":"","type":"FAILURE","message":"Login failed. If the problem persists please contact your administrator","opaque":"","nextStateId":""}" as Cookie.

it looks like that "https://<gateway>/connect/PortalMain" is referring to "https://<gateway>/connect/css/%22LoginSequenceView%22" - which than cannot be found. Removing the " at the filename (https://<gateway>/connect/css/LoginSequenceView) the css file is shown correctly.

Tested this with several browsers (private, non private windows, with direct network connect to gateway or via other firewalls and VPNs, MAC and Windows)

Perhaps someone here already did some deeper troubleshooting at all those SAML things and has a tip/hint/condolences?

(TAC is not really an option, as this is running my lab at the moment)

Re: Identity Awareness Portal with iDP Auth - LoginSequenceView css not "found"

Chris_Atkinson — Thu, 30 Jan 2025 14:15:39 GMT

Out of interest have you already tried R81.20 JHF T96?

PRJ-58006,PRHF-37011

Identity Awareness

IDA Captive Portal may not be available after Jumbo Hotfix Accumulator installation or after an upgrade using the Blink image. Refer to sk172324.

Re: Identity Awareness Portal with iDP Auth - LoginSequenceView css not "found"

Nüüül — Thu, 30 Jan 2025 14:21:36 GMT

Hi Chris,

Thank you. Currently running 81.20 T92, will update now and see, what happens.

BUT, had similar problems when running R82 on another gateway. Take10 has been installed but no improvement.

Re: Identity Awareness Portal with iDP Auth - LoginSequenceView css not "found"

Nüüül — Fri, 31 Jan 2025 11:24:21 GMT

Hi @Chris_Atkinson

no improvement. "LoginSequenceView" is still referenced. including the quotes

Re: Identity Awareness Portal with iDP Auth - LoginSequenceView css not "found"

Nüüül — Mon, 03 Feb 2025 09:04:56 GMT

over the time installed a new virtual gateway, including a brand new management. Configured IDP and Identity Awareness to use it. Worked for one session, than the behaviour came up again.

Evidence attached.

As far as i understand, (phpincs/view/html/)PortalMain is the one that is referring to "LoginSequenceView" as css stylesheet.

topic Re: Identity Awareness Portal with iDP Auth - LoginSequenceView css not "found" in Firewall and Security Management

Identity Awareness Portal with iDP Auth - LoginSequenceView css not "found"

Re: Identity Awareness Portal with iDP Auth - LoginSequenceView css not "found"

Re: Identity Awareness Portal with iDP Auth - LoginSequenceView css not "found"

Re: Identity Awareness Portal with iDP Auth - LoginSequenceView css not "found"

Re: Identity Awareness Portal with iDP Auth - LoginSequenceView css not "found"