...

Currently, the user account status in the local user directory is checked only during the initial authentication, before the mapping is stored in the Federation Table. If the user decides to accept storing the mapping, account status is not checked for subsequent federations. This means that any user who has been disabled in the local directory after authenticating for User Driven Federation can still log in successfully when federating with their remote account. This can be prevented by configuring the application's Authorization Policy so that the user is authorized only if the account is enabled. The procedure is described on the UDF documentation page.

8.2.19 and 8.2.24

...

: Access blocked to SSO

...

, HTTP

...

403 error in cross-domain authentication requests

A configuration error in SSO causes the authentication server to block all requests that contain an Origin header whose second-level domain name differs from SSO's. This issue affects at least certain Chrome and Safari browser versions in a cross-domain authentication scenario. The workaround is to comment out the <filter-mapping> whose <filter-name> is org.apache.catalina.filters.CorsFilter#disabled in the file ubilogin-sso/ubilogin/webapps/uas/WEB-INF/web.xml.
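One way to confirm the workaround took effect, as an added example that is not part of the original release notes: the script parses a web.xml and reports any <filter-mapping> still active for the filter name quoted above. The two sample documents, their namespace and the `/*` URL pattern are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

# Filter name quoted in the known-issue text above.
FILTER_NAME = "org.apache.catalina.filters.CorsFilter#disabled"

def local(tag):
    """Strip a namespace prefix such as {http://...}filter-mapping."""
    return tag.rsplit("}", 1)[-1]

def active_mappings(web_xml, filter_name=FILTER_NAME):
    """Return the targets of every live <filter-mapping> for filter_name.

    ElementTree's default parser discards XML comments, so a mapping
    that has been commented out is not reported.
    """
    root = ET.fromstring(web_xml)  # accepts str or bytes
    found = []
    for elem in root.iter():
        if local(elem.tag) != "filter-mapping":
            continue
        fields = {}
        for child in elem:
            fields.setdefault(local(child.tag), []).append((child.text or "").strip())
        if filter_name in fields.get("filter-name", []):
            found.append(fields.get("url-pattern", []) + fields.get("servlet-name", []))
    return found

# Constructed samples: the mapping before and after the workaround.
BEFORE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter-mapping>
    <filter-name>org.apache.catalina.filters.CorsFilter#disabled</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""
AFTER = BEFORE.replace("<filter-mapping>", "<!-- <filter-mapping>").replace(
    "</filter-mapping>", "</filter-mapping> -->")

if __name__ == "__main__":
    # Usage: python check_cors_mapping.py <path to web.xml>
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            live = active_mappings(fh.read())
    else:
        live = active_mappings(BEFORE)
    print("still active:" if live else "no active mapping", live)
    sys.exit(1 if live else 0)
```

Run it against the web.xml named in the workaround after editing; a non-zero exit status means the mapping is still in effect.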

...