ERR_TOO_MANY_REDIRECTS with Single-Sign-On on Azure Web App

I’m trying to deploy an Identity Provider on Azure Web App.
When trying to access the identity provider, it correctly redirects me to /idp on the same server, but it looks like it continues to redirect forever to
"https://domain.com/identities/idp/?sp=https%3A%2F%2Fdomain.com%2Fidentities%2F".
I can’t even access https://domain.com/identities/idp directly.

Here are the properties I’m using:


['cuba.automaticDatabaseUpdate' : true,
 'cuba.idp.serviceProviderUrls' : "https://domain.com/identities/, https://domain.com/board/, https://domain.com/board/",
 'cuba.idp.serviceProviderLogoutUrls' : "https://domain.com/identities/dispatch/idpc/logout, https://domain.com/board/dispatch/idpc/logout, https://domain.com/board/dispatch/idpc/logout",
 'cuba.idp.trustedServicePassword' : "pass",

 'cuba.web.externalAuthentication' : true,
 'cuba.web.externalAuthenticationProviderClass' : "com.haulmont.cuba.web.auth.IdpAuthProvider",
 'cuba.web.idp.baseUrl' : "https://domain.com/identities/idp/",
 'cuba.web.idp.trustedServicePassword' : "pass",
 'cuba.webAppUrl' : "https://domain.com/identities/"]

domain.com is the correct domain of the identity provider.

The Azure Web App configuration is as follows:

  • Latest Tomcat 8.5
  • Java 8
  • Platform 64bit
  • Web Socket: yes
  • Always online: yes

Locally, a similar configuration is working OK.

There are extraneous “;” after the URLs; they’re added by the forum parser and are not present in the original configuration.
Also, ignore the double domain.com/board in cuba.idp.serviceProviderUrls; they’re actually two different domains.

Hi,

How do you deploy your applications to Azure Web? Do you use WAR / Single WAR deployment?

Yes, that’s correct.

Sorry, what deployment option do you use: WAR or Single WAR deployment?

Sorry, I used Single WAR first and tried the two WARs afterward.

As for Single WAR, IDP is currently unsupported for this deployment option: https://youtrack.cuba-platform.com/issue/PL-9427. We will implement it in the upcoming release 6.7.

Could you check your application with 2 separate WAR files?

I’m having the same problem with the two WARs.

I’m on 6.5.7 by the way, don’t know if it could be a problem.

I tried configuring it not to use https. Now I get “IDP server error, please see server log for details”.
Logs attached. Can’t find any error inside.

catalina.2017-09-11.log (17.0K)

localhost.2017-09-11.log (1.0K)

Bumping for the attached logs.

Unfortunately, there is no useful information in the logs. Is there an app.log file in your logs directory?

We will try to reproduce the problem with 2 wars in Azure Web in a couple of days. If you have any additional details on your deployment please share them.

Also, I see that you use “JVM by: Azul Systems, Inc.”. We do not test our deployments with Azul and it may cause additional issues. I’d recommend that you use OpenJDK or OracleJDK builds if your application does require any specific features of this JVM.

Please note that we do not use the order of topics on the forum to prioritize them, thus “bumping” threads does not make any sense; such messages only produce additional noise on the forum.

Sorry for the misunderstanding, the bump was not intended as a way to prioritize the thread. I added the logs by editing the original answer (instead of adding another answer), so I wasn’t sure you would see them.
The Azul JVM is the default provided by Azure Web Apps, and there is no app.log.
Thank you very much for the assistance.

I’ve checked Azure defaults of Azure Web applications and want to ask you for details of your virtual network. The IDP SSO feature of the platform uses a direct server-to-server connection between IDP and Services to send authentication and account data. Could you please check if your VMs are accessible to each other? Unfortunately, Azure requires a paid account to check all the details of Azure Web deployment, so we cannot freely check it.

If you are interested in additional help from our side we will be happy to provide direct assistance. You can find details on Consulting and Support via this link: https://www.cuba-platform.com/consulting-and-development

As for logs, do you use custom logging settings?

I’m not using any custom logging settings I’m aware of. Do you mean on Azure or on Cuba? Everything is default, by the way. I’m getting the logs from the “LogFiles” directory set up by the Azure Web App service.
The IDP installation I’m trying is standalone, so there aren’t multiple VMs involved. The error comes from using the same Cuba deployment both as IDP and Service - I’m basically just trying to log in on the Identity Provider.
To be sure it wasn’t any error in configuring Cuba, I got it working in a Docker container with the Bitnami Tomcat Docker image. I will try deploying the container today. Also, in both tests I’m using the same cloud database.

If you use default logging settings I’d strongly recommend that you set up a logback.xml configuration in your Tomcat, since by default the WARs will contain a default logback.xml with logging to CONSOLE only, thus you will not be able to figure out what’s wrong with the application. See this description: https://doc.cuba-platform.com/manual-6.6/logging_setup_tomcat.html

You can copy logback.xml from your local tomcat instance and specify its location in setenv.sh:


CATALINA_OPTS="-Xmx512m -Dfile.encoding=UTF-8"
CATALINA_OPTS="$CATALINA_OPTS -Dlogback.configurationFile=../conf/logback.xml"

After you configure your logging we can check if there are any problems with IDP setup.

I finally managed to get it working by changing the approach.
Since Azure Web App doesn’t allow Tomcat configuration by default, I had to create a custom Docker image to use the Web App service. I integrated some suggestions found at https://www.road-to-cuba-and-beyond.com/put-a-island-into-a-box-how-to-dockerize-your-cuba-app/, then made some customizations for the Azure infrastructure (for example, to allow getting the logs from the Docker container).
The particular issue I was having was resolved by adding

<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" />

inside the localhost section in server.xml. May it be a useful addition to the default server.xml?

I made a GitHub repository with the docker image here:
https://github.com/gmlion/docker-cuba

1 Like
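An added illustration (not from the thread or the CUBA project) of why the redirect loop above happens behind a TLS-terminating front end and what honouring X-Forwarded-Proto, as RemoteIpValve does, changes; the base URL, proxy address and header values are constructed stand-ins, and the trusted-proxy range models the valve's internalProxies check.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed stand-ins for the thread's values.
BASE_URL = "https://domain.com/identities/idp/"
# RemoteIpValve only honours forwarded headers from internalProxies (its
# default covers RFC 1918 ranges); one constructed range models the front end.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

@dataclass
class Request:
    scheme: str                 # scheme on the socket Tomcat actually accepted
    host: str
    path: str
    peer: str                   # immediate peer address (proxy or client)
    headers: dict = field(default_factory=dict)

def effective_scheme(req: Request, honour_forwarded: bool) -> str:
    """Scheme the app believes it was reached with (what the valve sets)."""
    trusted = any(ip_address(req.peer) in net for net in TRUSTED_PROXIES)
    if honour_forwarded and trusted:
        return req.headers.get("x-forwarded-proto", req.scheme).lower()
    return req.scheme           # untrusted peers cannot claim https

def idp_response(req: Request, honour_forwarded: bool):
    """('ok', None), or ('redirect', location) enforcing the configured scheme."""
    want = urlsplit(BASE_URL)
    if effective_scheme(req, honour_forwarded) != want.scheme:
        return "redirect", f"{want.scheme}://{req.host}{req.path}"
    return "ok", None

def browse(client_url: str, honour_forwarded: bool, max_hops: int = 5):
    """Client -> TLS-terminating front end -> Tomcat. Returns the hop count
    at which a 200 arrives, or None once a browser would report a loop."""
    url = client_url
    for hop in range(1, max_hops + 1):
        parts = urlsplit(url)
        # The front end terminates TLS and hands Tomcat plain HTTP plus a header.
        req = Request("http", parts.netloc, parts.path, "10.0.0.4",
                      {"x-forwarded-proto": parts.scheme})
        status, location = idp_response(req, honour_forwarded)
        if status == "ok":
            return hop
        url = location
    return None

if __name__ == "__main__":
    print(browse(BASE_URL, honour_forwarded=False))  # None: the loop in the thread
    print(browse(BASE_URL, honour_forwarded=True))   # 1: valve honours the header
```

Without the valve Tomcat sees every request as plain HTTP and keeps redirecting to https, which the front end again delivers as http; with it, the forwarded scheme is accepted only from the trusted proxy range, so a client on the public side cannot forge it.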

Hi,

Good to hear that you set up the configuration.

Thank you for sharing your solution! It is definitely useful for the community.

1 Like

Sadly I was only able to log in on the IDP itself, but logging in from the other Service Providers is not working.
You said “IDP SSO feature of the platform uses direct server-to-server connection between IDP and Services to send authentication and account data.”

Could you elaborate a bit on that? Are there ports you need access to on the IDP, or on both IDP and service?