concourse / concourse

Concourse is a container-based continuous thing-doer written in Go.

Home Page: https://concourse-ci.org

SAML authentication not appearing on 7.11.0

jhohiii opened this issue · comments

Summary

Configured SAML authentication on 7.11.0 using the BOSH release. The option to perform SAML authentication does not appear on the login page. No errors in the log. Environment variables are present.

Steps to reproduce

Configure web.properties.saml_auth in deployment manifest.

        saml_auth:
          display_name: Okta
          sso_url: https://<redacted>
          sso_issuer: http://<redacted>
          ca_cert: |
            -----BEGIN CERTIFICATE-----
            <redacted>
            -----END CERTIFICATE-----
          username_attr: uid
          email_attr: emailAddress
          groups_attr: authorities

Deploy:

Using environment '10.51.17.15' as client 'admin'

Using deployment 'c4platform'

Release 'bpm/1.1.21' already exists.

Release 'postgres/44' already exists.

Release 'concourse/7.11.0' already exists.

  instance_groups:
  - name: web
    jobs:
    - name: web
      properties:
+       saml_auth:
+         ca_cert: "<redacted>"
+         display_name: "<redacted>"
+         email_attr: "<redacted>"
+         groups_attr: "<redacted>"
+         sso_issuer: "<redacted>"
+         sso_url: "<redacted>"
+         username_attr: "<redacted>"

Continue? [yN]: y

Task 1569134

Task 1569134 | 20:54:10 | Preparing deployment: Preparing deployment (00:00:01)
Task 1569134 | 20:54:11 | Preparing deployment: Rendering templates (00:00:01)
Task 1569134 | 20:54:12 | Preparing package compilation: Finding packages to compile (00:00:00)
Task 1569134 | 20:54:13 | Updating instance web: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:15 | L executing pre-stop: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:15 | L executing drain: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:16 | L stopping jobs: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:18 | L executing post-stop: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:26 | L installing packages: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:27 | L configuring jobs: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:27 | L executing pre-start: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:28 | L starting jobs: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:29 | L executing post-start: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary) (00:00:16)
Task 1569134 | 20:54:29 | Updating instance web: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:30 | L executing pre-stop: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:30 | L executing drain: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:31 | L stopping jobs: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:33 | L executing post-stop: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:41 | L installing packages: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:42 | L configuring jobs: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:42 | L executing pre-start: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:43 | L starting jobs: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:45 | L executing post-start: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1) (00:00:17)

Task 1569134 Started  Wed Jan 10 20:54:10 UTC 2024
Task 1569134 Finished Wed Jan 10 20:54:46 UTC 2024
Task 1569134 Duration 00:00:36
Task 1569134 done

Succeeded

Verify CONCOURSE_SAML* environment variables are present on the web PID

web/23e39028-95d7-4bd8-b524-a6b471f912b5:~# ps -ef | grep web | grep -Ev 'grep|tini' | awk '{print $2}' | while read mypid ; do strings /proc/$mypid/environ | grep CONCOURSE_SAML ; done
CONCOURSE_SAML_DISPLAY_NAME=Okta
CONCOURSE_SAML_SSO_ISSUER=<redacted>
CONCOURSE_SAML_GROUPS_ATTR=authorities
CONCOURSE_SAML_SSO_URL=<redacted>
CONCOURSE_SAML_EMAIL_ATTR=emailAddress
CONCOURSE_SAML_USERNAME_ATTR=uid

Attempt to log in using the Okta option in the login screen

Expected results

The presence of an 'Okta' button in the login screen that redirects to Okta and performs SAML handshake/authentication

Actual results

No 'Okta' option on the login screen.

curl https://concourse-platform-1.gaig.com/sky/issuer/auth

<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <title>Concourse</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <script type="text/javascript">
      if (String(performance.getEntriesByType("navigation")[0].type) === "back_forward") {
        location.reload()
      }
    </script>
    <link href="static/main.css" rel="stylesheet">
    <link href="theme/styles.css" rel="stylesheet">
    <link rel="icon" href="theme/favicon.png">
  </head>

  <body class="theme-body">
    <div class="theme-navbar">
      <a class="theme-navbar__logo-wrap" href="/">
        <img class="theme-navbar__logo" src="theme/logo.svg">
      </a>
    </div>

    <div class="dex-container">


<div class="theme-panel">
  <h2 class="theme-heading">login to Concourse </h2>
  <div>

      <div class="theme-form-row">
        <a href="/sky/issuer/auth/cloudfoundry" target="_self">
          <button class="dex-btn theme-btn-provider">
            <span class="dex-btn-icon dex-btn-icon--cloudfoundry"></span>
            <span class="dex-btn-text">CloudFoundry</span>
          </button>
        </a>
      </div>

      <div class="theme-form-row">
        <a href="/sky/issuer/auth/local" target="_self">
          <button class="dex-btn theme-btn-provider">
            <span class="dex-btn-icon dex-btn-icon--local"></span>
            <span class="dex-btn-text">Username/Password</span>
          </button>
        </a>
      </div>

  </div>
</div>

    </div>
  </body>
</html>

Additional context

Triaging info

  • Concourse version: 7.11.0
  • Browser (if applicable): Multiple - Chrome (current), Firefox
  • Did this used to work? Never tried - but others seem to have used Okta/SAML before based on the history

I have also reproduced this behavior on a BOSH deployment of 7.8.2 - same configuration.

Hi, what is the web node log output about auth config in the beginning? Also, is your deployment configured with both SAML and cloudfoundry provider?

@xtremerui Yes, the deployment has both CF and SAML configured.

I can't find any log lines in web.stdout.log referencing 'auth' during a 'monit stop web' followed by a 'monit start web'. Do I need to turn on additional logging or look somewhere else?

As a test, I removed the cf_auth section of our deployment yaml, redeployed. Still no SAML and no errors. I will enable debug logging and post back.

Enabled debug. Redeployed. Checked web.stdout.log and web.stderr.log and found nothing related to 'auth' or 'saml'. It's like web is just ignoring the directives for saml_auth.

The web.stdout.log had debug logs during this period, so I know that the debug logging directive was working.

@xtremerui
I cannot find any indication that the bosh configuration for saml_auth.ca_cert is getting into the configuration.

web/bf7bb21e-4bab-4d30-9397-7faf6aa166af:/var/vcap/sys/log/web# find /var/vcap/jobs/web/config
/var/vcap/jobs/web/config
/var/vcap/jobs/web/config/bpm.yml
/var/vcap/jobs/web/config/env
/var/vcap/jobs/web/config/env/CONCOURSE_SESSION_SIGNING_KEY
/var/vcap/jobs/web/config/env/CONCOURSE_TSA_AUTHORIZED_KEYS
/var/vcap/jobs/web/config/env/CONCOURSE_CREDHUB_CA_CERT
/var/vcap/jobs/web/config/env/CONCOURSE_TSA_HOST_KEY
web/bf7bb21e-4bab-4d30-9397-7faf6aa166af:/var/vcap/sys/log/web# grep -i saml /var/vcap/jobs/web/config/bpm.yml
    CONCOURSE_SAML_DISPLAY_NAME: "Okta"
    CONCOURSE_SAML_EMAIL_ATTR: "emailAddress"
    CONCOURSE_SAML_GROUPS_ATTR: "authorities"
    CONCOURSE_SAML_SSO_ISSUER: "<redacted>"
    CONCOURSE_SAML_SSO_URL: "<redacted>"
    CONCOURSE_SAML_USERNAME_ATTR: "uid"

For the certificate, based on https://github.com/concourse/concourse-bosh-release/blob/1dd7324ddeda3e028666ddb071db66fdca1f06de/jobs/web/templates/bpm.yml.erb#L1094 , you will need to do

saml_auth:
  ca_cert:
    certificate:

Since both the SAML SSO URL and ca_cert are required, if one of them is missing, Concourse will consider this auth provider not configured and ignore it.
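An added check, not part of this thread and not Concourse's own code: a POSIX shell script that applies the rule stated in the comment above (both the SSO URL and the CA cert must be present, otherwise the provider is ignored) to a web process environment in `/proc/<pid>/environ` form, the same place the reporter looked with `strings`. The required-variable list is taken from that comment, the sample environment files are constructed to mirror what the reporter saw (no `CONCOURSE_SAML_CA_CERT`), and the `check_pids` helper and its assumption that it runs as root on the web VM are mine.

```shell
#!/bin/sh
# Added example, not from the issue or the Concourse project.
# Reports which of the variables the SAML connector requires are missing from
# a process environment. Per the maintainer's comment, Concourse silently
# ignores the SAML provider when the SSO URL or the CA cert is absent, which
# is exactly why no "Okta" button appears and no error is logged.

# Variables that must both be present (from the comment above).
REQUIRED_SAML_VARS="CONCOURSE_SAML_SSO_URL CONCOURSE_SAML_CA_CERT"

# saml_env_status FILE
#   FILE holds a NUL-separated environment, i.e. /proc/<pid>/environ format.
#   Prints one line per missing required variable; returns 1 if any is missing.
saml_env_status() {
    env_file="$1"
    missing=0
    # Turn NUL separators into newlines so the usual line tools work,
    # then keep only the names of the CONCOURSE_SAML_* variables.
    vars="$(tr '\0' '\n' < "$env_file" | grep '^CONCOURSE_SAML_' | cut -d= -f1)"
    for req in $REQUIRED_SAML_VARS; do
        if ! printf '%s\n' "$vars" | grep -qx "$req"; then
            echo "missing: $req (SAML provider will be ignored by Concourse)"
            missing=1
        fi
    done
    return $missing
}

# check_pids PID...
#   Runs the check over each given process (assumed: run as root on the web
#   VM, e.g. check_pids $(pgrep -f 'concourse web')). Returns 1 if any fails.
check_pids() {
    rc=0
    for pid in "$@"; do
        echo "== pid $pid"
        saml_env_status "/proc/$pid/environ" || rc=1
    done
    return $rc
}

# make_sample_environ FILE
#   Constructed sample: the environment the reporter observed. ca_cert was
#   given as a plain string, so the template emitted no CONCOURSE_SAML_CA_CERT.
make_sample_environ() {
    printf 'CONCOURSE_SAML_DISPLAY_NAME=Okta\0CONCOURSE_SAML_SSO_ISSUER=http://idp.example\0CONCOURSE_SAML_SSO_URL=https://idp.example/sso\0CONCOURSE_SAML_USERNAME_ATTR=uid\0PATH=/usr/bin\0' > "$1"
}

# make_fixed_environ FILE
#   Constructed sample: what the environment looks like once ca_cert is given
#   in the saml_auth.ca_cert.certificate form the spec expects (the path value
#   is a placeholder, not one taken from a real deployment).
make_fixed_environ() {
    printf 'CONCOURSE_SAML_DISPLAY_NAME=Okta\0CONCOURSE_SAML_SSO_URL=https://idp.example/sso\0CONCOURSE_SAML_CA_CERT=/var/vcap/jobs/web/config/env/CONCOURSE_SAML_CA_CERT\0' > "$1"
}
```

On a live web VM, `check_pids` over the web process ids replaces the `ps | strings | grep` loop from the issue and turns "the button is missing" into a named, missing variable; run it after every redeploy that touches `saml_auth`, since the template drops the variable rather than failing when the key has the wrong shape.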

I will add that and test.

That worked! I need to pay attention to the spec.
Thank you for the assist!