awslabs / service-workbench-on-aws

A platform that provides researchers with one-click access to collaborative workspace environments operating across teams, universities, and datasets while enabling university IT stakeholders to manage, monitor, and control spending, apply security best practices, and comply with corporate governance.
Apache License 2.0

Azure AD Federated Integration #1145

Open krupeshd1 opened 1 year ago

krupeshd1 commented 1 year ago

What's on your mind? Hello SWB Team,

The manual creation of the Cognito requires many options that are not specifically called out in the service workbench configuration guide - can you provide what options we should be seeing - an initial test for me returned the following from "/service-workbench-on-aws/scripts/get-relying-party-info.sh dev" - I truncated some parts so it's easier to read - in addition the documentation refers to this script which seems like it's been renamed - scripts/get-relying-party.sh - I see the None urls too -

STAGE supplied as command line argument: dev
Using configuration file: /home/ec2-user/source/service-workbench-on-aws/main/config/settings/dev.yml
Read configuration value: awsProfile = test-swb
Read configuration value: awsRegion = us-east-1
Read configuration value: solutionName = test


Summary:

User Pool Id : us-east-1_Ljdlfjlsadjf
Relying Party Id (Cognito User Pool URN) : urn:amazon:cognito:sp:us-east-1_Ljdlfjlsadjf
(Login) SAML Assersion Consumer Endpoint : https://None.auth.us-east-1.amazoncognito.com/saml2/idpresponse
(Logout) SAML Logout Endpoint : https://None.auth.us-east-1.amazoncognito.com/saml2/logout
User Pool Signing Cert : MIICvDCCAaSgAwIBAgIIUJXYu4SmDakwDQYJKoZIhvcNAQELBQAwHjEcMBoGA1UEAwwTdXMtZWFzdC0xX0x4U3Mwa0pTVTAeFw0yMz
Solution : cnh
Environment Name : dev

Versions (please complete the following information):

Regards, Krupesh

maghirardelli commented 1 year ago

Hi @krupeshd1 ! I don't believe the None URLs are expected. Have you checked out the Active Directory documentation?

Thanks, Marianna

krupeshd1 commented 1 year ago

Just a note the documentation for Azure AD integration - Service_Workbench_Configuration_Guide.pdf - actually says to create the Cognito pool manually - I assume that's in case the integration was needed after the SWB was launched - it would still be nice to have it updated unless I read it wrong -

krupeshd1 commented 1 year ago

Thank you for the above information - we went ahead and did the integration, added a federated user as an admin - selecting the appropriate authentication and logging in to Service workbench returns the following error after the login request - trying to load the service workbench parts:

We have a problem Failed to fetch

See if refreshing the browser will resolve your issue

SanketD92 commented 1 year ago

Hi @krupeshd1, could you provide some error details regarding this from CloudWatch log groups <namespace>-apiHandler and <namespace>-backend-RoleAuthenticationLayerHandle ?

krupeshd1 commented 1 year ago

Hey Sanket, I did not look at the contents of this but take a look and let me know if it has what you need - if not I can send you more -

Regards, Krupesh

Attachments: 000000 (1).gz, 000000.gz

krupeshd1 commented 1 year ago

Hey SWB Team,

Do we have any update from the above issue?

Regards, Krupesh

krupeshd1 commented 1 year ago

Hey SWB Team,

Any updates on this?

Regards, Krupesh

kpark277 commented 1 year ago

Hi @krupeshd1, thank you for providing your logs! We will take a look into what may be causing the issue; we are currently not sure why your username is coming in as undefined. Could you add log lines to make sure that a username is getting passed when a login is attempted? Can you also verify that the user actually exists in the IdP and verify that it was added to the Cognito User Pool?

krupeshd1 commented 1 year ago

I gave you the logs - what else are you looking for?

Here is the user that was created on SWB - through Users -> Add Federated User -> kderashri@cnmc.org - this created CNH-Azure_kderashri@cnmc.org -

I login with the same credentials to other applications - keep in mind as per the instructions in documentation the primary domain for this Azure AD side is CNMC.onmicrosoft.com as the identifier -

Regards, Krupesh

maghirardelli commented 1 year ago

Hi @krupeshd1! I see the logs you sent, but I cannot see within them an error message that would help us identify what is going on. Can you also verify that the user actually exists in the IdP and verify that it was added to the Cognito User Pool?

And Kevin was suggesting you add console.log() statements within the code around the source of the issue if you can to help you debug why this is not working properly.

Thanks, Marianna

krupeshd1 commented 1 year ago

Hey Marianna,

You have to be more prescriptive here to tell me what you need me to do -

Regards, Krupesh

krupeshd1 commented 1 year ago

Hey Marianna,

You have to be more prescriptive about console.log to tell me what you need me to do -

Regards, Krupesh

krupeshd1 commented 1 year ago

These are the claims:

[Image: MicrosoftTeams-image]

maghirardelli commented 1 year ago

This is what I see in the logs as the root problem:

2023-03-24T16:42:54.131Z 2023-03-24T16:42:54.131Z   b0f9c26a-0bed-40dd-9c4a-e14069dfe2f6    INFO    {
  "solutionName": "cnh-swb",
  "envType": "prod",
  "envName": "cnh-swb",
  "logLevel": "info",
  "msg": "authentication error for <anonymous>/https://cognito-idp.us-east-1.amazonaws.com/us-east-1_winWM75Sf: ValidationException: Invalid KeyConditionExpression: An expression attribute value used in expression is not defined; attribute value: :username"
}

2023-03-24T16:42:54.131Z 2023-03-24T16:42:54.131Z   b0f9c26a-0bed-40dd-9c4a-e14069dfe2f6    ERROR   Invoke Error    {"errorType":"Error","errorMessage":"Unauthorized","stack":["Error: Unauthorized","    at newUnauthorizedError (/var/task/src/lambdas/authentication-layer-handler/webpack:/src/lambdas/authentication-layer-handler/apigw.js:53:36)","    at /var/task/src/lambdas/authentication-layer-handler/webpack:/src/lambdas/authentication-layer-handler/handler-impl.js:65:13","    at processTicksAndRejections (node:internal/process/task_queues:96:5)"]}

Is that your understanding that this is the root error too?

Also, what version of SWB are you working in?
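As an added illustration of the error class in the log above (not SWB's own code; the table name, claim shape and function names are assumed): an undefined username claim silently disappears from the DynamoDB request, producing exactly this ValidationException, while a guard that checks the claim first fails closed before any query is built.

```javascript
// Constructed example: how an undefined identity claim becomes the DynamoDB
// "Invalid KeyConditionExpression ... attribute value: :username" error,
// and a guard that rejects the token before a query is ever built.

// Hypothetical user lookup keyed by username and ns (identity-provider
// namespace); the table name is a placeholder, not SWB's.
function buildUserQuery(username, ns) {
  return {
    TableName: 'example-Users',
    KeyConditionExpression: 'username = :username AND ns = :ns',
    ExpressionAttributeValues: { ':username': username, ':ns': ns },
  };
}

// Mimics the service-side check: the SDK serialises the request as JSON,
// and JSON.stringify drops properties whose value is undefined, so the
// placeholder is still referenced in the expression but missing from the
// values map.
function validateQuery(params) {
  const wire = JSON.parse(JSON.stringify(params));
  const values = wire.ExpressionAttributeValues || {};
  const placeholders = wire.KeyConditionExpression.match(/:[A-Za-z0-9_]+/g) || [];
  for (const p of placeholders) {
    if (!(p in values)) {
      throw new Error(
        `ValidationException: Invalid KeyConditionExpression: An expression attribute value used in expression is not defined; attribute value: ${p}`,
      );
    }
  }
  return wire;
}

// Unguarded path: whatever the token carried goes straight into the key.
function unguardedQuery(claims, ns) {
  return validateQuery(buildUserQuery(claims.username, ns));
}

// Hardened path: require a non-empty string username before touching the
// database, and return a loggable reason (never the raw token) otherwise.
function lookupFederatedUser(claims, ns) {
  const username = claims && claims.username;
  if (typeof username !== 'string' || username.trim() === '') {
    return { ok: false, reason: 'token missing username claim' };
  }
  return { ok: true, query: validateQuery(buildUserQuery(username, ns)) };
}

// Constructed inputs (placeholder pool id and identity, not real values)
const ns = 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE';
const rejected = lookupFederatedUser({ sub: 'abc' }, ns);
const accepted = lookupFederatedUser({ username: 'idp_alice@example.org' }, ns);
```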

krupeshd1 commented 1 year ago

Hey Marianna,

The latest SWB I believe - That is the error I saw as well - but not sure what or where this may be failing -

In terms of flow - here is a summary - maybe it rings a bell -

  1. Go to the SWB URL (CloudFront)
  2. Login page displayed - give me a choice of - "Cognito Native Pool" and "Login using CNH Azure AD"
  3. Native login works and logs me in
  4. "Login using CNH Azure AD" redirects to login.microsoft.com - I log in with the kder...@cnmc.org account - Asks for my password
  5. Redirects back to SWB (Just wait a few seconds message on the page) and fails

Another thing I would like to say is - user on Azure side is kder....@cnmc.org, the primary identity on Cognito is cnmc.onmicrosoft.com, but there is going to be no user kder....@cnmc.onmicrosoft.com - not sure if the application is looking for that? Just giving ideas -

Regards, Krupesh

krupeshd1 commented 1 year ago

Hey SWB Team,

What are our next steps? Did you see my comment above - does it help?

Regards, Krupesh

krupeshd1 commented 1 year ago

We tried with some other users and it seems like they get in - so it's a couple of users having this issue - I am having someone at the Azure AD side look -