Software developed using Adobe Air cannot render SAML SSO template

We are using 8x8 desktop client which is developed using Adobe Air technology. We want to sign in with our company’s google emails. One process in the middle involves logging into our SAML of course. However, there is one software where UCS’s simplesamlphp template is not rendered properly. I have attached screenshots. We also have deployed test and standalone “simplesamlphp” with standard template which renders fine as you can see on other screenshot.

I suspect the problem is either within 8x8’s client or Adobe Air technology, or that there is something in Univention’s template that the software cannot render. Something… small and simple. But I do not know what.

We are also running on UCS version 4.2-3 which I know is very outdated, however it would take me 2-4 weeks to update to latest UCS version, and maybe that will update our SSO template. However in the meantime, if someone can shed some light into this problem, I will be very happy.

PS I am not trying to blame any software or vendor mentioned here, just want to fix it.

(right click -> open in a new tab)

The software company said they would not support anything above they already do.

Their client is developed with Adobe Air.

I guess that I can still try to modify SSO template or update to latest version hoping it will start working itself.

If I wish to ask Univention’s help in this I guess we would need to have a support contract?

Hello Roman, your first screenshot seems to only show a loading animation with a missing UCS logo in the center. From the information provided i cannot conclude what page is requested.
Your second screenshot shows a simplesamlphp error page. It seems that simplesamlphp was called with insufficient parameters.

For more information you can look into the apache logs and the syslog, where simplesamlphp is logging information. You can also increase the simplesamlphp loglevel.

As i know not enough about the software you are developing or Adobe Air, a generic idea i have is that you could try to hardcode the URL that is requested. The request for the loginpage should be the same that is behind the Google tile in the UCS Portal, it has the form https://ucs-sso.[YOUR_UCS_DOMAIN]/simplesamlphp/saml2/idp/SSOService.php?spentityid=google.com

@damrose

The page requested was SSO simpleSAMLphp login
simplesamlphp/module.php/core/loginuserpass.php?AuthState=[cut]

It looks as if it is loading but it is actually not doing anything. The same page in browser looks as attached.

So I guess it is some sort of HTML element is not displayed in Adobe Air web rendering engine.

As i suggested, please try the request with this page: /simplesamlphp/saml2/idp/SSOService.php?spentityid=google.com

I am afraid that would not be possible. This application is developed by 8x8 (called Virtual Office Desktop), and they refused to help.

There must be a step where users would enter their credentials and this step does not load.

So I have this 8x8 Virtual Office Desktop application which must login into 8x8.

We setup 8x8 SSO login via our Google accounts (which in turn login into our Univention SSO).

Process is

1. login on 8x8
2. get redirected to google, login in google
3. get re directed to Univention SSO
4. Login in SSO
5. Get redirected back to google, then to 8x8

We can login via browser fine. But in the app, which is written with Adobe Air code, it fails on step 3 or 4.

Thanks for the clarification. so steps 2-5 work with an external browser? Then i am out of ideas, as the issue really seems to lie in the external app, as you suspected.

An approach to this problem could be to check if and how the requests to the SAML login differ between the app and a standalone browser, but it seems to be that the app has to be fixed to make it work, which is out of scope here

Thanks for update. I guess we either have to work it our ourselves or change the provider if it does not work for us as we need. Thanks. If our custom modification will work (hope no problem with Univention licensing) I will update here.

I have done some more digging and found out that 8x8’s Adobe Air version is 22.0 which is from 2016.
The login template screen loads some javascript to load logo and login fields.

I can actually navigate the username and password with “Tab” buttons, typing credentials and proceed with “Enter”.

So the HTML elements are there, I guess it is just a problem rendering JavaScript?

If AdobeAir/22.0 was released in 2016, I guess with rapid JavaScript language development, AdobeAir 22 may be too old now.

I think we can fix this problem by creating our own (and branded) SSO template with no Javascript and complicated CSS, maybe this will fix the problem.

Is there a way to develop our own template which will not get overwritten after UCS upgrades?

Yes that is possible. The Simplesaml documentation has a short chapter about theming.
You can have a look at our theme in the package univention-saml, or on a UCS DC Master/Backup in /usr/share/simplesamlphp/modules/univentiontheme

To activate your theme and make the setting permanent, use ucr set saml/idp/lookandfeel/theme=<yourthemename>, the default is univentiontheme:univention.

Thanks. I have created new theme, a very simple one. Now it is loading fine in software developed with Adobe Air.

Is there a chance it would not work same as Univention’s theme? I guess you might have additional functionality built in to re-authenticate into controllers, etc?