rancher: SAML - Authentication pop up always show 404 on HA Rancher installs

What kind of request is this: Bug

Steps to reproduce:

Only reproduces on HA setups

  • Install Rancher HA RKE
  • As admin, go and try to enable a SAML-based auth. I used Okta and Keycloak.
  • After entering the correct credentials, the popup should redirect to Rancher and close itself.

Result:

Instead the pop up shows a 404 Page Not Found

Other details that may be helpful:

This is only reproducible in HA; a single Docker install works.

Not much info in logs

2021/02/05 17:05:03 [TRACE] REST GET apis/management.cattle.io/v3//tokens/token-rmlwj
2021/02/05 17:05:03 [DEBUG] Triggering auth refresh on user-855c9
2021/02/05 17:05:03 [DEBUG] Skipping refresh for user-855c9 due to max-age
2021/02/05 17:05:03 [TRACE] GET: 9.215187ms, authconfigs
2021/02/05 17:05:07 [DEBUG] Wrote ping
2021/02/05 17:05:07 [DEBUG] Wrote ping
2021/02/05 17:05:07 [DEBUG] Wrote ping
2021/02/05 17:05:07 [DEBUG] Wrote ping
2021/02/05 17:05:08 [DEBUG] Wrote ping
2021/02/05 17:05:08 [DEBUG] Wrote ping
2021/02/05 17:05:11 [TRACE] REST GET apis/management.cattle.io/v3//tokens/token-rmlwj
2021/02/05 17:05:11 [DEBUG] Triggering auth refresh on user-855c9
2021/02/05 17:05:11 [DEBUG] Skipping refresh for user-855c9 due to max-age
2021/02/05 17:05:11 [TRACE] GET: 25.752975ms, authconfigs
2021/02/05 17:05:11 [TRACE] REST UPDATE api//v1/cattle-global-data/secrets/keycloakconfig-spkey
2021/02/05 17:05:11 [TRACE] GET: 13.81793ms, authconfigs
2021/02/05 17:05:11 [TRACE] GET: 15.836876ms, authconfigs
2021/02/05 17:05:11 [TRACE] REST GET apis/management.cattle.io/v3//tokens/token-rmlwj
2021/02/05 17:05:11 [DEBUG] Triggering auth refresh on user-855c9
2021/02/05 17:05:11 [DEBUG] Skipping refresh for user-855c9 due to max-age
2021/02/05 17:05:11 [TRACE] GET: 3.488143ms, authconfigs
2021/02/05 17:05:11 [TRACE] REST GET apis/management.cattle.io/v3//authconfigs/keycloak
2021/02/05 17:05:11 [TRACE] REST GET api//v1/cattle-global-data/secrets/keycloakconfig-spkey
2021/02/05 17:05:12 [DEBUG] Wrote ping
2021/02/05 17:05:12 [DEBUG] Wrote ping
2021/02/05 17:05:12 [TRACE] REST GET apis/management.cattle.io/v3//tokens/token-rmlwj
2021/02/05 17:05:12 [DEBUG] Triggering auth refresh on user-855c9
2021/02/05 17:05:12 [DEBUG] Skipping refresh for user-855c9 due to max-age
2021/02/05 17:05:12 [DEBUG] Wrote ping
2021/02/05 17:05:12 [DEBUG] Wrote ping
2021/02/05 17:05:13 [DEBUG] Wrote ping
2021/02/05 17:05:13 [DEBUG] Wrote ping
2021/02/05 17:05:13 [TRACE] REST LIST api//v1//componentstatuses

Environment information

  • Rancher version:
    • master-head (02/05/2021) fbe2c30
    • v2.5-head (02/05/2021) 8201e08
  • Installation option: HA

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 17 (10 by maintainers)

Most upvoted comments

@I have no objections. It’s listed in the published release note and is also linked to from the original PR if we need to track it from GH.

Hi all !

I solved this problem; maybe it's not caused by Rancher server. The problem is the LoadBalancer or Ingress Controller. In my case (and most systems use NGINX Ingress), we must add these annotations to fix this:

ingress:
  extraAnnotations:
    nginx.ingress.kubernetes.io/affinity: cookie
    nginx.ingress.kubernetes.io/affinity-mode: persistent
    nginx.ingress.kubernetes.io/session-cookie-name: route

And then we can scale Rancher Server to replicas=3 or more!
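
A toy model of why cookie affinity can change the outcome reported in this thread, added here as an illustration; it is not from the thread and is not Rancher's or ingress-nginx's code. It assumes, as a model only, that the state needed to answer the SAML callback exists only on the replica that started the login; `Replica`, `Ingress`, `login_flow` and `run` are hypothetical names.

```python
import itertools

class Replica:
    """One server pod. Pending-login state lives only in its memory (assumption)."""
    def __init__(self, name):
        self.name = name
        self.pending = set()

    def start_login(self, request_id):
        self.pending.add(request_id)   # remember the login we started
        return 302                     # redirect the popup to the IdP

    def callback(self, request_id):
        if request_id in self.pending: # only the issuing replica knows it
            self.pending.discard(request_id)
            return 200
        return 404                     # what the popup shows in the report

class Ingress:
    """Round-robin balancer with optional cookie affinity.
    Simplified: the cookie stores a backend index; a real ingress stores an opaque value."""
    def __init__(self, replicas, affinity=False, cookie_name="route"):
        self.replicas = replicas
        self.affinity = affinity
        self.cookie_name = cookie_name
        self._rr = itertools.cycle(range(len(replicas)))

    def route(self, cookies):
        if self.affinity and self.cookie_name in cookies:
            return self.replicas[int(cookies[self.cookie_name])]
        idx = next(self._rr)
        if self.affinity:
            cookies[self.cookie_name] = str(idx)  # pin this browser to idx
        return self.replicas[idx]

def login_flow(ingress, request_id):
    cookies = {}  # cookie jar of the auth popup (constructed sample)
    ingress.route(cookies).start_login(request_id)
    return ingress.route(cookies).callback(request_id)  # IdP posts back

def run(n_replicas, affinity, attempts=6):
    replicas = [Replica(f"rancher-{i}") for i in range(n_replicas)]
    ingress = Ingress(replicas, affinity)
    return [login_flow(ingress, f"req-{i}") for i in range(attempts)]

if __name__ == "__main__":
    print("single replica      :", run(1, affinity=False))
    print("3 replicas, no pin  :", run(3, affinity=False))
    print("3 replicas, affinity:", run(3, affinity=True))
```

In this model the single-replica case and the affinity case complete every login, while three replicas behind plain round-robin return 404 on every callback.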