Bug 1731411 - Invalid single sign-on credentials Error is thrown on the login page when user tries SSO from the loadbalancer VIP
Summary: Invalid single sign-on credentials Error is thrown on the login page when use...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.10.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.10.9
Assignee: Joe Vlcek
QA Contact: Antonin Pagac
Docs Contact: Red Hat CloudForms Documentation
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-07-19 11:05 UTC by Rahul Chincholkar
Modified: 2019-07-29 14:41 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-23 07:12:34 UTC
Category: Bug
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:


Description Rahul Chincholkar 2019-07-19 11:05:43 UTC
Description of problem
"Invalid single sign-on credentials" error is thrown on the login page when user tries SSO from the loadbalancer VIP

Version-Release number of selected component (if applicable):
5.10.5.1

How reproducible:
Every time at Cu environment

Steps to reproduce
1. visit the loadbalancer hostname (VIP), the CloudForms login page shows up
2. login using any user's username and password
3. authentication works fine and user can see the CloudForms dashboard. Log out from the CloudForms dashboard
4. Refresh the page using browser's refresh button



Actual results:
"Invalid single sign-on credentials" error is seen

Expected results:
User should be allowed to login automatically without having to enter username and password (SSO)

Additional Info:
Cu is using external auth (SSSD) with Windows Active Directory; they are using Kerberos tickets for SSO
SSO is working fine from CloudForms appliance direct URL, issue is only seen from the loadbalancer
Cu is using F5 loadbalancer

Comment 5 Joe Vlcek 2019-07-19 14:07:57 UTC
Rahul,


Two things:

#1 - Can the CU use 

This is the document that describes how to configure CloudForms for Kerberos SSO behind a VIP:
https://mojo.redhat.com/people/cwyatt/blog/2018/05/18/configuring-cloudforms-for-kerberos-sso-behind-a-vip

I see in the customer support case that they tried but abandoned these instructions when, for some
reason, they did not work. Please work with the customer to determine why these instructions did
not work for them, as this is the prescribed method for configuring CloudForms for Kerberos SSO behind a VIP.

They also need to make sure the firewall on their HAProxy servers is correctly configured.
Please work with the CU to ensure they have configured the firewall on the HAProxy servers following the instructions found here:

https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.7/html-single/high_availability_guide/index#configuring_HAProxy

Make sure the CU updates the IPs in the following 2 files:

      - /etc/keepalived/keepalived.conf
      - /etc/haproxy/haproxy.cfg

Once this is done make sure the CU restarts keepalived and haproxy as follows:

    systemctl stop httpd

    systemctl enable keepalived
    systemctl enable haproxy
    systemctl start keepalived
    systemctl start haproxy

    systemctl restart keepalived
    systemctl status keepalived

    systemctl restart haproxy
    systemctl status haproxy


Please have them verify the HAProxy configuration by following the instructions
in section "4.1. Verifying the HAProxy Configuration" of the instructions found
here:
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.7/html-single/high_availability_guide/index#configuring_HAProxy

Comment 6 Joe Vlcek 2019-07-19 15:52:52 UTC
Rahul,


Reading the associated support case I see the statement:

"And SSO is working for the direct server link, just failing when the session is redirected from the F5."

This is an indication that this is not a CloudForms bug and is very likely an issue with the load balancer configuration.
When everything is configured correctly, CloudForms should not be aware that the load balancer is there.

Please work with the CU to confirm their load balancer configuration.

Thank you, JoeV

