SAML login fails in Internet Explorer 11

As a side effect of https://github.com/spring-projects/spring-security/commit/00302c80adb0a67d0a3d218022b8b647053d4137 not only the way the form is submitted changed (from body onload attribute to a script tag) but also the JavaScript language requirements changed due to the (unnecessary) usage of the array function syntax. This statement could still be written in a way that all currently used browsers can execute it successfully.
As a mostly backend library, Spring Security imho should not have too high browser requirements (and there are still a lot of Enterprise web apps out there that require IE 11 - that's why Microsoft will support it as a mode in Edge until 2028 or so!).
To Reproduce
* Set up a system with SAML
* Log in with IE 11 (typically you will need MS Edge and configure the URL to be used in Internet Explorer compatibility mode)
* Login process will be stuck at attempting to submit form data to identity provider

Expected behavior
No JavaScript error should occur but the form should be submitted correctly to the

Sample
Setting up a test system with SAML should not be a problem for your team. ;)
Thanks a lot for checking this issue and helping us. Stefan
Comment From: marcusdacoregio
Hello @stefanraubal, thanks for the report.
I agree that it should not fail with IE 11 since it will be supported by Edge compatibility mode until 2029. However, I changed the tests (https://github.com/marcusdacoregio/spring-security-samples/commit/f27ac24b73adaf24a216e256303a2b2b62f306f0) to use Internet Explorer 11 and they still pass. Can you check that sample and see if I'm missing something?
Comment From: stefanraubal
Hello Marcus,
Sorry for the late response. I don’t know what internal JavaScript engine your test environment uses, but if you just try it out in MS Edge with “Reload in Internet Explorer mode” you will see that the forwarding process fails.
Kind regards, Stefan
From: Marcus Hert Da Coregio
Sent: Thursday, 27 April 2023 15:52
To: spring-projects/spring-security
Cc: Stefan Raubal; Mention
Subject: Re: [spring-projects/spring-security] SAML login fails in Internet Explorer 11 (Issue #13106)
Comment From: marcusdacoregio
Hi @stefanraubal, I was able to reproduce the behavior consistently manually. I've scheduled the fix for 5.8.4 and 6.0.4.
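The failure discussed in this thread, as an added example that is not part of the issue and is not Spring Security's code: a SAML POST-binding auto-submit page whose inline script uses only ES5 syntax, plus a heuristic regression check that flags ES2015+ constructs in inline scripts. The function names and sample values are hypothetical.

```javascript
// Added example; all function names are hypothetical, not Spring Security APIs.

// Escape values placed in HTML attributes so form fields cannot break out of the markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Build the auto-submitting POST form. The inline script is a plain function
// expression (no arrow function), so an ES5-only engine such as IE 11 can parse it.
function renderPostBindingPage(destination, samlRequest, relayState) {
  var fields = '<input type="hidden" name="SAMLRequest" value="' + escapeHtml(samlRequest) + '"/>';
  if (relayState) {
    fields += '<input type="hidden" name="RelayState" value="' + escapeHtml(relayState) + '"/>';
  }
  return '<!DOCTYPE html><html><body>' +
    '<form action="' + escapeHtml(destination) + '" method="post">' + fields +
    // Fallback so the login still completes when scripting is disabled.
    '<noscript><input type="submit" value="Continue"/></noscript></form>' +
    '<script>window.onload = function() { document.forms[0].submit(); };</script>' +
    '</body></html>';
}

// Heuristic check (not a parser): list ES2015+ constructs found in inline scripts.
function findModernSyntax(html) {
  var checks = [
    ["arrow function", /=>/],
    ["let/const", /\b(?:let|const)\s/],
    ["template literal", /`/]
  ];
  var found = [];
  var scriptRe = /<script[^>]*>([\s\S]*?)<\/script>/gi;
  var match;
  while ((match = scriptRe.exec(html)) !== null) {
    checks.forEach(function (c) {
      if (c[1].test(match[1]) && found.indexOf(c[0]) === -1) { found.push(c[0]); }
    });
  }
  return found;
}
```

Running `findModernSyntax` over the generated page in a unit test catches this class of regression without needing a real IE 11 engine, although only a manual check in Edge's Internet Explorer mode confirms the actual behavior.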