SafeExamBrowser / seb-mac

Safe Exam Browser for macOS and iOS
https://www.safeexambrowser.org/macosx

SEB: macOS, cannot continue to Moodle page after SWITCH edu-ID Login #340

Closed bsdooby closed 10 months ago

bsdooby commented 10 months ago

SEB 3.3 (1487D) on macOS 14.1.1 (M1) cannot redirect or connect to auth. Moodle instance (Bern University of Applied Sciences). We are using a template config.seb file for this...

expected: continue to the Moodle instance and/or exam page.

observed: on macOS, the SWITCH edu-ID auth. screen is displayed: entering valid credentials then tries to redirect to the Moodle instance, but a blank (white) screen appears.

solutions/workaround: on Windows, the same config.seb works.

brunobaudry commented 10 months ago

Additional observation on this issue :

MacOs 14.1 SafeBrowser v3.3

1) Launching safebrowser by double clicking on the *.seb config file

1.A) .seb config with url filtering (see below)

Moodle logon page opens,

1.A.1 Using tier Authentication and Authorization Infrastructure (Switch's Shibboleth)

1.A.2 using simple authentication (Username password)

1.B) simple .seb config file (no url filtering)

Moodle logon page opens,

1.B.1) using simple authentication (Username password)

1.B.2) Using tier Authentication and Authorization Infrastructure (Switch's Shibboleth)

Tier auth logon pages opens,

2) Launching SafeBrowser by double clicking Moodle's quiz "Launch SafeBrowser" deeplink button (sebs://url.to.the.config.file)

.seb config is with url filtering (see below)

Moodle logon page opens, Using tier Authentication and Authorization Infrastructure (Switch's Shibboleth):

config file :

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>showTaskBar</key>
        <true/>
        <key>allowWlan</key>
        <false/>
        <key>showReloadButton</key>
        <true/>
        <key>showTime</key>
        <true/>
        <key>showInputLanguage</key>
        <true/>
        <key>allowQuit</key>
        <true/>
        <key>quitURLConfirm</key>
        <true/>
        <key>audioControlEnabled</key>
        <false/>
        <key>audioMute</key>
        <false/>
        <key>allowSpellCheck</key>
        <false/>
        <key>browserWindowAllowReload</key>
        <true/>
        <key>URLFilterEnable</key>
        <true/>
        <key>URLFilterEnableContentFilter</key>
        <false/>
        <key>URLFilterRules</key>
        <array>
            <dict>
                <key>action</key>
                <integer>1</integer>
                <key>active</key>
                <true/>
                <key>expression</key>
                <string>https://wayf.switch.ch/SWITCHaai/*</string>
                <key>regex</key>
                <false/>
            </dict>
            <dict>
                <key>action</key>
                <integer>1</integer>
                <key>active</key>
                <true/>
                <key>expression</key>
                <string>https://bfh.login.eduid.ch/idp/profile/SAML2/Redirect/*</string>
                <key>regex</key>
                <false/>
            </dict>
            <dict>
                <key>action</key>
                <integer>1</integer>
                <key>active</key>
                <true/>
                <key>expression</key>
                <string>https://moodle.bfh.ch/mod/quiz/*</string>
                <key>regex</key>
                <false/>
            </dict>
            <dict>
                <key>action</key>
                <integer>1</integer>
                <key>active</key>
                <true/>
                <key>expression</key>
                <string>https://moodle.bfh.ch/local/bfh_dual_login/index.php*</string>
                <key>regex</key>
                <false/>
            </dict>
            <dict>
                <key>action</key>
                <integer>1</integer>
                <key>active</key>
                <true/>
                <key>expression</key>
                <string>https://moodle.bfh.ch/login/index.php</string>
                <key>regex</key>
                <false/>
            </dict>
            <dict>
                <key>action</key>
                <integer>1</integer>
                <key>active</key>
                <true/>
                <key>expression</key>
                <string>https://moodle.bfh.ch/Shibboleth.sso*</string>
                <key>regex</key>
                <false/>
            </dict>
            <dict>
                <key>action</key>
                <integer>1</integer>
                <key>active</key>
                <true/>
                <key>expression</key>
                <string>https://login.eduid.ch/idp/profile/SAML2/Redirect/SSO*</string>
                <key>regex</key>
                <false/>
            </dict>
            <dict>
                <key>action</key>
                <integer>1</integer>
                <key>active</key>
                <true/>
                <key>expression</key>
                <string>https://moodle.bfh.ch/auth/shibboleth*</string>
                <key>regex</key>
                <false/>
            </dict>
        </array>
        <key>startURL</key>
        <string>https://moodle.bfh.ch/mod/quiz/view.php?id=2083284</string>
        <key>sendBrowserExamKey</key>
        <true/>
        <key>examSessionClearCookiesOnStart</key>
        <false/>
        <key>allowPreferencesWindow</key>
        <false/>
        <key>hashedQuitPassword</key>
        <string>8577da2ea54085708b3b851bc50315a36bb740ba5135e747cfb12457b5d3060f</string>
        <key>browserWindowWebView</key>
        <integer>3</integer>
    </dict>
</plist>

Hope that helps.

danschlet commented 10 months ago

Does it work without URL filtering?

If yes, then you need to update your URL filters.

brunobaudry commented 10 months ago

Hi @danschlet, thanks for your feedback. Could you enlighten us how/what should be changed (as the URL filtering works fine when launched from Windows OS)?

Cheers Bruno

danschlet commented 10 months ago

As a reminder: If you use URL filtering and some SEB config doesn't work which works without URL filtering:

brunobaudry commented 10 months ago

thanks a lot will try that.

danschlet commented 10 months ago

And in general:

In general URL filter rules should be compatible between SEB for Windows and macOS. BUT the browser engines are not the same, and it's very much possible that a browser engine difference can cause an incompatibility. Also SEB for macOS and iOS can use two different versions of the WebKit browser engine for backwards compatibility. This depends on used SEB settings (or Moodle version if you're using the built-in Moodle SEB integration). The old classic WebView might not work at all with some modern websites/web applications.

brunobaudry commented 10 months ago

There you go

[logs removed]

brunobaudry commented 10 months ago

Found:

2023/11/17 10:15:30:626 Started application with bundle ID: com.apple.WebKit.WebContent
2023/11/17 10:15:30:874 BrowserWindow <SEBBrowserWindow: 0x12badac60>: Title of current Page: Safe Exam Browser 3.3 —
2023/11/17 10:15:30:878 This resource was blocked by the URL filter: https://login.eduid.ch/idp/profile/user/system/shared-local-storage
2023/11/17 10:15:30:878 Navigation action policy for URL https://login.eduid.ch/idp/profile/user/system/shared-local-storage was 'cancel'

brunobaudry commented 10 months ago

OK: adding this solved the issue:

            <dict>
                <key>action</key>
                <integer>1</integer>
                <key>active</key>
                <true/>
                <key>expression</key>
                <string>https://login.eduid.ch/idp/profile/user/system/shared-local-storage</string>
                <key>regex</key>
                <false/>
            </dict>

Tested ok on both Win and Macos

Thanks a lot @danschlet for the leads !

danschlet commented 10 months ago

https://login.eduid.ch/idp/profile/user/system/shared-local-storage is definitely not allowed with the URL filters you listed above. I assume that this URL is not called when SEB for Windows accessed the edu id login, maybe because of web browser compatibility.

Probably it's safe if you define a less strict URL filter like https://login.eduid.ch/idp/profile/* (or even just https://login.eduid.ch/*, but then you would need to test if you can navigate to unwanted pages on the login.eduid.ch subdomain).

danschlet commented 10 months ago

Welcome. This just confirms what we mentioned before (but we should probably add it to the manuals): Creating correctly working URL filter rules is complicated and cumbersome. You may think some rules work, but if some little detail changes on a website or in a web application, URL filter rules might stop working. Also as we saw here, web browser engine compatibility might create issues. So the tip with checking log files is important to follow, before reporting an SEB issue 😉.
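
An added example, not part of the original thread or SEB's own code: a Python sketch of the log check recommended above, listing URLs that the SEB log reports as blocked and that no active allow rule in the config covers. It assumes `action` 1 means allow and approximates wildcard matching (`*` as any run of characters, anchored at both ends); SEB's own matcher may differ, and the config is a constructed subset of the one posted in this thread.

```python
import plistlib
import re

# Constructed sample: a subset of the rules from the config posted in this thread.
CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>URLFilterRules</key><array>
<dict><key>action</key><integer>1</integer><key>active</key><true/><key>regex</key><false/>
<key>expression</key><string>https://login.eduid.ch/idp/profile/SAML2/Redirect/SSO*</string></dict>
<dict><key>action</key><integer>1</integer><key>active</key><true/><key>regex</key><false/>
<key>expression</key><string>https://moodle.bfh.ch/Shibboleth.sso*</string></dict>
</array></dict></plist>"""

# Log lines in the format quoted in this thread.
LOG = """\
2023/11/17 10:15:30:878 This resource was blocked by the URL filter: https://login.eduid.ch/idp/profile/user/system/shared-local-storage
2023/11/17 10:15:30:878 Navigation action policy for URL https://login.eduid.ch/idp/profile/user/system/shared-local-storage was 'cancel'
"""

BLOCKED = re.compile(r"This resource was blocked by the URL filter: (\S+)")

def to_regex(rule):
    """Compile one rule. Assumption: '*' matches any run of characters."""
    expr = rule["expression"]
    if rule.get("regex"):
        return re.compile(expr)
    return re.compile(".*".join(re.escape(p) for p in expr.split("*")))

def allow_rules(config_bytes):
    """Active rules with action 1 (assumed to mean 'allow')."""
    rules = plistlib.loads(config_bytes).get("URLFilterRules", [])
    return [r for r in rules if r.get("active") and r.get("action") == 1]

def blocked_urls(log_text):
    """Unique blocked URLs in order of first appearance."""
    return list(dict.fromkeys(BLOCKED.findall(log_text)))

def uncovered(config_bytes, log_text):
    """Blocked URLs that no allow rule in the config matches."""
    pats = [to_regex(r) for r in allow_rules(config_bytes)]
    return [u for u in blocked_urls(log_text)
            if not any(p.fullmatch(u) for p in pats)]

def matches(expression, url):
    """Check a single candidate wildcard expression against a URL."""
    return bool(to_regex({"expression": expression}).fullmatch(url))

if __name__ == "__main__":
    print("no allow rule matches:", uncovered(CONFIG, LOG))
```

`matches()` can be used to compare a narrow candidate rule with a broader one before adding either to the config.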

brunobaudry commented 10 months ago

> Welcome. This just confirms what we mentioned before (but we should probably add it to the manuals): Creating correctly working URL filter rules is complicated and cumbersome. You may think some rules work, but if some little detail changes on a website or in a web application, URL filter rules might stop working. Also as we saw here, web browser engine compatibility might create issues. So the tip with checking log files is important to follow, before reporting an SEB issue 😉.

Yes, the manual is comprehensive and detailed. With the rush factor, when such problems arise during operations, we read too diagonally perhaps ... Nevertheless, your suggestions and the verbose logs were a lifesaver. Sorry for the distraction.