Awx: SAML Login error invalid_response request was received at incorrect port

Created on 24 Dec 2019 · 2 comments · Source: ansible/awx

ISSUE TYPE
  • Bug Report
SUMMARY

Hi there !
I'm trying to configure ADFS SAML for my AWX install; however, once my Service Provider and Identity Provider are set up, the login doesn't work due to an error:

SAML login failed: ['invalid_response'] (The response was received at https://ansible-tower.cplus:8053/sso/complete/saml/ instead of https://ansible-tower.cplus/sso/complete/saml/
ENVIRONMENT
  • AWX version: 9.0.1
  • AWX install method: docker on linux
  • Operating System: Centos 7
  • Web Browser: Firefox / Chrome
STEPS TO REPRODUCE
  • Install AWX with docker and configure SAML
  • Try to login with saml
  • Enter your username / password if needed
  • get redirected to AWX login page without being authenticated
EXPECTED RESULTS
  • No error / Being authenticated
ACTUAL RESULTS
  • The following error appears in the logs:
social Authentication failed: SAML login failed: ['invalid_response'] (The response was received at https://ansible-tower.cplus:8053/sso/complete/saml/ instead of https://ansible-tower.cplus/sso/complete/saml/).
ADDITIONAL INFORMATION

This error is similar to https://github.com/ansible/awx/issues/1016
The problem is that the solution doesn't apply to the newest version of AWX.

As I understand it, I need to have an X-Forwarded-Port configured somewhere, but it already seems to be there in the nginx.conf file:

        location / {
            # Add trailing / if missing
            rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
            uwsgi_read_timeout 120s;
            uwsgi_pass uwsgi;
            include /etc/nginx/uwsgi_params;

            proxy_set_header X-Forwarded-Port 443;

Thanks


So, I found the solution:

You can either:

  • Change the configuration so that Nginx listens on port 443 (and modify the docker compose accordingly). That's the "easy" way, but I tried to understand how to make it work with the default configuration.
  • Or you can leave the default port configuration and just modify the nginx.conf that's in the "docker_compose_dir" option.
    Simply add the following line to the "location /" part:
    > uwsgi_param HTTP_X_FORWARDED_PORT 443;

And off you go. The error:

The response was received at https://XXXXX:8053/sso/complete/saml/ instead of https://XXXXX/sso/complete/saml/

should be gone.
I'm attaching my nginx.conf so that you can check it out (it's the AWX 9.0.1 default file, just with the line added):

#user awx;

worker_processes  1;

pid        /tmp/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    server_tokens off;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /dev/stdout main;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    sendfile        on;
    #tcp_nopush     on;
    #gzip  on;

    upstream uwsgi {
        server 127.0.0.1:8050;
    }

    upstream daphne {
        server 127.0.0.1:8051;
    }

    server {
        listen 8052 default_server;
        server_name _;

        # Redirect all HTTP links to the matching HTTPS page
        return 301 https://$host$request_uri;
    }

    server {
#        listen 443 ssl;
        listen 8053 ssl;

        ssl_certificate /etc/nginx/awxweb.pem;
        ssl_certificate_key /etc/nginx/awxweb.pem;

        # If you have a domain name, this is where to add it
        server_name _;
        keepalive_timeout 65;

        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;
        add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
        add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";

        # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
        add_header X-Frame-Options "DENY";

        location /nginx_status {
          stub_status on;
          access_log off;
          allow 127.0.0.1;
          deny all;
        }

        location /static/ {
            alias /var/lib/awx/public/static/;
        }

        location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }

        location /websocket {
            # Pass request to the upstream alias
            proxy_pass http://daphne;
            # Require http version 1.1 to allow for upgrade requests
            proxy_http_version 1.1;
            # We want proxy_buffering off for proxying to websockets.
            proxy_buffering off;
            # http://en.wikipedia.org/wiki/X-Forwarded-For
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # enable this if you use HTTPS:
            proxy_set_header X-Forwarded-Proto https;
            # pass the Host: header from the client for the sake of redirects
            proxy_set_header Host $http_host;
            # We've set the Host header, so we don't need Nginx to muddle
            # about with redirects
            proxy_redirect off;
            # Depending on the request value, set the Upgrade and
            # connection headers
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }

        location / {
            # Add trailing / if missing
            rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
            uwsgi_read_timeout 120s;
            uwsgi_pass uwsgi;
            include /etc/nginx/uwsgi_params;

            proxy_set_header X-Forwarded-Port 443;
            # that's the important bit
            uwsgi_param HTTP_X_FORWARDED_PORT 443;
        }
    }
}

I haven't seen much ADFS SAML configuration available, and since I had quite some trouble setting it up, I'm also adding my ADFS configuration for "SAML ENABLED IDENTITY PROVIDERS":

{
 "saml_ms_adfs": {
  "attr_last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
  "entity_id": "http://signin.server.com/adfs/services/trust",
  "x509cert": "<redacted>",
  "url": "https://signin.server.com/adfs/ls/",
  "attr_username": "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
  "attr_email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "attr_first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
  "attr_user_permanent_id": "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
 }
}

Big thanks to this thread: https://github.com/pallets/werkzeug/issues/1465#issuecomment-469722847 for the enlightenment.

I'll try to do a PR request and see if that can be added by default :)
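The comment above fixes the port that the WSGI app sees; `proxy_set_header` only applies to `proxy_pass`, so for a `uwsgi_pass` location the value has to reach the app through `uwsgi_param`. The simplified model below (an added example, not AWX or python3-saml code) reconstructs the "received at" URL the way a Django app with `USE_X_FORWARDED_PORT` plus python3-saml does, and shows the destination check failing without `HTTP_X_FORWARDED_PORT` and passing with it; all environ values are constructed.

```python
# Added illustration of the SAML destination check behind a port-mapped proxy.
DEFAULT_PORTS = {"http": 80, "https": 443}


def request_port(environ, use_x_forwarded_port=True):
    """Port the app believes it was reached on (Django get_port() rule:
    HTTP_X_FORWARDED_PORT when trusted, else the raw SERVER_PORT)."""
    if use_x_forwarded_port and "HTTP_X_FORWARDED_PORT" in environ:
        return int(environ["HTTP_X_FORWARDED_PORT"])
    return int(environ["SERVER_PORT"])


def self_url(environ, use_x_forwarded_port=True):
    """Rebuild the URL the SAML response was received at; the port is only
    appended when it is not the scheme's default, as python3-saml does."""
    scheme = environ.get("HTTP_X_FORWARDED_PROTO", environ["wsgi.url_scheme"])
    host = environ["HTTP_HOST"].split(":")[0]  # drop any port the client sent
    port = request_port(environ, use_x_forwarded_port)
    netloc = host if port == DEFAULT_PORTS[scheme] else f"{host}:{port}"
    path = environ.get("SCRIPT_NAME", "") + environ["PATH_INFO"]
    return f"{scheme}://{netloc}{path}"


def destination_matches(environ, destination):
    """True when the assertion's Destination equals the reconstructed URL."""
    return self_url(environ) == destination


def wsgi_environ(forwarded_port=None):
    """Constructed environ as uwsgi hands it to AWX: nginx listens on 8053,
    docker publishes it as 443, and the client's Host header has no port."""
    env = {
        "wsgi.url_scheme": "https",
        "HTTP_X_FORWARDED_PROTO": "https",
        "HTTP_HOST": "ansible-tower.cplus",
        "SERVER_PORT": "8053",
        "PATH_INFO": "/sso/complete/saml/",
    }
    if forwarded_port is not None:
        # what "uwsgi_param HTTP_X_FORWARDED_PORT 443;" injects
        env["HTTP_X_FORWARDED_PORT"] = str(forwarded_port)
    return env


# The ACS URL registered at the IdP (the value the IdP writes as Destination).
DESTINATION = "https://ansible-tower.cplus/sso/complete/saml/"

if __name__ == "__main__":
    for label, env in (("default", wsgi_environ()), ("fixed", wsgi_environ(443))):
        print(label, self_url(env), destination_matches(env, DESTINATION))
```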

@loitho thanks for investigating this and contributing a patch - I'm merging it shortly and closing this.
