Open krupeshd1 opened 1 year ago
Hi @krupeshd1! I don't believe the None URLs are expected. Have you checked out the Active Directory documentation?
Thanks, Marianna
Just a note: the documentation for Azure AD integration (Service_Workbench_Configuration_Guide.pdf) actually says to create the Cognito pool manually. I assume that's in case the integration is needed after the SWB was launched. It would still be nice to have it updated, unless I read it wrong.
Thank you for the above information. We went ahead and did the integration, added a federated user as an admin, and selected the appropriate authentication. Logging in to Service Workbench returns the following error after the login request, while trying to load the Service Workbench parts:
We have a problem: Failed to fetch
See if refreshing the browser will resolve your issue
Hi @krupeshd1, could you provide some error details regarding this from the CloudWatch log groups <namespace>-apiHandler and <namespace>-backend-RoleAuthenticationLayerHandle?
Hey Sanket, I did not look at the contents of this, but take a look and let me know if it has what you need; if not, I can send you more.
Regards, Krupesh
000000 (1).gz
000000.gz
Hey SWB Team,
Do we have any update from the above issue?
Regards, Krupesh
Hey SWB Team,
Any updates on this?
Regards, Krupesh
Hi @krupeshd1, thank you for providing your logs! We will take a look into what may be causing the issue; we are currently not sure why your username is coming in as undefined. Could you add log lines to make sure that a username is getting passed when a login is attempted? Can you also verify that the user actually exists in the IdP and verify that it was added to the Cognito User Pool?
I gave you the logs; what else are you looking for?
Here is the user that was created on SWB, through Users -> Add Federated User -> kderashri@cnmc.org; this created CNH-Azure_kderashri@cnmc.org.
I log in with the same credentials to other applications. Keep in mind that, as per the instructions in the documentation, the primary domain on the Azure AD side is CNMC.onmicrosoft.com as the identifier.
Regards, Krupesh
Hi @krupeshd1! I see the logs you sent, but I cannot see within them an error message that would help us identify what is going on. Can you also verify that the user actually exists in the IdP and verify that it was added to the Cognito User Pool?
And Kevin was suggesting you add console.log() statements within the code around the source of the issue, if you can, to help you debug why this is not working properly.
Thanks, Marianna
Hey Marianna,
You have to be more prescriptive here and tell me what you need me to do.
Regards, Krupesh
Hey Marianna,
You have to be more prescriptive about console.log and tell me what you need me to do.
Regards, Krupesh
These are the claims:
This is what I see in the logs as the root problem:
2023-03-24T16:42:54.131Z 2023-03-24T16:42:54.131Z b0f9c26a-0bed-40dd-9c4a-e14069dfe2f6 INFO {
"solutionName": "cnh-swb",
"envType": "prod",
"envName": "cnh-swb",
"logLevel": "info",
"msg": "authentication error for <anonymous>/https://cognito-idp.us-east-1.amazonaws.com/us-east-1_winWM75Sf: ValidationException: Invalid KeyConditionExpression: An expression attribute value used in expression is not defined; attribute value: :username"
}
2023-03-24T16:42:54.131Z 2023-03-24T16:42:54.131Z b0f9c26a-0bed-40dd-9c4a-e14069dfe2f6 ERROR Invoke Error {"errorType":"Error","errorMessage":"Unauthorized","stack":["Error: Unauthorized"," at newUnauthorizedError (/var/task/src/lambdas/authentication-layer-handler/webpack:/src/lambdas/authentication-layer-handler/apigw.js:53:36)"," at /var/task/src/lambdas/authentication-layer-handler/webpack:/src/lambdas/authentication-layer-handler/handler-impl.js:65:13"," at processTicksAndRejections (node:internal/process/task_queues:96:5)"]}
Is that your understanding that this is the root error too?
Also, what version of SWB are you working in?
Hey Marianna,
The latest SWB, I believe. That is the error I saw as well, but I'm not sure what or where this may be failing.
In terms of flow, here is a summary; maybe it rings a bell:
Another thing I would like to say is that the user on the Azure side is kder....@cnmc.org and the primary identity on Cognito is cnmc.onmicrosoft.com, but there is not going to be any user kder....@cnmc.onmicrosoft.com. Not sure if the application is looking for that? Just giving ideas.
Regards, Krupesh
Hey SWB Team,
What are our next steps? Did you see my comment above? Does it help?
Regards, Krupesh
We tried with some other users and it seems like they get in, so it's a couple of users having this issue. I am having someone on the Azure AD side look.
Hello SWB Team,
The manual creation of the Cognito pool requires many options that are not specifically called out in the Service Workbench configuration guide. Can you provide what options we should be seeing? An initial test for me returned the following from "/service-workbench-on-aws/scripts/get-relying-party-info.sh dev" (I truncated some parts so it's easier to read). In addition, the documentation refers to this script as scripts/get-relying-party.sh, which seems like it's been renamed. I see the None URLs too.
STAGE supplied as command line argument: dev
Using configuration file: /home/ec2-user/source/service-workbench-on-aws/main/config/settings/dev.yml
Read configuration value: awsProfile = test-swb
Read configuration value: awsRegion = us-east-1
Read configuration value: solutionName = test
Summary:
User Pool Id : us-east-1_Ljdlfjlsadjf
Relying Party Id (Cognito User Pool URN) : urn:amazon:cognito:sp:us-east-1_Ljdlfjlsadjf
(Login) SAML Assersion Consumer Endpoint : https://None.auth.us-east-1.amazoncognito.com/saml2/idpresponse
(Logout) SAML Logout Endpoint : https://None.auth.us-east-1.amazoncognito.com/saml2/logout
User Pool Signing Cert : MIICvDCCAaSgAwIBAgIIUJXYu4SmDakwDQYJKoZIhvcNAQELBQAwHjEcMBoGA1UEAwwTdXMtZWFzdC0xX0x4U3Mwa0pTVTAeFw0yMz
Solution : cnh
Environment Name : dev
Regards, Krupesh