Re: Infinite Dashboard 404 Loop On Failed SAML Authentication

Actually, one other question occurred to me:  Was your testing environment bare metal or a cephadm containerized install?  It shouldn't matter, and I don't know that it does matter, but my environment is containerized.

-- 
Edward Huyer

-----Original Message-----
From: Edward R Huyer [mailto:erhvks@xxxxxxx] 
Sent: Tuesday, January 11, 2022 11:50 AM
To: Ernesto Puerta <epuertat@xxxxxxxxxx>
Cc: ceph-users@xxxxxxx
Subject:  Re: Infinite Dashboard 404 Loop On Failed SAML Authentication

Hmm, ok.  It might be specific to Shib.  I’ll investigate more.  Thank you for checking.

--
Edward Huyer
Interactive Games and Media Department
Golisano 70-2375
102 Lomb Memorial Drive
Rochester, NY 14623
585-475-6651
erhvks@xxxxxxx

Obligatory Legalese:  The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.

From: Ernesto Puerta [mailto:epuertat@xxxxxxxxxx]
Sent: Tuesday, January 11, 2022 11:25 AM
To: Edward R Huyer <erhvks@xxxxxxx>
Cc: ceph-users@xxxxxxx
Subject: Re:  Infinite Dashboard 404 Loop On Failed SAML Authentication

Hi Edward,

I tried to reproduce the issue (with Keycloak instead of Shibboleth) and I couldn't. After logging in with user credentials that only exist in the SSO service, I end up in the Dashboard's /auth/saml2 URL with the following error message:

{"is_authenticated": false, "errors": ["invalid_response"], "reason": "A valid SubjectConfirmation was not found on this Response"}

Perhaps this behaviour is specific to Shibboleth, or depends on the initial URL you used (since that's saved in the URL for the post-login redirection). At least with the root URL I couldn't hit it.

If you want to add more info about a reproducer, please report a new Dashboard issue here <https://tracker.ceph.com/projects/dashboard/issues/new>.

Thanks!

Kind Regards,
Ernesto


On Thu, Jan 6, 2022 at 5:18 PM Edward R Huyer <erhvks@xxxxxxx> wrote:
Ok, I think I've nearly got the dashboard working with SAML/Shibboleth authentication, except for one thing:  If a user authenticates via SAML, but a corresponding dashboard user hasn't been created, it triggers a loop where the browser gets redirected to a nonexistent dashboard unauthorized page, then to a nonexistent dashboard 404 page, then back to the Shibboleth authentication page (which succeeds instantly), then back to the unauthorized page, etc.

On a fast machine and network, this loops very quickly and thrashes the authentication server.  I haven't found a way to fix it.  It looks sort of like a bug to me?

Any suggestions?

-----
Edward Huyer
Golisano College of Computing and Information Sciences
Rochester Institute of Technology
Golisano 70-2373
152 Lomb Memorial Drive
Rochester, NY 14623
585-475-6651
erhvks@xxxxxxx

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx