Princeton-CDH / ppa-nlp

Discovering patterns in poetry’s data with machine learning; software for use with Princeton Prosody Archive (PPA) full-text corpus

configure prodigy for SSO #47

Open jerielizabeth opened 1 month ago

jerielizabeth commented 1 month ago
laurejt commented 1 month ago

In progress:

Debugging:

rlskoeser commented 1 month ago

We tried disabling error handling on the load balancer in hopes it would help us see the actual error (we're getting a 502 gateway error), and limited to one server. The nginx logs on the prodigy staging server include this error:

2024/08/13 16:12:39 [error] 1171#1171: *210 upstream sent too big header while reading response header from upstream, client: 128.112.203.144, server: prodigy, request: "GET /login/callback?code=0.A [...]

Google searching suggested changing the proxy buffer size to handle the large response header, so I tried these configurations in the nginx site config where we proxy prodigy:

    proxy_buffer_size 16k;
    proxy_buffers 4 16k;
    proxy_busy_buffers_size 32k;

When I changed this I still saw temporary redirects without the too large error; it looked to me like it was redirecting multiple times between the login page and the callback page, suggesting perhaps that somehow prodigy didn't think I was logged in.
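An added example, not part of the comment above or the project's code: nginx has to fit the whole upstream response header into `proxy_buffer_size`, so this Python check measures a header block and tests the three directives against nginx's consistency rules. The response bytes are constructed sample data and the function names are hypothetical.

```python
import re


def parse_size(text):
    """Convert an nginx size such as '16k' or '1m' to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", text.strip())
    if not m:
        raise ValueError(f"not an nginx size: {text!r}")
    return int(m.group(1)) * {"": 1, "k": 1024, "m": 1024 ** 2}[m.group(2).lower()]


def header_block_size(raw_response):
    """Bytes from the status line through the blank line that ends the headers."""
    end = raw_response.find(b"\r\n\r\n")
    if end < 0:
        raise ValueError("no end of headers found")
    return end + 4


def check_proxy_buffers(buffer_size, buffers, busy_size, header_bytes):
    """Return a list of problems; an empty list means the directives are
    consistent and the response header fits in proxy_buffer_size."""
    first = parse_size(buffer_size)
    count, each = buffers.split()
    count, each = int(count), parse_size(each)
    busy = parse_size(busy_size)
    problems = []
    if header_bytes > first:
        # This is the case nginx logs as "upstream sent too big header".
        problems.append("response header larger than proxy_buffer_size")
    if busy < max(first, each):
        problems.append("proxy_busy_buffers_size below max(proxy_buffer_size, one buffer)")
    if busy > (count - 1) * each:
        problems.append("proxy_busy_buffers_size above all proxy_buffers minus one buffer")
    return problems


# Constructed sample: a callback-style redirect that sets a large session cookie.
SAMPLE = (b"HTTP/1.1 307 Temporary Redirect\r\n"
          b"Location: /\r\n"
          b"Set-Cookie: session=" + b"A" * 9000 + b"; HttpOnly; Secure; Path=/\r\n"
          b"\r\n")

if __name__ == "__main__":
    size = header_block_size(SAMPLE)
    print("header bytes:", size)
    print("4k defaults:", check_proxy_buffers("4k", "8 4k", "8k", size))
    print("16k settings:", check_proxy_buffers("16k", "4 16k", "32k", size))
```

Measuring the real callback response on the upstream port (for example with `curl -sS -D - -o /dev/null`) gives the `header_bytes` value to check against.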

laurejt commented 1 month ago

We tried changing the proxy buffer size (as stated in the previous comment). Now, upon login we get (re)directed to a session hash, but then we're redirected to the /login page (so, login looping).

laurejt commented 1 month ago

Here's a support thread on converting the session "hashes" to usernames.

rlskoeser commented 3 weeks ago

A forum post @laurejt shared about running prodigy on multiple different ports jogged my memory - to test with taking nginx out of the loop, we could temporarily configure it to run on port 80 instead of 8080 and turn off nginx. However, we can't hit the test vm directly so I think we still need ssh with port forwarding so this part may not matter.

Here's an ssh command that I just tested that allows me to access prodigy directly (no nginx) on my local machine on port 80:

ssh -L 0.0.0.0:80:cdh-test-prodigy1:8080 pulsys@cdh-test-prodigy1

I think that port forwarding combined with a temporary edit of /etc/hosts to make localhost respond to the public url configured in the MS Entra auth setup should allow us to test the login without any nginx proxying complicating things.