Hi,
We recently upgraded our One Identity environment from 9.2 to 9.3, and after the upgrade we started experiencing issues with SSO on the web portal login.
Environment details:
- ApiServer hosted in IIS
- Windows Authentication: Enabled
- Anonymous Authentication: Disabled
- Authentication module: “Active Directory user account (role-based)”
- Configured as the Single Sign-On authentication module
Behavior before the upgrade (9.2):
Users never saw the login screen. A request to ApiServer/imx/sessions/portal returned the available authentication options and confirmed that the user was already authenticated (PrimaryAuth.IsAuthenticated: true).
Behavior after the upgrade (9.3):
The login check still appears to be performed, but it fails and generates a warning in the DialogJournal table.
From what we can tell, the failure occurs because:
- AdsAccountHelpers.GetSsoIdentity() looks for HttpContext
- SessionResponse.BuildAsync() does not include the request context in LoginEnvironment() (unlike SessionProviderExtensionMethods.LoginAsync())
- As a result, AdsAccountHelpers.GetSsoIdentity() falls back to WindowsIdentity.GetCurrent() instead of httpContext.User.Identity
- But in the IIS context, this returns the application pool identity, causing the SSO login to fail
Additionally, a login warning is written to DialogJournal every time the login page is loaded.
At this point, we haven’t been able to identify a workaround.
Has anyone else encountered this issue after upgrading to 9.3?
Is there a known workaround or an available hotfix?
Thanks in advance.