ERR_TOO_MANY_REDIRECTS with Single-Sign-On on Azure Web App

info727 · September 11, 2017, 9:44am

I’m trying to deploy an Identity Provider on Azure Web App.
When trying to access the identity provider, it correctly redirects me to /idp on the same server, but it looks like it continues to redirect forever to
“https://domain.com/identities/idp/?sp=https%3A%2F%2Fdomain.com%2Fidentities%2F”.
I can’t even access https://domain.com/identities/idp directly

Here are the properties I’m using:


&#91;'cuba.automaticDatabaseUpdate' : true,
'cuba.idp.serviceProviderUrls' : "https://domain.com/identities/, https://domain.com/board/, https://domain.com/board/",
'cuba.idp.serviceProviderLogoutUrls' : "https://domain.com/identities/dispatch/idpc/logout, https://domain.com/board/dispatch/idpc/logout, https://domain.com/board/dispatch/idpc/logout",
'cuba.idp.trustedServicePassword' : "pass",

'cuba.web.externalAuthentication' : true,
'cuba.web.externalAuthenticationProviderClass' : "com.haulmont.cuba.web.auth.IdpAuthProvider",
'cuba.web.idp.baseUrl' : "https://domain.com/identities/idp/",
'cuba.web.idp.trustedServicePassword' : "pass",
'cuba.webAppUrl' : "https://domain.com/identities/"

domain.com is the correct domain of the identity provider.

The Azure Web app configuration is as follow:

Latest Tomcat 8.5
Java 8
Platform 64bit
Web Socket: yes
Always online: yes

Locally, a similar configuration is working ok

info727 · September 11, 2017, 9:47am

There are extraneuos “;” after the urls, they’re added by the forum parser and are not present in the original configuration.
Also, ignore the double domain.com/board in cuba.idp.serviceProviderUrls, they’re actually two different domains

artamonov · September 11, 2017, 12:32pm

Hi,

How do you deploy your applications to Azure Web? Do you use WAR / Single WAR deployment?

info727 · September 11, 2017, 12:39pm

Yes, that’s correct

artamonov · September 11, 2017, 12:40pm

Sorry, What deployment option do you use: WAR or Single WAR deployment ?

info727 · September 11, 2017, 12:43pm

Sorry, I used Single WAR first and tried the two wars afterward

artamonov · September 11, 2017, 12:45pm

As for Single WAR, IDP is currently unsupported for this deployment option: https://youtrack.cuba-platform.com/issue/PL-9427 We will implement it in the upcoming release 6.7.

Could you check your application with 2 separate WAR files ?

info727 · September 11, 2017, 1:10pm

I’m having the same problem with the two WARs

info727 · September 11, 2017, 1:13pm

I’m on 6.5.7 by the way, don’t know if it could be a problem

info727 · September 11, 2017, 2:39pm

I tried configuring it not to use https. Now I get “IDP server error, please see server log for details”.
Logs attached. Can’t find any error inside.

catalina.2017-09-11.log (17.0K)

localhost.2017-09-11.log (1.0K)

info727 · September 11, 2017, 3:09pm

Bumping for the attached logs

artamonov · September 11, 2017, 4:16pm

Unfortunately, there is no useful information in the logs. Is there app.log file in your logs directory?

We will try to reproduce the problem with 2 wars in Azure Web in a couple of days. If you have any additional details on your deployment please share them.

Also, I see that you use “JVM by: Azul Systems, Inc.”. We do not test our deployments with Azul and it may cause additional issues. I’d recommend that you use OpenJDK or OracleJDK builds if your application does require any specific features of this JVM.

Please note that we do not use order of topics on forum to prioritize them, thus “bumping” threads does not make any sense, such a messages only produce additional noise on forum.

info727 · September 11, 2017, 4:24pm

Sorry for the misunderstanding, the bump was not intended as a way to prioritize the thread. I added the logs editing the original answer (instead of adding another answer) so I wasn’t sure you would see them
The Azul JVM is the default provided by Azure Web Apps, and there is no app.log
Thank you very much for the assistance

artamonov · September 12, 2017, 7:24pm

I’ve checked Azure defaults of Azure Web applications and want to ask you details of your virtual network. IDP SSO feature of the platform uses direct server-to-server connection between IDP and Services to send authentication and account data. Could you please check if your VMs is accessible for each-other? Unfortunately, Azure requires paid account to check all the details of Azure Web deployment, so we cannot freely check it.

If you are interested in the additional help from our side we will be happy to provide direct assistance. You can find details on Consulting and Support via this link High productivity application development platform

artamonov · September 13, 2017, 5:55am

As for logs, do you use custom logging settings?

info727 · September 13, 2017, 8:52am

I’m not using any custom logging settings I’m aware of. Do you intend on Azure or on Cuba? Everything is default by the way. I’m getting the logs from the “LogFiles” directory set up by Azure Web app service.
The IDP installation I’m trying is standalone, so there are not multiple VMs involved. The error comes from using the same Cuba deployment both as IDP and Service - I’m basically just trying to log in on the Identity provider.
To be sure it wasn’t any error in configuring Cuba, I got it working on a docker container with Bitnami Tomcat docker image. I will try deploying the container today. Also, in both tests I’m using the same cloud database.

artamonov · September 13, 2017, 2:40pm

If you use default logging settings I’d strongly recommend that you set up logback.xml configuration in your Tomcat, since by default WARs will contain default logback.xml with logging to CONSOLE only, thus you will not be able to figure out what’s wrong with the application. See this description: Setting up Logging in Tomcat - CUBA Platform. Developer’s Manual

You can copy logback.xml from your local tomcat instance and specify its location in setenv.sh:


CATALINA_OPTS="-Xmx512m -Dfile.encoding=UTF-8"
CATALINA_OPTS="$CATALINA_OPTS -Dlogback.configurationFile=../conf/logback.xml"

After you configure your logging we can check if there are any problems with IDP setup.

info727 · September 14, 2017, 1:31pm

I finally managed to get it working changing the approach.
Since Azure Web App doesn’t allow Tomcat configuration by default, I had to create a custom Docker image to use the Web App service. I integrated some suggestion found at [url=https://www.road-to-cuba-and-beyond.com/put-a-island-into-a-box-how-to-dockerize-your-cuba-app/]https://www.road-to-cuba-and-beyond.com/put-a-island-into-a-box-how-to-dockerize-your-cuba-app/[/url], then made some customizations for the Azure infrastructure (for example, to allow getting the logs from the Docker container).
The particular issue I was having was resolved adding

<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" proxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" />

inside the localhost section in server.xml. May it be an useful addition to the default server.xml?

I made a GitHub repository with the docker image here:
[url=https://github.com/gmlion/docker-cuba]https://github.com/gmlion/docker-cuba[/url]

artamonov · September 14, 2017, 1:51pm

Hi,

Good to hear that you set up the configuration.

Thank you for sharing your solution! It is definitely useful for the community.

info727 · September 14, 2017, 4:41pm

Sadly I was only able to log on the IDP itself, but logging from the other Service providers is not working.
You said “IDP SSO feature of the platform uses direct server-to-server connection between IDP and Services to send authentication and account data.”

Could you elaborate a bit on that? Are there ports you need access on the IDP, or both IDP and service?