Troubleshooting OIDC Authentication Issue with Datahub UI - SSO Integration Error

Original Slack Thread

Hello, wondering if I can get some help in UI issue.
I am running Datahub on EKS, and have the necessary services up and running - no issues in deploying nor any errors captured in the pods.
I am able to bring up the Datahub UI; however, I am getting the below error message when trying to login. I am using the OIDC Authentication specified in the docs; however, I am integrating with an internal-to-my-company ADFS solution.

“Failed to redirect to Single Sign-On provider. Please contact your Datahub Administrator, or refer to server logs for more information”

The only error message I see is captured below - this error message is on the pod that runs the datahub-frontend service

ERROR controllers.AuthenticationController - Caught exception while attempting to redirect to SSO identity provider! It’s likely that SSO integration is mis-configured

When I look at the UI, I see the below error:
POST https:[datahub-endpoint]/track net:: ERR_ABORTED 401 (unauthorized)

Attached are some screenshots that can give further context. Any help/guidance is much appreciated, thank you!

Hmm- this looks like it could be a number of things. I would have to take a look at your configuration to debug!

any particular configs you’d want to look at? Just a note - I did convert the helm charts to kube files and apply those to the cluster

Here are the values that are passed into the frontend service (attachment `datahub-values-dev.yaml`; only the first lines of the preview survived):

```yaml
datahub-frontend:
  ingress:
    enabled: true
    annotations:
```

Hi Heley, here’s what we usually see for ssoSettings (which should map to what you have set in extraEnvs via helm) for someone using Okta with group extraction enabled. As you’re using an internal SSO provider it may look a bit different but might be a good place to start

```json
{
    "enabled": true,
    "clientId": "{redacted}",
    "clientSecret": "{redacted}",
    "discoveryUri": "https://{customer}.okta.com/.well-known/openid-configuration",
    "userNameClaim": "preferred_username",
    "userNameClaimRegex": ".*",
    "preferredJwsAlgorithm": null,
    "scope": "openid profile email groups",
    "clientAuthenticationMethod": "client_secret_basic",
    "jitProvisioningEnabled": null,
    "preProvisioningRequired": null,
    "extractGroupsEnabled": true,
    "groupsClaim": "groups",
    "responseType": null,
    "responseMode": null,
    "useNonce": null,
    "readTimeout": null,
    "extractJwtAccessTokenClaims": null,
    "__typename": "OidcSettings"
}
```
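
An added example to go with the settings above (not code from the thread or from the DataHub project): a small checker that compares the ssoSettings keys shown in the thread (`discoveryUri`, `scope`, `clientAuthenticationMethod`, `userNameClaim`, `groupsClaim`, `preferredJwsAlgorithm`) against what the identity provider advertises in its OpenID Connect discovery document. The discovery document and settings embedded below are constructed samples modelled on an ADFS-style provider; the hostnames, claim names and scope names are illustrative assumptions, not values from any real tenant. Running it shows why an Okta-flavoured template does not carry over unchanged: the `groups` scope and the `preferred_username`/`groups` claims are simply not offered by the sample provider.

```python
"""Offline sanity check of DataHub-style OIDC ssoSettings against a
provider's OpenID Connect discovery document (added example, not project code).

Settings keys mirror the ssoSettings posted in the thread; discovery keys are
the standard OpenID Connect Discovery 1.0 metadata names.
"""
import json
from urllib.request import urlopen  # used only by fetch_discovery(); the demo is offline

# Constructed sample of what /.well-known/openid-configuration might return for
# an ADFS-style provider. Hostnames and values are illustrative, not a real tenant.
SAMPLE_DISCOVERY = {
    "issuer": "https://idp.example.internal/adfs",
    "authorization_endpoint": "https://idp.example.internal/adfs/oauth2/authorize/",
    "token_endpoint": "https://idp.example.internal/adfs/oauth2/token/",
    "jwks_uri": "https://idp.example.internal/adfs/discovery/keys",
    "scopes_supported": ["openid", "profile", "email", "allatclaims"],
    "claims_supported": ["sub", "iss", "aud", "exp", "iat", "upn", "unique_name"],
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Constructed settings copied from the Okta-style template in the thread.
SAMPLE_SETTINGS = {
    "enabled": True,
    "clientId": "REDACTED-CLIENT-ID",  # placeholder, not a real client id
    "discoveryUri": "https://idp.example.internal/adfs/.well-known/openid-configuration",
    "userNameClaim": "preferred_username",
    "scope": "openid profile email groups",
    "clientAuthenticationMethod": "client_secret_basic",
    "extractGroupsEnabled": True,
    "groupsClaim": "groups",
    "preferredJwsAlgorithm": None,
}

# The same settings adjusted to what the sample provider actually advertises.
ADJUSTED_SETTINGS = {
    **SAMPLE_SETTINGS,
    "scope": "openid profile email allatclaims",
    "userNameClaim": "upn",
    "extractGroupsEnabled": False,
}

# Without these the frontend cannot even build the redirect to the IdP.
REQUIRED_ENDPOINTS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def fetch_discovery(discovery_uri: str, timeout: float = 5.0) -> dict:
    """Fetch and parse a live discovery document (network; not used offline)."""
    with urlopen(discovery_uri, timeout=timeout) as resp:
        return json.load(resp)


def check_oidc_settings(settings: dict, discovery: dict) -> list[str]:
    """Return human-readable mismatches; an empty list means the settings are
    consistent with what the provider advertises."""
    problems: list[str] = []

    if settings.get("enabled") is not True:
        problems.append("ssoSettings.enabled must be true for the login page to redirect")
    if not settings.get("clientId"):
        problems.append("clientId is empty")

    for key in REQUIRED_ENDPOINTS:
        if not discovery.get(key):
            problems.append(f"discovery document lacks required field '{key}'")

    # Every requested scope should be one the provider lists (if it lists any).
    requested = settings.get("scope", "").split()
    if "openid" not in requested:
        problems.append("scope must include 'openid'")
    supported_scopes = discovery.get("scopes_supported")
    if supported_scopes is not None:
        for s in requested:
            if s not in supported_scopes:
                problems.append(f"scope '{s}' is not advertised in scopes_supported")

    # Token endpoint auth method must be one the provider accepts.
    method = settings.get("clientAuthenticationMethod")
    methods = discovery.get("token_endpoint_auth_methods_supported")
    if method and methods is not None and method not in methods:
        problems.append(f"clientAuthenticationMethod '{method}' not in {methods}")

    # claims_supported is optional metadata, so only warn when it is present.
    claims = discovery.get("claims_supported")
    if claims is not None:
        wanted = [settings.get("userNameClaim")]
        if settings.get("extractGroupsEnabled"):
            wanted.append(settings.get("groupsClaim"))
        for c in wanted:
            if c and c not in claims:
                problems.append(f"claim '{c}' is not advertised in claims_supported")

    alg = settings.get("preferredJwsAlgorithm")
    algs = discovery.get("id_token_signing_alg_values_supported")
    if alg and algs is not None and alg not in algs:
        problems.append(f"preferredJwsAlgorithm '{alg}' is not offered by the provider")

    return problems


if __name__ == "__main__":
    for label, cfg in (("template", SAMPLE_SETTINGS), ("adjusted", ADJUSTED_SETTINGS)):
        found = check_oidc_settings(cfg, SAMPLE_DISCOVERY)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

For a live check, replace `SAMPLE_DISCOVERY` with `fetch_discovery(settings["discoveryUri"])` from a host that can reach the provider; a connection or TLS failure there is itself a useful finding, since the frontend pod performs the same fetch before it can redirect.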

Thanks Ellie!

Also- another thing to look at Heley, is that often your SSO providers log a more informative error about why someone would be unauthorized. This is available to admins of your provider

thank you! let me take a look and get back to you!