Hi Edward,

I used a containerized environment that most of the Ceph Dashboard team uses for daily development with a ready-to-use SSO deployment <https://github.com/rhcs-dashboard/ceph-dev#single-sign-on-sso>.

Kind Regards,
Ernesto

On Tue, Jan 11, 2022 at 6:56 PM Edward R Huyer <erhvks@xxxxxxx> wrote:

> Actually, one other question occurred to me: Was your testing environment
> bare metal or a cephadm containerized install? It shouldn't matter, and I
> don't know that it does matter, but my environment is containerized.
>
> --
> Edward Huyer
>
> -----Original Message-----
> From: Edward R Huyer [mailto:erhvks@xxxxxxx]
> Sent: Tuesday, January 11, 2022 11:50 AM
> To: Ernesto Puerta <epuertat@xxxxxxxxxx>
> Cc: ceph-users@xxxxxxx
> Subject: Re: Infinite Dashboard 404 Loop On Failed SAML Authentication
>
> Hmm, ok. It might be specific to Shib. I'll investigate more. Thank you
> for checking.
>
> --
> Edward Huyer
> Interactive Games and Media Department
> Golisano 70-2375
> 102 Lomb Memorial Drive
> Rochester, NY 14623
> 585-475-6651
> erhvks@xxxxxxx
>
> Obligatory Legalese: The information transmitted, including attachments,
> is intended only for the person(s) or entity to which it is addressed and
> may contain confidential and/or privileged material. Any review,
> retransmission, dissemination or other use of, or taking of any action in
> reliance upon this information by persons or entities other than the
> intended recipient is prohibited. If you received this in error, please
> contact the sender and destroy any copies of this information.
>
> From: Ernesto Puerta [mailto:epuertat@xxxxxxxxxx]
> Sent: Tuesday, January 11, 2022 11:25 AM
> To: Edward R Huyer <erhvks@xxxxxxx>
> Cc: ceph-users@xxxxxxx
> Subject: Re: Infinite Dashboard 404 Loop On Failed SAML Authentication
>
> Hi Edward,
>
> I tried to reproduce the issue (with Keycloak instead of Shibboleth) and I
> couldn't. After logging in with user credentials that only exist in the
> SSO service, I end up in the Dashboard's /auth/saml2 URL with the following
> error message:
>
> {"is_authenticated": false, "errors": ["invalid_response"], "reason": "A
> valid SubjectConfirmation was not found on this Response"}
>
> Perhaps this behaviour is specific to Shibboleth, or depends on the
> initial URL you used (since that's saved in the URL for the post-login
> redirection). At least with the root URL I couldn't hit it.
>
> If you want to add more info about a reproducer, please report a new
> Dashboard issue here <https://tracker.ceph.com/projects/dashboard/issues/new>.
>
> Thanks!
>
> Kind Regards,
> Ernesto
>
> On Thu, Jan 6, 2022 at 5:18 PM Edward R Huyer <erhvks@xxxxxxx> wrote:
>
> Ok, I think I've nearly got the dashboard working with SAML/Shibboleth
> authentication, except for one thing: If a user authenticates via SAML,
> but a corresponding dashboard user hasn't been created, it triggers a loop
> where the browser gets redirected to a nonexistent dashboard unauthorized
> page, then to a nonexistent dashboard 404 page, then back to the Shibboleth
> authentication page (which succeeds instantly), then back to the
> unauthorized page, etc.
>
> On a fast machine and network, this loops very quickly and thrashes the
> authentication server. I haven't found a way to fix it. It looks sort of
> like a bug to me?
>
> Any suggestions?
>
> -----
> Edward Huyer
> Golisano College of Computing and Information Sciences
> Rochester Institute of Technology
> Golisano 70-2373
> 152 Lomb Memorial Drive
> Rochester, NY 14623
> 585-475-6651
> erhvks@xxxxxxx

_______________________________________________
ceph-users mailing list -- ceph-users@xxxxxxx
To unsubscribe send an email to ceph-users-leave@xxxxxxx
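
One way to spot the redirect loop described in this thread from the dashboard side, as an added example that is not part of the original messages or of Ceph's own code. The request records, session ids and the two PLACEHOLDER paths are constructed assumptions (the thread does not give the real unauthorized/404 URLs); only /auth/saml2 is taken from the thread.

```python
from collections import defaultdict

# Constructed sample: (seconds, session id, request path). The loop order is an
# assumption: unauthorized page -> 404 page -> SAML endpoint, repeated quickly.
LOOP = ["/unauthorized-PLACEHOLDER", "/404-PLACEHOLDER", "/auth/saml2"]
SAMPLE = [(i * 0.3, "sess-loop", LOOP[i % 3]) for i in range(9)] + [
    (0.0, "sess-ok", "/auth/saml2"),
    (1.0, "sess-ok", "/dashboard-PLACEHOLDER"),
    (5.0, "sess-ok", "/api-PLACEHOLDER"),
]


def find_redirect_loops(events, max_period=4, min_repeats=3, window=10.0):
    """Return {session: cycle} for sessions that request the same short
    sequence of paths min_repeats times in a row within `window` seconds."""
    by_session = defaultdict(list)
    for ts, sid, path in sorted(events):
        by_session[sid].append((ts, path))

    loops = {}
    for sid, reqs in by_session.items():
        paths = [p for _, p in reqs]
        for period in range(2, max_period + 1):
            need = period * min_repeats  # requests needed to prove the loop
            for start in range(len(paths) - need + 1):
                cycle = paths[start:start + period]
                if len(set(cycle)) < 2:
                    continue  # plain reloads of one URL are not a redirect loop
                repeated = paths[start:start + need] == cycle * min_repeats
                elapsed = reqs[start + need - 1][0] - reqs[start][0]
                if repeated and elapsed <= window:
                    loops[sid] = cycle
                    break
            if sid in loops:
                break
    return loops


if __name__ == "__main__":
    for sid, cycle in find_redirect_loops(SAMPLE).items():
        print(f"{sid}: looping over {' -> '.join(cycle)}")
```

A session flagged this way is a candidate for throttling or for being sent to a static error page, so a SAML login without a matching dashboard user stops hitting the identity provider.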