Description of problem:
"Invalid single sign-on credentials" error is thrown on the login page when user tries SSO from the loadbalancer VIP

Version-Release number of selected component (if applicable):
5.10.5.1

How reproducible:
Every time at Cu environment

Steps to reproduce:
1. Visit the loadbalancer hostname (VIP), the CloudForms login page shows up
2. Log in using any user's username and password
3. Authentication works fine and user can see the CloudForms dashboard. Log out from the CloudForms dashboard
4. Refresh the page using browser's refresh button

Actual results:
"Invalid single sign-on credentials" error is seen

Expected results:
User should be allowed to log in automatically without having to enter username and password (SSO)

Additional Info:
Cu is using external auth (SSSD) with Windows Active Directory, they are using Kerberos tickets for SSO
SSO is working fine from CloudForms appliance direct URL, issue is only seen from the loadbalancer
Cu is using F5 loadbalancer

Rahul,

Two things:

#1 - Can the CU use

This is the document that describes how to Configuring CloudForms for Kerberos SSO behind a VIP
https://mojo.redhat.com/people/cwyatt/blog/2018/05/18/configuring-cloudforms-for-kerberos-sso-behind-a-vip

I see in the customer support case that they tried but abandoned these instructions when, for some reason, they did not work. Please work with the customer to determine why these instructions did not work for them as this is the prescribed method for Configuring CloudForms for Kerberos SSO behind a VIP.

They also need to make sure their firewall on the HAProxy servers is correctly configured. Please work with the CU to ensure they have configured the firewall on the HAProxy servers following the instructions found here:
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.7/html-single/high_availability_guide/index#configuring_HAProxy

Make sure the CU updates the IPs in the following 2 files:
- /etc/keepalived/keepalived.conf
- /etc/haproxy/haproxy.cfg

Once this is done make sure the CU restarts keepalived and haproxy as follows:

systemctl stop httpd
systemctl enable keepalived
systemctl enable haproxy
systemctl start keepalived
systemctl start haproxy
systemctl restart keepalived
systemctl status keepalived
systemctl restart haproxy
systemctl status haproxy

Please have them verify the HAProxy configuration by following the instructions in section "4.1. Verifying the HAProxy Configuration" of the instructions found here:
https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.7/html-single/high_availability_guide/index#configuring_HAProxy

Rahul,

Reading the associated support case I see the statement:

"And SSO is working for the direct server link, just failing when the session is redirected from the F5."

This is an indication that this is not a CloudForms bug and is very likely an issue with the load balancer configuration. When everything is configured correctly, CloudForms should not be aware that the load balancer is there.

Please work with the CU to confirm their load balancer configuration.

Thank you,
JoeV