brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0
17k stars 2.21k forks

SAML authentication prompting for Basic Auth instead of using cert for IWA #1261

Open avoidwork opened 5 years ago

avoidwork commented 5 years ago

Description

My MBP with latest Brave stable & dev is prompting for basic auth during SAML dance, even though Apple's Enterprise Connect is running.

Steps to Reproduce

  1. Log in to any application using SAML

Actual result:


Expected result:

Apple's Enterprise Connect handles the certificate, and basic auth challenge doesn't happen.

Reproduces how often:

Easily reproduced

Brave version (chrome://version info)

Brave | 0.55.6 Chromium: 70.0.3538.16 (Official Build) dev (64-bit)
Revision | 16ed95b41bb05e565b11fb66ac33c660b721f778-refs/branch-heads/3538@{#306}
OS | Mac OS X

Reproducible on current release:

Yes

Website problems only:

Additional Information

Okta(.com) in use.

diracdeltas commented 5 years ago

I don't have a test site for SAML implementations, but I did check that client cert auth works in Brave using the test at badssl.com.

[screenshot]

mukuld commented 4 years ago

+1. I have the same issue. When a computer is a part of the enterprise domain, the authentication should just work seamlessly.

I am on the latest and greatest stable version as of today: Version 0.66.100 Chromium: 75.0.3770.142 (Official Build) (64-bit)

avoidwork commented 4 years ago

I forgot about this issue; I had to stop using Brave because it was too intrusive.

mukuld commented 4 years ago

That's interesting. The browser claims to be non-intrusive. What do you mean by it was too intrusive? Anyhow, I found some hacks that work to make the browser enterprise friendly. Now, if only the development team would implement these in the production version. I have documented it on my website.

Using a hack creates problems with upgrades, as every upgrade breaks the hack and we have to redo it again.

avoidwork commented 4 years ago

Intrusive by disrupting the authentication mechanism & requiring me to put keyboard focus where it previously wasn't needed, and then entering a passphrase. The password prompt is a failover for the IWA.

avoidwork commented 4 years ago

Imagine browsing a large wiki and opening tabs, and each tab wants a basic auth challenge fulfilled.

mukuld commented 4 years ago

Ah, I understand the challenges. I had the same challenges on my corporate intranet and federated sites (and there are a lot in my environment). However, the workaround I documented works like a charm. I have been using Brave for the past week or so and have not looked back. It is very fast, smooth and looks great!