Closed korede-ola closed 2 years ago
When does the 404 occur? On login attempt or on loading login page?
We currently have an open issue, #159: if the VECTR instance can't load the Metadata URL or other URLs necessary for SSO, auth completely breaks and fails to load. Sounds like it could be this issue. Can you check your container logs for errors and network connectivity?
The 404 occurs whenever I attempt to reach https://
Data in .env all comply with the points raised in issue #159. However, I reset the initial values for VECTR_DATA_KEY and APP_Name; they were non-alphanumeric and something outside Vectr, respectively.
Will rebuilding then restarting the docker instances after modifying the env creds rule out any issue in the .env file?
VECTR_DATA_KEY can't be changed after initial setup. Changing this will void the instance's ability to read the database.
The APP_Name issue is still outstanding and will hopefully be fixed in the next release.
If you've got no data in the instance you care about the best method is to blow away your volumes, reset your .env to as many defaults as you can and reenroll your SSO application. If it still works we can eliminate the potential networking aspect.
This is a fresh install, so there are no holdbacks regarding the overhaul. I might be missing the step/command syntax to make this work without impacting existing apps on the host, if that is something you can put me in the right direction with, assuming I want to undo and redo.
Do you have other docker containers running on the host?
```shell
docker-compose down
```

Should tear down the containers; then you'll need to remove the volumes, as they persist. If they're not attached, a prune should suffice.

```shell
docker volume prune
```
If you do have other workloads on the host I wouldn't recommend using a prune as you might remove data from other containers not currently running. You'd have to remove the VECTR ones manually.
Prune: that fixed the persistence issue for the containers. Now it has defaulted to the original issue, very similar to #159, where configuring the Azure AD provider gets stuck at claims mapping with a generic "Uh oh, something didn't go right. Please try again. If the error persists, please open an issue on GitHub". My VECTR_DATA_KEY is set and APP_NAME is reverted to VECTR.
If everything is defaulted and you're still encountering an issue during enrollment, it likely means there's a networking issue trying to communicate with the SSO provider. I'd check the container logs; resources here: https://docs.docker.com/engine/reference/commandline/logs/
We've got a release due out in the next few weeks to make some improvements in this area, and it may provide an easier troubleshooting experience if you still experience issues.
It doesn't appear to be a bug from the info we have, so our ability to provide SSO support for community users is limited. If you find anything of note in your container logs feel free to post it here.
Running the `docker logs --follow` command for real-time output, this continues to print even when the JWT (JWS_KEY) is confirmed.
@oakey1 it's a bit difficult to tell what's going on with the standard logging. In your .env file, can you set `VECTR_CONTAINER_LOG_LEVEL` to `DEBUG`? If you can provide the full log from when you try to log into SSO to when you get the 404, that would be great (redacting any sensitive data).
Were you able to set up SSO after rebuilding the containers? At which point do you get the 404 now? Does it occur after you initiate SSO from the VECTR login page, or does it happen after you've logged into your identity provider and it redirects back to VECTR?
@oakey1 the 8.3.0 release is out with several auth and SSO improvements. I'd give it a try with this new build.
After updating to 8.3.0 and giving the Azure AD IDP option a shot, I'm currently seeing a different error referencing how Host:login.mircrosoftonline.com is unreachable for claims mapping.
There's either a typo in the URL field or there's a networking issue. Firewalls, limited egress, hard to say. It can't communicate with Azure.
Yet to find a smoking gun, but here's a sanitized full stack trace in case something jumps out:
2022-03-23 12:28:56,840 DEBUG [org.apache.commons.beanutils.converters.StringConverter] - Converting 'com.sra.auth.model.enums.AuthnProtocol' value 'AZURE_AD_OIDC' to type 'String'
2022-03-23 12:28:56,840 DEBUG [org.apache.commons.beanutils.converters.StringConverter] - Converting 'com.sra.auth.model.enums.AuthnProtocol' value 'AZURE_AD_OIDC' to type 'String'
2022-03-23 12:28:56,842 DEBUG [org.apache.commons.beanutils.converters.StringConverter] - Converting 'com.sra.auth.model.enums.AuthnProtocol' value 'AZURE_AD_OIDC' to type 'String'
2022-03-23 12:28:56,842 DEBUG [org.apache.commons.beanutils.converters.StringConverter] - Converting 'String' value 'tenant_id' to type 'String'
2022-03-23 12:28:56,842 DEBUG [org.apache.commons.beanutils.converters.StringConverter] - Converting 'String' value 'app_id' to type 'String'
2022-03-23 12:28:56,842 DEBUG [org.apache.commons.beanutils.converters.StringConverter] - Converting 'String' value 'sec' to type 'String'
2022-03-23 12:29:16,862 ERROR [com.sra.auth.web.service.IdentityProviderService] - Unable to add provider: Vectr_SSO
2022-03-23 12:29:16,862 DEBUG [com.sra.auth.web.service.IdentityProviderService] - exception
org.pac4j.core.exception.TechnicalException: java.net.UnknownHostException: login.microsoftonline.com
at org.pac4j.oidc.config.OidcConfiguration.internalInit(OidcConfiguration.java:164) ~[pac4j-oidc-4.5.4.jar:?]
at org.pac4j.oidc.config.AzureAdOidcConfiguration.internalInit(AzureAdOidcConfiguration.java:49) ~[pac4j-oidc-4.5.4.jar:?]
at org.pac4j.core.util.InitializableObject.init(InitializableObject.java:20) ~[pac4j-core-4.5.4.jar:?]
at org.pac4j.oidc.config.OidcConfiguration.findProviderMetadata(OidcConfiguration.java:177) ~[pac4j-oidc-4.5.4.jar:?]
at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.
I'm also getting failure audit logs at inconsistent time intervals in Azure AD with error code 90094. The error keeps firing even after admin consent is granted on the app in AAD.
Near the bottom looks like a pretty smoking gun to me.
2022-03-23 12:29:16,864 DEBUG [org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver] - Resolved [org.springframework.web.client.HttpClientErrorException: 400 Unable to find host: login.microsoftonline.com. Make sure your VECTR instance can reach this host.]
It's DNS; it can't resolve login.microsoftonline.com.
@oakey1 Could be a DNS issue as @SRAPSpencer mentioned. Are you using a proxy to connect to the outside? If yes, you'll need to configure the JVM proxy. See #163
Separate note: the stack trace suggests that you are having issues adding the SSO provider in VECTR; however, you also mention that you are trying to log into VECTR via SSO. Are you trying to access VECTR from Azure AD (i.e. IdP-initiated flow)? If yes, there are two issues with that:
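To make the log reading above repeatable, here is an added triage helper (not VECTR's code) that scans debug log lines for the network-level exception and names the host the container could not reach. The DNS rules are taken from the excerpt in this thread; the egress and TLS rules are my assumptions about the other standard Java exceptions worth checking for, and the sample log is constructed.

```python
"""Classify VECTR SSO debug log lines by network root cause (added example)."""
import re

# Matches a hostname without swallowing a trailing sentence period.
HOST = r"([\w-]+(?:\.[\w-]+)*)"

# Each rule: regex, root-cause class, and what a defender should check next.
# Group 1 (when present) captures the remote host that could not be reached.
RULES = [
    (re.compile(r"java\.net\.UnknownHostException: " + HOST), "dns",
     "resolve the host from inside the container, not only on the Docker host"),
    (re.compile(r"Unable to find host: " + HOST), "dns",
     "resolve the host from inside the container, not only on the Docker host"),
    (re.compile(r"java\.net\.ConnectException"), "egress",          # assumption
     "check firewall/egress rules between the container network and the IdP"),
    (re.compile(r"java\.net\.SocketTimeoutException"), "egress",    # assumption
     "check for a proxy or filtered egress path (see JVM proxy settings)"),
    (re.compile(r"javax\.net\.ssl\.SSLHandshakeException"), "tls",  # assumption
     "check for TLS interception or a proxy CA missing from the JVM truststore"),
]


def triage(log_text):
    """Return one finding per matching line: (line_no, cause, host, next_step)."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for pattern, cause, next_step in RULES:
            m = pattern.search(line)
            if m:
                host = m.group(1) if m.groups() else None
                findings.append((line_no, cause, host, next_step))
                break  # the first matching rule is enough for one line
    return findings


def root_cause(findings):
    """Collapse findings into {cause: sorted hosts} for a quick read."""
    summary = {}
    for _, cause, host, _ in findings:
        hosts = summary.setdefault(cause, set())
        if host:
            hosts.add(host)
    return {cause: sorted(hosts) for cause, hosts in summary.items()}


# Constructed sample modelled on the debug log excerpt posted in this thread.
SAMPLE_LOG = """\
2022-03-23 12:29:16,862 ERROR [com.sra.auth.web.service.IdentityProviderService] - Unable to add provider: Vectr_SSO
org.pac4j.core.exception.TechnicalException: java.net.UnknownHostException: login.microsoftonline.com
2022-03-23 12:29:16,864 DEBUG [ExceptionHandlerExceptionResolver] - Resolved [HttpClientErrorException: 400 Unable to find host: login.microsoftonline.com. Make sure your VECTR instance can reach this host.]
"""

if __name__ == "__main__":
    for line_no, cause, host, next_step in triage(SAMPLE_LOG):
        print(f"line {line_no}: {cause} ({host}) -> {next_step}")
    print(root_cause(triage(SAMPLE_LOG)))
```

Feed it `docker logs <vectr-container>` output after setting the log level to DEBUG; a `dns` result with a host that resolves fine on the Docker host points at the container's resolver configuration rather than at the IdP.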
Following up on this since the issue persists.
A few tests we ran didn't point to any issue around DNS: `curl -k -L https://login.microsoftonline.com/` on the host resolves the content behind the scenes as expected.
We are not using any proxies on this box.
The stack trace provided is the event generated while attempting to integrate SSO with Vectr using Azure AD. The Azure portal is set up, but clearly the Vectr instance cannot reach the AAD portal, as no sign-in failures under Usage and Insights are getting logged.
How can we have these connections spot-checked?
@oakey1 I'm not sure we have anything else to recommend. If you'd like we can jump on a quick call to go over the situation to ensure everything on the VECTR end is working correctly.
Email us at vectrops@securityriskadvisors.com so we can set something up.
The issue was an underlying networking issue with RHEL + Docker. Not specific to VECTR.
Similar issues.
Appears to be a unique issue, since I'm not seeing any similar issues raised.
After registering Vectr in AAD and completing the SSO claims mapping, sign-in attempts now redirect to https:///sra-purpletools-webui/app/#/ with a Vectr logo in the middle but "Failed with status code 404" right under it.
Similar image as issue #171 except that it worked prior to setting up SSO. This is a RHEL