SAML authentication not appearing on 7.11.0
jhohiii opened this issue
Summary
Configured SAML authentication on 7.11.0 using the BOSH release. The option to perform SAML authentication does not appear on the login page. No errors in the log. Environment variables are present.
Steps to reproduce
Configure web.properties.saml_auth in deployment manifest.
```yaml
saml_auth:
  display_name: Okta
  sso_url: https://<redacted>
  sso_issuer: http://<redacted>
  ca_cert: |
    -----BEGIN CERTIFICATE-----
    <redacted>
    -----END CERTIFICATE-----
  username_attr: uid
  email_attr: emailAddress
  groups_attr: authorities
```
Deploy (manifest diff shown by `bosh deploy`):
```
Using environment '10.51.17.15' as client 'admin'
Using deployment 'c4platform'

Release 'bpm/1.1.21' already exists.
Release 'postgres/44' already exists.
Release 'concourse/7.11.0' already exists.

  instance_groups:
  - name: web
    jobs:
    - name: web
      properties:
+       saml_auth:
+         ca_cert: "<redacted>"
+         display_name: "<redacted>"
+         email_attr: "<redacted>"
+         groups_attr: "<redacted>"
+         sso_issuer: "<redacted>"
+         sso_url: "<redacted>"
+         username_attr: "<redacted>"
```
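Review bot: the added `ca_cert: "<redacted>"` is a scalar placed directly under `saml_auth`, but the web job's spec (the bpm.yml.erb reference given later in this thread) declares `saml_auth.ca_cert` as a block with a `certificate` key, so a scalar there is never rendered; and because the template requires both `sso_url` and `ca_cert.certificate`, the whole provider is silently skipped, which is consistent with the later `grep -i saml bpm.yml` output containing no certificate entry. Nest the PEM one level deeper: `saml_auth:` / `  ca_cert:` / `    certificate: |` followed by the certificate lines.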
```
Continue? [yN]: y

Task 1569134

Task 1569134 | 20:54:10 | Preparing deployment: Preparing deployment (00:00:01)
Task 1569134 | 20:54:11 | Preparing deployment: Rendering templates (00:00:01)
Task 1569134 | 20:54:12 | Preparing package compilation: Finding packages to compile (00:00:00)
Task 1569134 | 20:54:13 | Updating instance web: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:15 | L executing pre-stop: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:15 | L executing drain: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:16 | L stopping jobs: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:18 | L executing post-stop: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:26 | L installing packages: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:27 | L configuring jobs: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:27 | L executing pre-start: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:28 | L starting jobs: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary)
Task 1569134 | 20:54:29 | L executing post-start: web/bf7bb21e-4bab-4d30-9397-7faf6aa166af (0) (canary) (00:00:16)
Task 1569134 | 20:54:29 | Updating instance web: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:30 | L executing pre-stop: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:30 | L executing drain: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:31 | L stopping jobs: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:33 | L executing post-stop: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:41 | L installing packages: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:42 | L configuring jobs: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:42 | L executing pre-start: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:43 | L starting jobs: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1)
Task 1569134 | 20:54:45 | L executing post-start: web/23e39028-95d7-4bd8-b524-a6b471f912b5 (1) (00:00:17)

Task 1569134 Started Wed Jan 10 20:54:10 UTC 2024
Task 1569134 Finished Wed Jan 10 20:54:46 UTC 2024
Task 1569134 Duration 00:00:36
Task 1569134 done

Succeeded
```
Verify CONCOURSE_SAML* environment variables are present on the web PID
```
web/23e39028-95d7-4bd8-b524-a6b471f912b5:~# ps -ef | grep web | grep -Ev 'grep|tini' | awk '{print $2}' | while read mypid ; do strings /proc/$mypid/environ | grep CONCOURSE_SAML ; done
CONCOURSE_SAML_DISPLAY_NAME=Okta
CONCOURSE_SAML_SSO_ISSUER=<redacted>
CONCOURSE_SAML_GROUPS_ATTR=authorities
CONCOURSE_SAML_SSO_URL=<redacted>
CONCOURSE_SAML_EMAIL_ATTR=emailAddress
CONCOURSE_SAML_USERNAME_ATTR=uid
```
Attempt to login using the Okta option in the login screen
Expected results
The presence of an 'Okta' button in the login screen that redirects to Okta and performs SAML handshake/authentication
Actual results
No 'Okta' option on the login screen.
```
curl https://concourse-platform-1.gaig.com/sky/issuer/auth
```
```html
<!DOCTYPE html>
<html>
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <title>Concourse</title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <script type="text/javascript">
      if (String(performance.getEntriesByType("navigation")[0].type) === "back_forward") {
        location.reload()
      }
    </script>
    <link href="static/main.css" rel="stylesheet">
    <link href="theme/styles.css" rel="stylesheet">
    <link rel="icon" href="theme/favicon.png">
  </head>
  <body class="theme-body">
    <div class="theme-navbar">
      <a class="theme-navbar__logo-wrap" href="/">
        <img class="theme-navbar__logo" src="theme/logo.svg">
      </a>
    </div>
    <div class="dex-container">
      <div class="theme-panel">
        <h2 class="theme-heading">login to Concourse </h2>
        <div>
          <div class="theme-form-row">
            <a href="/sky/issuer/auth/cloudfoundry" target="_self">
              <button class="dex-btn theme-btn-provider">
                <span class="dex-btn-icon dex-btn-icon--cloudfoundry"></span>
                <span class="dex-btn-text">CloudFoundry</span>
              </button>
            </a>
          </div>
          <div class="theme-form-row">
            <a href="/sky/issuer/auth/local" target="_self">
              <button class="dex-btn theme-btn-provider">
                <span class="dex-btn-icon dex-btn-icon--local"></span>
                <span class="dex-btn-text">Username/Password</span>
              </button>
            </a>
          </div>
        </div>
      </div>
    </div>
  </body>
</html>
```
Additional context
Triaging info
- Concourse version: 7.11.0
- Browser (if applicable): Multiple - Chrome (current), Firefox
- Did this used to work? Never tried - but others seem to have used Okta/SAML before based on the history
I have also reproduced this behavior on a BOSH deployment of 7.8.2 - same configuration.
Hi, what is the web node log output about auth config in the beginning? Also, is your deployment configured with both SAML and cloudfoundry provider?
@xtremerui Yes, the deployment has both CF and SAML configured.
I can't find any log lines in web.stdout.log referencing 'auth' during a 'monit stop web' followed by a 'monit start web'. Do I need to turn on additional logging or look somewhere else?
Yes, the log level needs to be debug: https://github.com/concourse/concourse-bosh-release/blob/master/jobs/web/spec#L147
As a test, I removed the cf_auth section of our deployment yaml and redeployed. Still no SAML and no errors. I will enable debug logging and post back.
Enabled debug. Redeployed. Checked web.stdout.log and web.stderr.log and found nothing related to 'auth' or 'saml'. It's like web is just ignoring the directives for saml_auth.
The web.stdout.log had debug logs during this period, so I know that the debug logging directive was working.
@xtremerui I cannot find any indication that the bosh configuration for saml_auth.ca_cert is getting into the configuration.
```
web/bf7bb21e-4bab-4d30-9397-7faf6aa166af:/var/vcap/sys/log/web# find /var/vcap/jobs/web/config
/var/vcap/jobs/web/config
/var/vcap/jobs/web/config/bpm.yml
/var/vcap/jobs/web/config/env
/var/vcap/jobs/web/config/env/CONCOURSE_SESSION_SIGNING_KEY
/var/vcap/jobs/web/config/env/CONCOURSE_TSA_AUTHORIZED_KEYS
/var/vcap/jobs/web/config/env/CONCOURSE_CREDHUB_CA_CERT
/var/vcap/jobs/web/config/env/CONCOURSE_TSA_HOST_KEY
web/bf7bb21e-4bab-4d30-9397-7faf6aa166af:/var/vcap/sys/log/web# grep -i saml /var/vcap/jobs/web/config/bpm.yml
      CONCOURSE_SAML_DISPLAY_NAME: "Okta"
      CONCOURSE_SAML_EMAIL_ATTR: "emailAddress"
      CONCOURSE_SAML_GROUPS_ATTR: "authorities"
      CONCOURSE_SAML_SSO_ISSUER: "<redacted>"
      CONCOURSE_SAML_SSO_URL: "<redacted>"
      CONCOURSE_SAML_USERNAME_ATTR: "uid"
```
For the certificate, based on https://github.com/concourse/concourse-bosh-release/blob/1dd7324ddeda3e028666ddb071db66fdca1f06de/jobs/web/templates/bpm.yml.erb#L1094, you will need to do:
```yaml
saml_auth:
  ca_cert:
    certificate:
```
Since both the SAML URL and ca_cert are required, if one of them is missing, Concourse will consider this auth provider not configured and ignore it.
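The silent-ignore rule described in that answer is easy to check before a `bosh deploy`. The following Ruby script is an added example, not code from the Concourse project or the concourse-bosh-release: it loads a manifest, finds the web job's `saml_auth` block, and reports whether the provider would be rendered or dropped. It assumes only what the thread states (both `sso_url` and `ca_cert.certificate` must be present; a scalar `ca_cert` is the reporter's mistake); the real ERB template may apply further conditions. Both manifests inside it are constructed for the example, and the certificate text is a placeholder, not a real PEM.

```ruby
require 'yaml'

# Constructed manifest fragments (not from the issue). BROKEN mirrors the shape the
# reporter used: the PEM given as a plain string directly under saml_auth.
BROKEN_MANIFEST = <<~YAML
  instance_groups:
  - name: web
    jobs:
    - name: web
      properties:
        saml_auth:
          display_name: Okta
          sso_url: https://idp.example.invalid/sso
          sso_issuer: http://idp.example.invalid
          ca_cert: |
            -----BEGIN CERTIFICATE-----
            PLACEHOLDER-NOT-A-REAL-CERT
            -----END CERTIFICATE-----
          username_attr: uid
YAML

# FIXED nests the PEM under ca_cert.certificate, the shape the web job spec expects.
FIXED_MANIFEST = <<~YAML
  instance_groups:
  - name: web
    jobs:
    - name: web
      properties:
        saml_auth:
          display_name: Okta
          sso_url: https://idp.example.invalid/sso
          sso_issuer: http://idp.example.invalid
          ca_cert:
            certificate: |
              -----BEGIN CERTIFICATE-----
              PLACEHOLDER-NOT-A-REAL-CERT
              -----END CERTIFICATE-----
          username_attr: uid
YAML

# Locate the saml_auth properties of the first job named "web"; nil if absent.
def saml_auth_props(manifest_yaml)
  manifest = YAML.safe_load(manifest_yaml)
  (manifest['instance_groups'] || []).each do |group|
    (group['jobs'] || []).each do |job|
      return job.dig('properties', 'saml_auth') if job['name'] == 'web'
    end
  end
  nil
end

# Apply the rule stated in the thread (an assumption about the template's full
# logic): sso_url and ca_cert.certificate must both be present, otherwise the
# job treats the provider as unconfigured and drops it without any log line.
# Returns a list of human-readable problems; an empty list means it renders.
def saml_auth_problems(manifest_yaml)
  props = saml_auth_props(manifest_yaml)
  return ['no saml_auth block on the web job'] if props.nil?

  problems = []
  problems << 'saml_auth.sso_url is missing' if props['sso_url'].to_s.strip.empty?

  cert = props['ca_cert']
  if cert.is_a?(String)
    problems << 'saml_auth.ca_cert is a scalar; the spec expects saml_auth.ca_cert.certificate'
  elsif !cert.is_a?(Hash) || cert['certificate'].to_s.strip.empty?
    problems << 'saml_auth.ca_cert.certificate is missing'
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  { 'broken' => BROKEN_MANIFEST, 'fixed' => FIXED_MANIFEST }.each do |label, yaml|
    problems = saml_auth_problems(yaml)
    verdict = problems.empty? ? 'SAML provider will be rendered' : 'SAML provider will be silently ignored'
    puts "#{label}: #{verdict}"
    problems.each { |p| puts "  - #{p}" }
  end
end
```

Run it against a real manifest by replacing the constructed constants with `File.read` of the deployment YAML; a non-empty problem list is the signal that the login page will come back without the provider button, which is otherwise only visible after a full deploy.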
I will add that and test.
That worked! I need to pay attention to the spec.
Thank you for the assist!