Open timcosgrove opened 1 month ago
One error type I see in the logs indicates a user is being returned from logon.iam.va.gov without an appropriate adUPN attribute set:
Drupal\simplesamlphp_auth\Exception\SimplesamlphpAttributeException: Error in simplesamlphp_auth.module: no valid "adUPN" attribute set. in Drupal\simplesamlphp_auth\Service\SimplesamlphpAuthManager->getAttribute() (line 284 of /var/www/cms/docroot/modules/contrib/simplesamlphp_auth/src/Service/SimplesamlphpAuthManager.php). [dd.trace_id=9223372036854775807 dd.span_id=4039230175985604495]
https://prod.cms.va.gov/admin/reports/dblog/event/4608084 (may be removed; not sure how long these are retained).
This has happened multiple times; it is not unique to the above. However, this doesn't seem clearly associated with the reported problem.
All users known to have this issue have had the issue resolved by using a different browser, so we are going to move this to the parking lot until we get more information about the problem and/or hear from more users experiencing the issue.
Full discussion here: https://dsva.slack.com/archives/CT4GZBM8F/p1723747595417829
Erika had an idea that it's users who have the translations set up and, specifically, if that module is the underlying issue.
Beth Potts has also reported experiencing the same issue.
CMS HD report from an Editor:
Name: Linda.Wondra@va.gov
Browser: ??? will ask and update here
URL being accessed: ??? will ask and update here
Also asking how recently she cleared her browser cache and if trying the "other" browser resolved it. Also asking how recently she was able to use this URL normally.
Name: megan.zehnder@va.gov
Meghan writes: As of today, I’m still experiencing the issue.
Oddly, yesterday I encountered the issue much less frequently. I was able to go back into Edit mode in a Drupal page multiple times without clearing my cache and re-entering my PIV each time. But when I worked on a different post today, I hit the “Access denied” screen every time I tried to go back into Edit mode.
Here are some observations that may or may not be helpful!
@timcosgrove - @ian-sears @gracekretschmer-metrostar A new piece of information regarding Access Denied -- A common thread: Editors are clicking on 'Home' in the breadcrumb trail at the top of the page. This leads them to the Home page - forcing them to log in again - THIS is when the Access Denied message appears... Editors report that the functionality of this changed 3 or so months ago. The Home link should take them to the same page as clicking on their user name at the top of the page...
Additionally from @ian-sears - As an Editor, when I am editing, within the last two months when I click on the breadcrumb "Home", it does not take me to the home page for "me"... it instead asks me to log in again. Workarounds that the Editors have discovered... "Click the VA logo". (or) click your own email address in the menu bar and then "View Profile". This takes them back to what they consider to be their own "home" page (restricted to the sections they have access to edit in WorkBench...)
Although unable to shoot a video of this, the Editor Clifford.Coy@va.gov provides this (if verbose) clear text sequence of how he experiences this:
Sure, happy to help. I have the knowledge to do what you are asking, in terms of a video, but not the set up for it. I would have to do some odd video call on Teams, and then record that, then compress it…..that is a little more work than I want to do. I can tell you that I have gone ahead and played around a bit more and I get this response after doing pretty much anything in the page. So, if I clear the browser cache…no issues, I can log in like normal. I use this link: https://prod.cms.va.gov/section/vha/vet-centers/boston-vet-center I select the “edit” button for the Main vet center page section. That takes me here: https://prod.cms.va.gov/node/3597/edit?destination=/section/vha/vet-centers/boston-vet-center which is a logon for my PIV. I click that and I am in the edit CMS for my page.
After that, I can do what I want, but as soon as I navigate away or click anywhere else and then try to get back into the edit page, it takes me to the PIV log in page and I get nothing but access denied, until I clear the cache again. I tested this by just closing the window, “x” ing out as the kids call it. Then using the above listed link https://prod.cms.va.gov/section/vha/vet-centers/boston-vet-center get back in. From my CMS edit page: https://prod.cms.va.gov/node/3597/edit?destination=/section/vha/vet-centers/boston-vet-center&check_logged_in=1 I have navigated to the knowledge base: https://prod.cms.va.gov/help, my profile: https://prod.cms.va.gov/user/3136, after logging out. If I navigate anywhere or click anywhere and then try to get back in without first clearing the cache, it blocks me. I only tested this on Edge, not any other browsers.
-Cliff
From VAHELP-7971 VA CMS Help Desk
Describe the defect
Some PIV users are reporting that specific pages show them an access denied page. These are pages that they previously had access to.
To Reproduce
This unfortunately is unreproducible by other people. The problem is specific to certain users and certain pages. See also notes under Additional Context.
Randi Hecht:
Sara Torres:
Beth Potts:
AC / Expected behavior
Users should be able to access pages they have role-based access to.
Screenshots
Additional context
The general pattern is:
Additional information that has come back from working with users experiencing the problem:
A user that was not able to access /user/295 (their personal user profile page) was able to access /user/295/edit. This indicates it is not a Drupal-level access issue; in other words, the user has legitimate access to the content they're trying to view.
Troubleshooting Steps
Acceptance Criteria