Broken redirect after Azure SSO integration #172
Comments
|
When does the 404 occur? On login attempt or on loading login page? We currently have an open issue #159 If the VECTR instance can't load the Metadata URL or other URLs necessary for SSO Auth completely breaks and fails to load. Sounds like it could be this issue. Can you check your container logs for errors and network connectivity? |
|
The 404 occurs whenever I attempt to reach https://<VECTR_DOMAIN> which autoredirects to https://<VECTR_DOMAIN>/sra-purpletools-webui/app/#/ Data in .env all comply with points raised in issues 159. However, reset the initial values for VECTR_DATA_KEY and APP_Name they were non-alphanumeric and something outside Vectr respectively. Will rebuilding then restarting the docker instances after modifying the env creds rule out any issue in the .env file? |
|
VECTR_DATA_KEY can't be changed after initial setup. Changing this will void the instances ability to read the database. The APP_Name issue is still outstanding and will hopefully be fixed in the next release. If you've got no data in the instance you care about the best method is to blow away your volumes, reset your .env to as many defaults as you can and reenroll your SSO application. If it still works we can eliminate the potential networking aspect. |
|
This is a fresh install so there are no holdbacks regarding the overhaul. |
|
Do you have other docker containers running on the host?
Should tear down the containers then you'll need to remove the volumes as they persist. If it's not attached a prune should suffice.
If you do have other workloads on the host I wouldn't recommend using a prune as you might remove data from other containers not currently running. You'd have to remove the VECTR ones manually. |
|
Prune - That fixed persistence issue for the containers. |
|
If everything is defaulted and you're still encountering an issue during enrollment it likely means there's a networking issue trying to communicate with the SSO provider. I'd check the container logs, resources here https://docs.docker.com/engine/reference/commandline/logs/ We've got a release due out in the new few weeks to make some improvements in this area and may provide an easier troubleshooting experience if you still experience issues. It doesn't appear to be a bug from the info we have, so our ability to provide SSO support for community users is limited. If you find anything of note in your container logs feel free to post it here. |
|
Running the docker logs --follow command for realtime outputs, this continue print even when JWT (JWS_KEY) is confirmed
|
|
@oakey1 it's a bit difficult to tell what's going on with the standard logging. In your Where you able to setup SSO after rebuilding the containers? At which point do you get the 404 now? Does it occur after you initiate SSO from the VECTR login page or does it happen after you've logged into your identity provider and when it redirects back to VECTR? |
|
@oakey1 the 8.3.0 release is out with several auth and SSO improvements. I'd give it a try with this new build. |
|
After updating to 8.3.0 and giving the Azure AD IDP option a shot, currently seeing a different error referencing how Host:login.mircrosoftonline.com is unreachable for claims mapping
|
|
There's either a typo in the URL field or there's a networking issue. Firewalls, limited egress, hard to say. It can't communicate with Azure. |
Yet to find a smoking gun but here's a sanitized full stacktrace incase something jumps out: 2022-03-23 12:28:56,840 DEBUG [org.apache.commons.beanutils.converters.StringConverter] - Converting 'com.sra.auth.model.enums.AuthnProtocol' value 'AZURE_AD_OIDC' to type 'String' Also getting failure audit logs at inconsistent time intervals in Azure AD with error code 90094. |
|
Near the bottom looks pretty smoking gun to me.
It's DNS, it can't resolve login.microsoftonline.com |
|
@oakey1 Could be a DNS issue as @SRAPSpencer mentioned. Are you using a proxy to connect to the outside? If yes, you'll need to configure the JVM proxy. See #163 Separate note, the stack trace appears that you are having issues adding the SSO provider in VECTR, however, you also mention that you are trying to log into VECTR via SSO. Are you trying to access VECTR from Azure AD (i.e. IdP initiated flow)? If yes, two issues with that:
|
|
Following up on this since the issue persists. A few tests we ran didn't point to any issue around DNS: curl -k -L https://login.microsoftonline.com/ on the host resolves the We are not using any proxies on this box. The stack trace provided is the event generated while attempting to integrate SSO with Vectr using Azure AD. Azure portal is setup but but clearly the Vectr instances cannot reach the AAD portal as no Sign-in failures under usage and insights are getting logged. How can we have these connections spot-checked? |
|
@oakey1 I'm not sure we have anything else to recommend. If you'd like we can jump on a quick call to go over the situation to ensure everything on the VECTR end is working correctly. Email us at vectrops@securityriskadvisors.com so we can set something up. |
|
Issue was underlying networking issue with RHEL + Docker. Not specific to VECTR. Similar issues. |
Appears to be a unique issue since i'm not seeing any similar issues raised.
After registering vectr in AAD and completing the SSO claims mapping, sign in attempts now redirect to
https://<VECTR_DOMAIN>/sra-purpletools-webui/app/#/ with a vectr logo in the middle but "Failed with status code 404" right under.
Similar image as issue #171 except that it worked prior to setting up SSO.
This is a RHEL
The text was updated successfully, but these errors were encountered: