Pivotal Knowledge Base


Proxy settings cause SAML authentication to stop working

Environment

  • Pivotal Cloud Foundry© (PCF) 1.11
  • Operations Manager 1.11

Symptom

After upgrading to PCF 1.11, SAML authentication stops working for OpsManager.

An HTTP proxy is configured in OpsManager.

Error Message:

OpsMgr: /tmp/logs/production.log shows:

(cloudfoundry) Client: opsman auth_server: https://<opsmgr>:443/uaa token_server: http://127.0.0.1:8080/uaa

CF::UAA::BadResponse (received invalid response content or type): lib/rack/streaming.rb:63:in `call'

Cause

The Ruby `httpclient` gem picks up the proxy from the OS proxy settings. As a result, the SAML token request to the local UAA at http://127.0.0.1:8080/uaa is forwarded to the configured HTTP proxy instead of going directly to the loopback address. Whatever the proxy returns is not a valid UAA token response, which surfaces as `CF::UAA::BadResponse (received invalid response content or type)`.

This starts with 1.11 because the uaac library bundled with OpsManager was upgraded to a version that uses the Ruby `httpclient` gem, and some of its calls import the OS proxy settings. Earlier versions did not route these loopback requests through the proxy, so a proxy configuration that worked before the upgrade breaks SAML login afterwards.

Resolution

Either disable the HTTP proxy in OpsManager or add 127.0.0.1 (the loopback address) to the No Proxy list; the latter is the usual workaround. Note that the token request goes to the literal address 127.0.0.1 (see the token_server value in the log above), not the hostname localhost, so the No Proxy entry must be 127.0.0.1.

  1. Place OpsManager into recovery mode by following this article: https://discuss.pivotal.io/hc/en-us/articles/228508167-How-to-Recover-Operations-Manager-Admin-Password (SAML login is broken at this point, so recovery mode is the way to reach the settings page.)
  2. Go to OpsManager > Settings (in the upper right hand corner) > Proxy Settings.
  3. Add 127.0.0.1 to the No Proxy list and click Update.
  4. Take OpsManager out of recovery mode.
  5. Retry SAML authentication. It should now succeed.
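
The following Ruby script is an added illustration written for this article; it is not code from OpsManager, uaac or the httpclient gem. It models the proxy decision described under Cause: a client that honours the OS proxy settings (here a plain Hash standing in for ENV, carrying http_proxy and no_proxy) sends the token request to http://127.0.0.1:8080/uaa through the proxy unless 127.0.0.1 appears in no_proxy or no proxy is configured at all, which are the two fixes given above. The function names (proxy_for, no_proxy_match?, parse_no_proxy), the sample proxy address and the environment hashes are constructed for the example, and the no_proxy matching rules implemented (exact host or dot-separated suffix, optional :port, "*" for everything) are the common convention rather than a transcript of httpclient's code.

```ruby
require 'uri'

# Simplified model of how an HTTP client that honours the OS proxy
# environment decides whether a request goes via the proxy.  Illustrative
# code written for this article, NOT the httpclient gem's or OpsManager's
# implementation.  Hypothetical names: parse_no_proxy, no_proxy_match?,
# proxy_for, and the constructed sample environments below.

# Parse a no_proxy list ("host[:port],host[:port],...") into matchers.
# A leading dot (".example.com") is treated the same as "example.com".
def parse_no_proxy(list)
  return [] if list.nil? || list.strip.empty?
  list.split(/\s*,\s*/).reject(&:empty?).map do |entry|
    host, port = entry.split(':', 2)
    host = host.sub(/\A\./, '')
    { host: host.downcase, port: port && port.to_i }
  end
end

# True if the request's host matches an entry exactly or as a dot-separated
# suffix, and the entry's port (if any) matches.  "*" bypasses everything.
def no_proxy_match?(uri, entries)
  host = uri.host.to_s.downcase
  entries.any? do |e|
    next true if e[:host] == '*'
    host_ok = host == e[:host] || host.end_with?('.' + e[:host])
    host_ok && (e[:port].nil? || uri.port == e[:port])
  end
end

# Returns the proxy URI the request would be sent through, or nil for a
# direct connection.  `env` is a Hash standing in for the process ENV.
def proxy_for(url, env)
  uri = URI(url)
  proxy = env["#{uri.scheme}_proxy"] || env["#{uri.scheme.upcase}_PROXY"]
  return nil if proxy.nil? || proxy.empty?
  no_proxy = env['no_proxy'] || env['NO_PROXY']
  return nil if no_proxy_match?(uri, parse_no_proxy(no_proxy))
  URI(proxy)
end

# Constructed sample values (not taken from a real OpsManager VM).
PROXY        = 'http://proxy.example.internal:3128'
TOKEN_SERVER = 'http://127.0.0.1:8080/uaa/oauth/token'   # loopback, as in production.log

ENV_BROKEN = { 'http_proxy' => PROXY, 'https_proxy' => PROXY }        # proxy set, no exemption
ENV_FIXED  = ENV_BROKEN.merge('no_proxy' => '127.0.0.1,localhost,.pcf.example.internal')
ENV_NO_PROXY_CONFIGURED = {}                                           # proxy disabled

if __FILE__ == $0
  [['proxy, no no_proxy', ENV_BROKEN],
   ['proxy + no_proxy=127.0.0.1', ENV_FIXED],
   ['proxy disabled', ENV_NO_PROXY_CONFIGURED]].each do |label, env|
    via = proxy_for(TOKEN_SERVER, env)
    puts "#{label.ljust(28)} -> #{via ? "via #{via}" : 'direct to 127.0.0.1:8080'}"
  end
end
```

Feed it the real proxy URL and No Proxy list from Settings > Proxy Settings to confirm that the token_server address shown in production.log resolves to a direct connection before retrying the SAML login. The script also shows why a no_proxy entry of only `localhost` does not help here: matching is on the host string, and the token request names 127.0.0.1.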

Additional Information

Full production.log error message:

Started GET "/" for 130.42.62.206 at 2017-08-01 16:32:51 +0000
Processing by MainController#show as HTML
Redirected to https://opsmgr.pcfpre-phx.cloud.boeing.com/login/ensure_availability
Filter chain halted as :require_valid_uaa_token! rendered or redirected
Completed 302 Found in 3ms (ActiveRecord: 0.8ms)
Started GET "/login/ensure_availability" for 130.42.62.206 at 2017-08-01 16:32:51 +0000
Processing by LoginController#ensure_availability as HTML
Checking whether UAA is available at http://127.0.0.1:8080/uaa/healthz ...
Got a response from UAA: #<Net::HTTPOK 200 OK readbody=true>
Redirected to https://opsmgr.pcfpre-phx.cloud.boeing.com/auth/cloudfoundry
Completed 302 Found in 12ms (ActiveRecord: 0.8ms)
Started GET "/auth/cloudfoundry" for 130.42.62.206 at 2017-08-01 16:32:51 +0000
(cloudfoundry) Setup endpoint detected, running now.
(cloudfoundry) Request phase initiated.
(cloudfoundry) Client: opsman auth_server: https://opsmgr.pcfpre-phx.cloud.boeing.com:443/uaa token_server: http://127.0.0.1:8080/uaa
(cloudfoundry) Redirect URI https://opsmgr.pcfpre-phx.cloud.boeing.com:443/uaa/oauth/authorize?client_id=opsman&response_type=code&redirect_uri=https%3A%2F%2Fopsmgr.pcfpre-phx.cloud.boeing.com%2Fauth%2Fcloudfoundry%2Fcallback&state=1f63a2ec211ceabe3a0e3c94a4390263&nonce=1f63a2ec211ceabe3a0e3c94a4390263
Started GET "/auth/cloudfoundry/callback?code=R9Dmenma5M&state=1f63a2ec211ceabe3a0e3c94a4390263" for 130.42.62.206 at 2017-08-01 16:32:51 +0000
(cloudfoundry) Setup endpoint detected, running now.
(cloudfoundry) Callback phase initiated.
(cloudfoundry) In callback phase code=R9Dmenma5M&state=1f63a2ec211ceabe3a0e3c94a4390263
(cloudfoundry) Fetching access token
(cloudfoundry) Client: opsman auth_server: https://opsmgr.pcfpre-phx.cloud.boeing.com:443/uaa token_server: http://127.0.0.1:8080/uaa

CF::UAA::BadResponse (received invalid response content or type):
lib/rack/streaming.rb:63:in `call' 
