Bug #62034

open

mgr/dashboard: Infinite Dashboard 404 Loop On Failed SAML Authentication

Added by Lukas M 10 months ago. Updated 8 months ago.

Status: Triaged
Priority: Normal
Assignee:
Category: -
Target version: -
% Done: 0%
Source:
Tags:
Backport:
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

Description of problem

I have the same problem as the author of https://www.mail-archive.com/ceph-users@ceph.io/msg14112.html. The SAML-enabled dashboard goes into a 404 redirect loop if the user does not exist, at least for the Auth0 provider (there is a free tier available, anyone can test this).

Environment

  • ceph version string: quincy
  • Platform (OS/distro/release): Ubuntu 22.04
  • Cluster details (nodes, monitors, OSDs): Single node installation
  • Did it happen on a stable environment or after a migration/upgrade?:
  • Browser used (e.g.: Version 86.0.4240.198 (Official Build) (64-bit)): Chrome

How reproducible

Steps:

1. Create an Auth0 application; enable SAML; use https://ceph.example.com/auth/saml2 as the redirect URI.
2. Enable SAML in the dashboard:

       ceph dashboard sso setup saml2 \
         https://ceph.example.com \
         https://example.eu.auth0.com/samlp/metadata/14LDzuhXRxiVwu1gGwBguV4o8HbqJcO2 \
         http://schemas.auth0.com/nickname

Actual results

Infinite Dashboard 404 Loop On Failed SAML Authentication

Expected results

The user is auto-created from SAML provider.

Additional info

None

Actions #1

Updated by Lukas M 10 months ago

The same behavior occurs with Keycloak 22.0.1. Make sure you are not logging in with the default admin user of Keycloak, because the admin user also exists in the Ceph dashboard. A correct reproducer would use a Keycloak user other than admin, for example test.

Another thing is that there is no point in specifying a password for a Ceph user when using SSO (ceph dashboard ac-user-create user -i password.file test). I would expect to be able to skip setting the password, for example ceph dashboard ac-user-create user --skip-password administrator

Thanks

Actions #2

Updated by Pedro González Gómez 8 months ago

  • Status changed from New to Triaged
  • Assignee set to Nizamudeen A

Actions #3

Updated by Sake Paulusma 8 months ago

We're also having the loop issue with PingFederate. If the user doesn't exist in the Dashboard, visiting the Dashboard URL results in an infinite loop.
