SAML SSO and deeplink

0
I know this question has been asked before by Bart Tolen (https://forum.mendix.com/questions/995/Deeplink-and-Single-Sign-On, but the SAML module has been upgraded extensively so hence the reason to ask the question again. We have a setup where a Mendix user goes to another website and is handed over with SSO. After the user has done it's thing on the other website he is handed back through a deeplink to the Mendix application. We already have deeplinks working in the application for anonymous users and these work. The problem we have is that the user lands on a blank page and the deeplink is never triggered. Now this could be the page for the anonymous user. Only when a anonymous user uses a deeplink the user arrives on a Mendix form. The home screen of anonymous users is just an empty screen. I already tried to call the deeplink from the CustomLoginLogic microflow of the SAML module (with the risk of running the deeplink twice), but this did not seem to work. The crux of the problem is that there must be a user session for the deeplink to work. The strange part though is that when I change the deeplink to index3.html the user is logged in to our application. So the handover back from the external website to the Mendix site seems to work. Did anybody else did a combination of SAML and deeplink? Any suggestion on what we might try? Regards, Ronald [EDIT] The sollution must be in the combination of the IndexPage and LoginLocation constant . I have set the IndexPage constant to index3.html because the index.html is used to redirect to the SSO page. The LoginLocation constant documentation mentions something about SSO If not empty, it is assumed that after login, the user will be redirected to the deeplink again. For this reason the provided url is appended with the original deeplink. For example: 'https://mxid.mendix.com/login?a=MyApp&f=true&cont=' or '../sso/login?f=true&cont=' I tried both but got some very strange results. Stephan sollutiond did partially work https://yourmendixapp.com/SSO/login?a=MyApp&f=true&cont=/link/linkname/parameter At least the SSO got triggered, but the user was logged in instead of following the deeplink. The deeplink did not get triggered. I will call the deeplink again from CustomLoginLogic to see if that helps. [EDIT2] When I fill in the deeplink in the browser I see that a PendinLink is created as an Anoymous user. The deeplink is triggered, but the session id after the SSO login is different and since the deeplink is from an anonymous user the PendingLink is not found. Should the PendingLink not be updated after the SSO redirect? Seems like a bug to me. [EDIT3] Correction. The pending link is never created. The SSO does trigger and even the deeplink is triggered. But since there is no PendingLink the result is that the user is logged in. The PendinLink I saw was an old one. [EDIT4] When setting the log levels to debug I suddenly get an error in my log: Oct 15 15:01:16.327 127.0.0.1 tr10000: ERROR - DeepLink: Error while serving deeplink: Oct 15 15:01:16.330 127.0.0.1 tr10000: ERROR - DeepLink: (1/51) com.mendix.core.CoreRuntimeException: com.mendix.systemwideinterfaces.MendixRuntimeException: com.mendix.core.CoreRuntimeException: Exception occurred in action '{"xpath":"//DeepLink.PendingLink[DeepLink.PendingLink_DeepLink='147774362773094801' and User='test.sso-springest@hu.nl']","amount":-1,"depth":0,"offset":-1,"sort":{},"type":"RetrieveXPathAction"}', all database changes executed by this action were rolled back Oct 15 15:01:16.330 127.0.0.1 tr10000: ERROR - DeepLink: (2/51) at com.mendix.core.actionmanagement.ActionManager.executeSync(ActionManager.java:202) Oct 15 15:01:16.330 127.0.0.1 tr10000: ERROR - DeepLink: (3/51) Oct 15 15:01:16.330 127.0.0.1 tr10000: ERROR - DeepLink: (4/51) Caused by: com.mendix.systemwideinterfaces.MendixRuntimeException: com.mendix.core.CoreRuntimeException: Exception occurred in action '{"xpath":"//DeepLink.PendingLink[DeepLink.PendingLink_DeepLink='147774362773094801' and User='test.sso-springest@hu.nl']","amount":-1,"depth":0,"offset":-1,"sort":{},"type":"RetrieveXPathAction"}', all database changes executed by this action were rolled back Oct 15 15:01:16.330 127.0.0.1 tr10000: ERROR - DeepLink: (5/51) at com.mendix.util.classloading.Runner.doRunUsingClassLoaderOf(Runner.java:36) Oct 15 15:01:16.331 127.0.0.1 tr10000: ERROR - DeepLink: (6/51) Oct 15 15:01:16.331 127.0.0.1 tr10000: ERROR - DeepLink: (7/51) Caused by: com.mendix.core.CoreRuntimeException: Exception occurred in action '{"xpath":"//DeepLink.PendingLink[DeepLink.PendingLink_DeepLink='147774362773094801' and User='test.sso-springest@hu.nl']","amount":-1,"depth":0,"offset":-1,"sort":{},"type":"RetrieveXPathAction"}', all database changes executed by this action were rolled back Oct 15 15:01:16.331 127.0.0.1 tr10000: ERROR - DeepLink: (8/51) at com.mendix.core.actionmanagement.CoreAction.processErrorState(CoreAction.java:304) Oct 15 15:01:16.331 127.0.0.1 tr10000: ERROR - DeepLink: (9/51) Oct 15 15:01:16.331 127.0.0.1 tr10000: ERROR - DeepLink: (10/51) Caused by: com.mendix.connectionbus.ConnectionBusRuntimeException: An exception has occurred for the following request(s): Oct 15 15:01:16.331 127.0.0.1 tr10000: ERROR - DeepLink: (11/51) XPathTextGetRequest (depth = 0): //DeepLink.PendingLink[DeepLink.PendingLink_DeepLink='147774362773094801' and User='test.sso-springest@hu.nl'] Oct 15 15:01:16.331 127.0.0.1 tr10000: ERROR - DeepLink: (12/51) at com.mendix.connectionbus.RequestAnalyzer.doRequest(RequestAnalyzer.java:59) Oct 15 15:01:16.331 127.0.0.1 tr10000: ERROR - DeepLink: (13/51) Oct 15 15:01:16.331 127.0.0.1 tr10000: ERROR - DeepLink: (14/51) Caused by: com.mendix.core.objectmanagement.SecurityRuntimeException: No access rights for subquery [SELECT x1DeepLink.PendingLink.ID FROM deeplink$pendinglink AS x1DeepLink.PendingLink WHERE (c1deeplink$pendinglink_deeplink.deeplink$deeplinkid = 147774362773094801 AND x1DeepLink.PendingLink.user = ?)] Oct 15 15:01:16.331 127.0.0.1 tr10000: ERROR - DeepLink: (15/51) at com.mendix.connectionbus.retrieve.query.mapping.WhereClauseMapper.handleSubQuery(WhereClauseMapper.java:1184)
asked
2 answers
0

normally the deeplink is

https://appname/link/something/key for sso you could create another deeplink like

https://appname/sso/login?f=true&cont=link/something/key This will trigger the SSO login and afterwards redirect the user to the deeplink

answered
0
No access rights for subquery [SELECT x1DeepLink.PendingLink.ID FROM deeplink$pendinglink AS x1DeepLink.PendingLink WHERE (c1deeplink$pendinglink_deeplink.deeplink$deeplinkid = 147774362773094801 AND x1DeepLink.PendingLink.user = ?)] Oct 15 15:01:16.331 127.0.0.1 tr10000: ERROR - DeepLink: (15/51)    at com.mendix.connectionbus.retrieve.query.mapping.WhereClauseMapper.handleSubQuery(WhereClauseMapper.java:1184)

You should adjust you access rules. Be cautious with that. You don't want to allow your anonymous user to be able to read all PendingLink objects.

answered