Hi Edward,

I tried to reproduce the issue (with Keycloak instead of Shibboleth) and I couldn't. After logging in with user credentials that only exist in the SSO service, I end up in the Dashboard's /auth/saml2 URL with the following error message:

{"is_authenticated": false, "errors": ["invalid_response"], "reason": "A valid SubjectConfirmation was not found on this Response"}

Perhaps this behaviour is specific to Shibboleth, or depends on the initial URL you used (since that's saved in the URL for the post-login redirection). At least with the root URL I couldn't hit it.

If you want to add more info about a reproducer, please report a new Dashboard issue here <https://tracker.ceph.com/projects/dashboard/issues/new>. Thanks!

Kind Regards,
Ernesto

On Thu, Jan 6, 2022 at 5:18 PM Edward R Huyer <erhvks@xxxxxxx> wrote:

> Ok, I think I've nearly got the dashboard working with SAML/Shibboleth
> authentication, except for one thing: If a user authenticates via SAML,
> but a corresponding dashboard user hasn't been created, it triggers a loop
> where the browser gets redirected to a nonexistent dashboard unauthorized
> page, then to a nonexistent dashboard 404 page, then back to the Shibboleth
> authentication page (which succeeds instantly), then back to the
> unauthorized page, etc.
>
> On a fast machine and network, this loops very quickly and thrashes the
> authentication server. I haven't found a way to fix it. It looks sort of
> like a bug to me?
>
> Any suggestions?
>
> -----
> Edward Huyer
> Golisano College of Computing and Information Sciences
> Rochester Institute of Technology
> Golisano 70-2373
> 152 Lomb Memorial Drive
> Rochester, NY 14623
> 585-475-6651
> erhvks@xxxxxxx
_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx