Description of problem
"Invalid single sign-on credentials" error is thrown on the login page when a user tries SSO from the loadbalancer VIP
Version-Release number of selected component (if applicable):
Every time at Cu environment
Steps to reproduce
1. Visit the loadbalancer hostname (VIP), the CloudForms login page shows up
2. Log in using any user's username and password
3. Authentication works fine and user can see the CloudForms dashboard. Log out from the CloudForms dashboard
4. Refresh the page using browser's refresh button
"Invalid single sign-on credentials" error is seen
User should be allowed to login automatically without having to enter username and password (SSO)
Cu is using external auth (SSSD) with Windows Active Directory, they are using Kerberos tickets for SSO
SSO is working fine from CloudForms appliance direct URL, issue is only seen from the loadbalancer
Cu is using F5 loadbalancer
#1 - Can the CU use
This is the document that describes how to configure CloudForms for Kerberos SSO behind a VIP
I see in the customer support case that they tried but abandoned these instructions when, for some
reason, they did not work. Please work with the customer to determine why these instructions did
not work for them as this is the prescribed method for Configuring CloudForms for Kerberos SSO behind a VIP.
They also need to make sure their firewall on the HAProxy servers is correctly configured.
Please work with the CU to ensure they have configured the Firewall on haproxy servers following the instructions found here:
Make sure the CU updates the IPs in the following 2 files:
Once this is done make sure the CU restarts keepalived and haproxy as follows:
systemctl stop httpd
systemctl enable keepalived
systemctl enable haproxy
systemctl start keepalived
systemctl start haproxy
systemctl restart keepalived
systemctl status keepalived
systemctl restart haproxy
systemctl status haproxy
Please have them verify the HAProxy configuration by following the instructions
in section "4.1. Verifying the HAProxy Configuration" of the instructions found
Reading the associated support case I see the statement:
"And SSO is working for the direct server link, just failing when the session is redirected from the F5."
This is an indication that this is not a CloudForms bug and is very likely an issue with the load balancer configuration.
When everything is configured correctly, CloudForms should not be aware that the load balancer is there.
Please work with the CU to confirm their load balancer configuration.
Thank you, JoeV