VMware Workspace ONE Community
VirtualSven
Hot Shot

Identity Manager 2.7 and Access Point 2.7, cannot login

I have an issue with Identity Manager 2.7 and Access Point 2.7. When a user tries to login through the Access Point, the login hangs. I see a rotating cursor-thingie in the middle. When I enter an incorrect password, I get the response immediately. The certificate seems to be correct on the Access Point, the users get to the login-screen of the portal.

Anyone have got this configuration working? Configuration of the Access Point:

  "Identifier": "WEB_REVERSE_PROXY",
  "enabled": true,
  "proxyDestinationURL": "https://vidmserver.example.com",
  "proxyPattern": "(/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*))",
  "unSecurePattern": "(/catalog-portal(.*)|/|/SAAS/|/SAAS|/SAAS/API/1.0/GET/image(.*)|/SAAS/horizon/css(.*)|/SAAS/horizon/angular(.*)|/SAAS/horizon/js(.*)|/SAAS/horizon/js-lib(.*)|/SAAS/auth/login(.*)|/SAAS/jersey/manager/api/branding|/SAAS/horizon/images/(.*)|/SAAS/jersey/manager/api/images/(.*)|/hc/(.*)/authenticate/(.*)|/hc/static/(.*)|/SAAS/auth/saml/response|/SAAS/auth/authenticatedUserDispatcher|/web(.*)|/SAAS/apps/|/SAAS/horizon/portal/(.*)|/SAAS/horizon/fonts(.*)|/SAAS/API/1.0/POST/sso(.*)|/SAAS/API/1.0/REST/system/info(.*)|/SAAS/API/1.0/REST/auth/cert(.*)|/SAAS/API/1.0/REST/oauth2/activate(.*)|/SAAS/API/1.0/GET/user/devices/register(.*)|/SAAS/API/1.0/oauth2/token(.*)|/SAAS/API/1.0/REST/oauth2/session(.*)|/SAAS/API/1.0/REST/user/resources(.*)|/hc/t/(.*)/(.*)/authenticate(.*)|/SAAS/API/1.0/REST/auth/logout(.*)|/SAAS/auth/saml/response(.*)|/SAAS/(.*)/(.*)auth/login(.*)|/SAAS/API/1.0/GET/apps/launch(.*)|/SAAS/API/1.0/REST/user/applications(.*)|/SAAS/auth/federation/sso(.*)|/SAAS/auth/oauth2/authorize(.*)|/hc/prepareSaml/failure(.*)|/SAAS/auth/oauthtoken(.*)|/SAAS/API/1.0/GET/metadata/idp.xml|/SAAS/auth/saml/artifact/resolve(.*)|/hc/(.*)/authAdapter(.*)|/hc/authenticate/(.*)|/SAAS/auth/logout|/SAAS/common.js|/SAAS/auth/launchInput(.*)|/SAAS/launchUsersApplication.do(.*)|/hc/API/1.0/REST/thinapp/download(.*)|/hc/t/(.*)/(.*)/logout(.*))",
  "authCookie": "HZN",
  "loginRedirectURL": "/SAAS/auth/login?dest=%s"

Sven Huisman VMware vExpert 2009-2016 Twitter: @svenh blog: svenhuisman.com
6 Replies
RGEORGET
Contributor

Hello,

I get a similar problem: once the login and password are sent, the login hangs.

Though, when I reload the page, the user gets authenticated (only with one authentication factor).

If I have two auth factors, the login fails.

Best regards,

0 Kudos
chadc1979
Enthusiast

Anyone get anywhere with this issue? I am experiencing the same thing, I imagine it's in the unSecurePattern or proxyPattern. I tried with and without the leading ( and ending ) in the documentation and still no luck. I did see errors in the audit log on vIDM that requests had been denied for malformed url, I'm thinking the list is either messed up or missing something.

0 Kudos
chadc1979
Enthusiast

Well I managed to get around the issue by deploying additional Access Points just for Identity Manager, I don't think it plays well trying to use a single Access Point for both View and Identity Manager.

Here is what I ended up using and so far so good and remember the admin functions won't work externally!

{
  "identifier": "WEB_REVERSE_PROXY",
  "enabled": true,
  "proxyDestinationUrl": "https://workspace.example.com:443",
  "healthCheckUrl": "/favicon.ico",
  "proxyPattern": "/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*)",
  "unSecurePattern": "/catalog-portal(.*)|/|/SAAS/|/SAAS|/SAAS/API/1.0/GET/image(.*)|/SAAS/horizon/css(.*)|/SAAS/horizon/angular(.*)|/SAAS/horizon/js(.*)|/SAAS/horizon/js-lib(.*)|/SAAS/auth/login(.*)|/SAAS/jersey/manager/api/branding|/SAAS/horizon/images/(.*)|/SAAS/jersey/manager/api/images/(.*)|/hc/(.*)/authenticate/(.*)|/hc/static/(.*)|/SAAS/auth/saml/response|/SAAS/auth/authenticatedUserDispatcher|/web(.*)|/SAAS/apps/|/SAAS/horizon/portal/(.*)|/SAAS/horizon/fonts(.*)|/SAAS/API/1.0/POST/sso(.*)|/SAAS/API/1.0/REST/system/info(.*)|/SAAS/API/1.0/REST/auth/cert(.*)|/SAAS/API/1.0/REST/oauth2/activate(.*)|/SAAS/API/1.0/GET/user/devices/register(.*)|/SAAS/API/1.0/oauth2/token(.*)|/SAAS/API/1.0/REST/oauth2/session(.*)|/SAAS/API/1.0/REST/user/resources(.*)|/hc/t/(.*)/(.*)/authenticate(.*)|/SAAS/API/1.0/REST/auth/logout(.*)|/SAAS/auth/saml/response(.*)|/SAAS/(.*)/(.*)auth/login(.*)|/SAAS/API/1.0/GET/apps/launch(.*)|/SAAS/API/1.0/REST/user/applications(.*)|/SAAS/auth/federation/sso(.*)|/SAAS/auth/oauth2/authorize(.*)|/hc/prepareSaml/failure(.*)|/SAAS/auth/oauthtoken(.*)|/SAAS/API/1.0/GET/metadata/idp.xml|/SAAS/auth/saml/artifact/resolve(.*)|/hc/(.*)/authAdapter(.*)|/hc/authenticate/(.*)|/SAAS/auth/logout|/SAAS/common.js|/SAAS/auth/launchInput(.*)|/SAAS/launchUsersApplication.do(.*)|/hc/API/1.0/REST/thinapp/download(.*)|/hc/t/(.*)/(.*)/logout(.*)",
  "authCookie": "HZN",
  "loginRedirectURL": "/SAAS/auth/login?dest=%s"
}


{
  "locale": "en_US",
  "adminPassword": "*****",
  "cipherSuites": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA",
  "honorCipherOrder": false,
  "ssl30Enabled": false,
  "tls10Enabled": false,
  "tls11Enabled": true,
  "tls12Enabled": true,
  "healthCheckUrl": "/favicon.ico",
  "cookiesToBeCached": "none",
  "ipMode": "STATICV4",
  "sessionTimeout": 36000000,
  "quiesceMode": false,
  "monitorInterval": 60
}

0 Kudos
opie81
Enthusiast

It seems like this is still a problem with Access Point 2.8. After looking at what is being sent and received, we are noticing that the HZN cookie is not getting set when accessing through the Access Point.

0 Kudos
opie81
Enthusiast

The spinning circle issue is most likely related to the HZN cookie not getting passed to the Identity Manager from the Access Point. I discovered that the default setting for cookiesToBeCached is set to *. This blocks the HZN cookie from getting passed, and it is why, if the PowerShell script is used for deployment, the login process works without issue, due to the setting "cookiesToBeCached": "none". I will have to do more testing, but I believe that this is the problem that everyone is having.


Nick
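The two failure modes discussed in this thread (a path that is not covered by proxyPattern/unSecurePattern, and the HZN auth cookie being held back by cookiesToBeCached) can be checked offline before touching the appliance. The script below is an added example, not code from the original posts or from VMware. It reuses the proxyPattern and a shortened subset of the unSecurePattern from chadc1979's working config, and it assumes two things that are not stated on the page: that the Access Point anchors each pattern against the whole request path (a full match), and that a comma-separated cookiesToBeCached value means "cache only these names". The sample request paths are constructed, not captured traffic.

```python
import re

# Patterns taken from the working Access Point config posted earlier in this
# thread (chadc1979). The unSecurePattern here is a representative subset of
# the full list, kept short for readability; paste the full string to lint it.
PROXY_PATTERN = r"/|/SAAS(.*)|/hc(.*)|/web(.*)|/catalog-portal(.*)"
UNSECURE_PATTERN = (
    r"/catalog-portal(.*)|/|/SAAS/|/SAAS|/SAAS/API/1.0/GET/image(.*)"
    r"|/SAAS/horizon/css(.*)|/SAAS/auth/login(.*)|/SAAS/auth/saml/response(.*)"
    r"|/SAAS/auth/authenticatedUserDispatcher|/hc/(.*)/authenticate/(.*)"
    r"|/SAAS/API/1.0/REST/auth/cert(.*)|/SAAS/auth/logout"
)
AUTH_COOKIE = "HZN"  # the authCookie value used in every config in this thread


def classify(path, proxy_pattern=PROXY_PATTERN, unsecure_pattern=UNSECURE_PATTERN):
    """Classify a request path the way the thread describes the appliance:
    'not-proxied'   -> no proxyPattern alternative matches, request is not forwarded
    'unsecure'      -> forwarded without requiring the auth cookie
    'auth-required' -> forwarded only when the authCookie is present
    Assumption: the appliance anchors each pattern against the whole path."""
    if not re.fullmatch(proxy_pattern, path):
        return "not-proxied"
    if re.fullmatch(unsecure_pattern, path):
        return "unsecure"
    return "auth-required"


def will_forward_auth_cookie(cookies_to_be_cached, auth_cookie=AUTH_COOKIE):
    """Model of the cookiesToBeCached behaviour reported by opie81:
    '*' keeps every cookie on the appliance (HZN never reaches vIDM),
    'none' forwards all cookies. A comma-separated list of names is treated
    as 'cache only these' (assumption, not verified against the product)."""
    setting = cookies_to_be_cached.strip()
    if setting == "none":
        return True
    if setting == "*":
        return False
    cached = {name.strip() for name in setting.split(",")}
    return auth_cookie not in cached


def diagnose(path, browser_has_auth_cookie, cookies_to_be_cached):
    """Combine both checks to predict what a user would see for one request."""
    kind = classify(path)
    if kind == "not-proxied":
        return "not-proxied"
    if kind == "unsecure":
        return "proxied-without-auth"
    if not browser_has_auth_cookie:
        return "redirect-to-login"      # appliance answers with loginRedirectURL
    if not will_forward_auth_cookie(cookies_to_be_cached):
        return "cookie-stripped"        # vIDM never sees HZN: the spinner case
    return "authenticated"


def orphan_unsecure_alternatives(unsecure_pattern=UNSECURE_PATTERN,
                                 proxy_pattern=PROXY_PATTERN):
    """Lint: every unSecurePattern alternative should also match proxyPattern,
    otherwise that 'unsecure' entry is dead. Each alternative becomes a sample
    path by replacing (.*) with a placeholder segment. Splitting on '|' is safe
    here because the thread's patterns contain no '|' inside parentheses."""
    orphans = []
    for alt in unsecure_pattern.split("|"):
        sample = alt.replace("(.*)", "x")
        if not re.fullmatch(proxy_pattern, sample):
            orphans.append(alt)
    return orphans


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for p in ("/", "/SAAS/auth/login?dest=%2FSAAS%2Fapps%2F",
              "/SAAS/jersey/manager/api/userinfo", "/admin/index.html"):
        print(f"{p:45} {classify(p)}")
    for setting in ("*", "none"):
        print(f"cookiesToBeCached={setting!r}:",
              diagnose("/SAAS/jersey/manager/api/userinfo", True, setting))
    print("orphan unsecure entries:", orphan_unsecure_alternatives())
```

Running it with the full unSecurePattern string from the thread in place of the subset is the useful case: any alternative reported as an orphan is unreachable, and `diagnose(...)` with the browser holding HZN and cookiesToBeCached set to `*` reproduces the "cookie-stripped" outcome opie81 describes, which is the state to look for in the appliance's outbound request headers when the spinner appears.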

ShadyMalatawey
Enthusiast

Hi All,

Actually, I deployed a pair of APs behind a LB using the PowerShell script, not OVF Tool. I used both of them as the entry point for both Identity Manager and View.

I attached the Swagger UI JSON parameters I used, after sanitizing them.

HTH.

Sincerely, Shady Ali El-Malatawey MCITP: Virtualization Administration 2008 VCP5-DCV/DT --- VCAP5-DCA/DCD @ShadyMalatawey https://virtualpharaohs.com
0 Kudos