Question

SAML SSO fails when accessed from the Web Server.

  • 1 August 2023
  • 9 replies
  • 330 views

Badge +6

Stuck trying to get SAML SSO sorted in a test environment before moving into Prod. Followed the procedure at Using Active Directory Federation Services as Your Identity Provider (commvault.com), and SSO for Command Center or Web Console works fine on every other machine bar the CommServe box hosting the web server. It just prompts the authentication box two times before defaulting to non-SSO.

Non-SSO logins via domain creds work fine. The CommCell browser DOES work fine using SSO on the web server box! It's just browser access. Using LiveSync and failing over to the secondary CommServe results in the problem moving, with web access restored on the previous primary server. The problem then afflicts the secondary (now primary). I have tried running "in private" browser sessions and clearing the cache with no result. What logs will monitor the transactions with the IdP to help me troubleshoot the issue? The web server logs show nothing.


9 replies

Userlevel 3
Badge +10

@Glenno 

Please create a support case to investigate this. We need to verify the configuration as well as the logs.

Badge +6

@Navneet Singh indeed I would love to! This is currently a proof-of-concept platform on an extended trial licence pending deployment of the production system! No CommCell ID equals no way to log a case. Welcome to my world! :-)

Userlevel 1
Badge +3

Hi @Glenno,

Good day!

The SAML request must be recorded in webserver.log and webconsole.log. Additionally, we can enable the SAML Tracer extension in your browser to trace the SAML requests.

https://chrome.google.com/webstore/detail/saml-tracer/mpdajninpobndbfcldcmbpnnbhibjmch

It would be required to validate how the SAML configuration is done in your environment and how the request is passed to the IdP, to understand the issue better here.

Which IdP is configured as the SAML app here?

Is it possible for you to attach some screenshots of the errors and the configuration in your environment?

Thanks,
Naresh G
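
For a box that cannot install the SAML Tracer extension, the same information can be recovered by decoding the SAMLRequest parameter of the redirect to the IdP by hand: the SAML 2.0 HTTP-Redirect binding is raw DEFLATE, then base64, then URL-encoding. The following PowerShell is an added example, not code from this thread or from Commvault. The AuthnRequest XML, the hostnames and the paths in it are constructed placeholders for illustration; with a real redirect URL copied from the browser address bar, `ConvertFrom-SamlRedirectUrl` prints what the service provider actually sent.

```powershell
# Added example, not from the thread or from Commvault.
# Decodes the SAMLRequest carried in an HTTP-Redirect binding URL
# (raw DEFLATE -> base64 -> URL-encoded), which is what SAML Tracer shows.
# HTTP-POST binding values are base64 only (no DEFLATE) and are not handled here.

function ConvertFrom-SamlRedirectUrl {
    param([Parameter(Mandatory)][string]$Url)

    # Parse the query string by hand (no System.Web dependency).
    $query  = ($Url -replace '^[^?]*\?', '') -replace '#.*$', ''
    $params = @{}
    foreach ($pair in ($query -split '&')) {
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2) { $params[$kv[0]] = $kv[1] }
    }
    $value = $params['SAMLRequest']
    if (-not $value) { $value = $params['SAMLResponse'] }
    if (-not $value) { throw 'No SAMLRequest or SAMLResponse parameter in URL' }

    # Undo URL-encoding, then base64, then raw DEFLATE (no zlib/gzip header).
    $bytes = [Convert]::FromBase64String([System.Uri]::UnescapeDataString($value))
    $in    = New-Object System.IO.MemoryStream(,$bytes)
    $def   = New-Object System.IO.Compression.DeflateStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    $sr    = New-Object System.IO.StreamReader($def, [System.Text.Encoding]::UTF8)
    try { $sr.ReadToEnd() } finally { $sr.Dispose() }
}

function ConvertTo-SamlRedirectParam {
    # Inverse of the above, used here only to build a sample URL offline.
    param([Parameter(Mandatory)][string]$Xml)
    $out = New-Object System.IO.MemoryStream
    $def = New-Object System.IO.Compression.DeflateStream($out, [System.IO.Compression.CompressionMode]::Compress, $true)
    $raw = [System.Text.Encoding]::UTF8.GetBytes($Xml)
    $def.Write($raw, 0, $raw.Length)
    $def.Dispose()   # flushes the final DEFLATE block into $out
    [System.Uri]::EscapeDataString([Convert]::ToBase64String($out.ToArray()))
}

# Constructed AuthnRequest. adfs.example.com, commserve.example.com and the
# /webconsole paths are hypothetical placeholders, not Commvault's real endpoints.
$authnRequest = @"
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_7a1b2c3d" Version="2.0" IssueInstant="2023-08-01T01:02:03Z"
    Destination="https://adfs.example.com/adfs/ls/"
    AssertionConsumerServiceURL="https://commserve.example.com/webconsole/samlAcs"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://commserve.example.com/webconsole</saml:Issuer>
</samlp:AuthnRequest>
"@

$url = 'https://adfs.example.com/adfs/ls/?SAMLRequest=' + (ConvertTo-SamlRedirectParam $authnRequest) +
       '&RelayState=' + [System.Uri]::EscapeDataString('https://commserve.example.com/commandcenter/')

$decoded = ConvertFrom-SamlRedirectUrl $url
$x = [xml]$decoded
[pscustomobject][ordered]@{
    Issuer       = $x.AuthnRequest.Issuer
    Destination  = $x.AuthnRequest.Destination
    ACS          = $x.AuthnRequest.AssertionConsumerServiceURL
    IssueInstant = $x.AuthnRequest.IssueInstant
    RoundTrip    = ($decoded -eq $authnRequest)
}
```

On the affected server, compare the decoded Issuer and AssertionConsumerServiceURL with the hostname shown in the browser address bar and with the relying party trust configured in AD FS; if the browser is reaching the site by a different name (short name, localhost, alias) than the one the SP is registered with, that is the first thing to rule out. If no redirect URL is ever produced, there is nothing to decode, which is itself a useful data point.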

Badge +6

@Naresh G greatly appreciate your reply. The IdP is ADFS and the configuration followed the previously provided link. I might be able to get some screenshots of logs. The system is air-gapped. The error is just that the original authentication window that pops up when I enter the Command Center URL just returns after the user and password are entered. On any other machine the auth is accepted, the web page opens, credentials are populated, the user is logged in and the landing page displays. The server does not have Chrome installed, but I may be able to resolve that problem if the tool you posted can be installed without the browser having direct access to the Internet.

Userlevel 1
Badge +3

@Glenno

Just wanted to confirm here: the SAML redirection is not happening, it just goes to the normal Web Console login page and stays on the normal login page, is that correct?

What happens if you try using the email address instead of the username during the login attempt using SAML auth?

But on other machines, the login using SAML auth is working fine as expected, correct me if I am wrong?

If this is the case, I suspect the issue to be related to the local cache on the machine on which you are facing the issue. If not, then try uploading some screenshots of the issue for better understanding.

And if possible, try creating a new case with the Eval CCID to have a look at the issue over a remote session here.

Thanks,
Naresh G

Badge +6

@Naresh G when selecting the favourite link for the Command Center page, the Windows auth prompt is displayed, not the sign-in on the Commvault page. After two failed attempts it falls back to the Command Center page with "try again or try without SSO". Email addresses are not used in this environment and are not set in the trust relationship rules. Yes, it works perfectly on any other box other than the active web server, including the inactive one! If I use the Command Center or Web Console shortcuts in the CommCell browser app, it just logs straight in with no auth windows popped. I have tried clearing browsing history and in-private sessions. Many thanks!

Userlevel 1
Badge +3

@Glenno 

For your information, when the SAML app is configured properly and you try to log in using the user, it must redirect to the IdP site for authentication, and once authenticated, the Command Center login will complete successfully.

But as per your previous update, it does not look to be redirecting at all, hence I suspect that it is something with the configuration itself. But we would need to review the configuration and environment for a better understanding of the issue.

Could you please use an Eval CCID or active CCID in your environment and create a new case by reaching out to our customer support?

That way we would be happy to review the environment and help you proceed further.

Thanks,
Naresh G

Badge +6

@Naresh G thanks for the reply. Will look at logging a case. I checked the WebConsole log and found the following. There are no entries in the WebServer logs at the same time. Note this only happens when trying to log in to Command Center or Web Console on the same box the web server is currently running on. Logging on anywhere else works fine, so how is it a config issue? If I move the active CommServe and web server via LiveSync, the problem moves to the new server and access is no problem on the old one.


Userlevel 1
Badge +3

@Glenno Thank you for the confirmation.

So here, the CommServe and web server are on the same machine, and logging in from the same machine is not working as expected. But from other machines, it is working fine.

  1. Please stop Tomcat on the web server and perform an IISReset once. Start the Tomcat service and try using Command Center again from a different browser.
  2. Add the Web Console URL to Trusted Sites on the server where you are facing the issue and check once.

If the issue persists, it is advised to log a case with us to review the environment and suggest accordingly.

Thanks,
Naresh G
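
The two steps above, scripted so they can be repeated identically after each LiveSync failover, as an added example that is not part of the thread or of Commvault's documentation. It assumes the Commvault Tomcat service is named `GxTomcatInstance001` (confirm with `Get-Service *Tomcat*` before running) and that the Command Center / Web Console is reached as `commserve.example.com`, a hypothetical hostname; run it in an elevated PowerShell on the affected CommServe/web server box.

```powershell
# Added example, not from the thread or from Commvault.
# Assumptions: Tomcat service name 'GxTomcatInstance001' (verify with Get-Service *Tomcat*);
# Command Center host 'commserve.example.com' (hypothetical). Requires an elevated shell.

function Restart-WebStack {
    param([string]$TomcatService = 'GxTomcatInstance001')

    # Step 1 from the reply: stop Tomcat, reset IIS, then start Tomcat again.
    Stop-Service -Name $TomcatService -Force
    (Get-Service -Name $TomcatService).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(120))

    & "$env:SystemRoot\System32\iisreset.exe" /restart
    if ($LASTEXITCODE -ne 0) { throw "iisreset failed with exit code $LASTEXITCODE" }

    Start-Service -Name $TomcatService
    (Get-Service -Name $TomcatService).WaitForStatus('Running', [TimeSpan]::FromSeconds(120))

    # Return the final state of both halves of the stack so the caller can check it.
    Get-Service -Name $TomcatService, 'W3SVC' | Select-Object Name, Status
}

function Add-TrustedSite {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [ValidateSet('http', 'https')][string]$Scheme = 'https'
    )
    # Step 2 from the reply: put the URL in the Trusted Sites zone (zone value 2)
    # for the current user. Windows stores ZoneMap entries as Domains\<domain>\<host>,
    # so 'commserve.example.com' becomes Domains\example.com\commserve with a
    # DWORD named after the scheme. A single-label host goes directly under Domains.
    $base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $labels = $HostName.Split('.')
    if ($labels.Count -gt 1) {
        $domain = $labels[1..($labels.Count - 1)] -join '.'
        $key    = Join-Path (Join-Path $base $domain) $labels[0]
    } else {
        $key    = Join-Path $base $HostName
    }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name $Scheme -PropertyType DWord -Value 2 -Force | Out-Null

    # Read it back so the result is visible and can be checked.
    Get-ItemProperty -Path $key | Select-Object PSPath, $Scheme
}

Restart-WebStack
Add-TrustedSite -HostName 'commserve.example.com' -Scheme 'https'
```

Two caveats a practitioner will want: `Stop-Service -Force` also stops anything that depends on the Tomcat service, so check `Get-Service` dependents first on a production box; and if the server receives a "Site to Zone Assignment List" Group Policy, the per-user ZoneMap entry written here is ignored in favour of the policy list, so the zone must be changed there instead (check `HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey` and the HKLM equivalent to see whether that policy is in effect).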
