Troubleshooting SSO Configuration Issue with Azure in DataHub v0.12.0

Original Slack Thread

Hi Team,

I am using DataHub v0.12.0

I am trying to configure SSO login with Azure. I have followed the documentation link below to configure it and followed each step as it is.
https://datahubproject.io/docs/authentication/guides/sso/configure-oidc-react-azure/

I am using Kubernetes to deploy DataHub, so I have added all the environment variables to the .yaml file like below.

```yaml
extraEnvs:
- name: AUTH_OIDC_ENABLED
  value: "true"
- name: AUTH_OIDC_CLIENT_ID
  value: "a-3-v-s-s"
- name: AUTH_OIDC_CLIENT_SECRET
  value: "Q~o~I"
- name: AUTH_OIDC_DISCOVERY_URI
  value: "https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"
- name: AUTH_OIDC_BASE_URL
  value: "https://datahub.test.domain.net"
- name: AUTH_OIDC_SCOPE
  value: "openid profile email"
```
And when I access this URL I see the below JSON output as well:
https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration

```json
{
  "token_endpoint": "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt",
    "client_secret_basic"
  ],
  "jwks_uri": "https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "id_token token"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "offline_access"
  ],
  "issuer": "https://login.microsoftonline.com/{tenant_id}/v2.0",
  "request_uri_parameter_supported": false,
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "authorization_endpoint": "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize",
  "device_authorization_endpoint": "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/devicecode",
  "http_logout_supported": true,
  "frontchannel_logout_supported": true,
  "end_session_endpoint": "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/logout",
  "claims_supported": [
    "sub",
    "iss",
    "cloud_instance_name",
    "cloud_instance_host_name",
    "cloud_graph_host_name",
    "msgraph_host",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "nonce",
    "preferred_username",
    "name",
    "tid",
    "ver",
    "at_hash",
    "c_hash",
    "email"
  ],
  "kerberos_endpoint": "https://login.microsoftonline.com/{tenant_id}/kerberos",
  "tenant_region_scope": "EU",
  "cloud_instance_name": "microsoftonline.com",
  "cloud_graph_host_name": "graph.windows.net",
  "msgraph_host": "graph.microsoft.com",
  "rbac_url": "https://pas.windows.net"
}
```
Below is the error I am getting now.

Front-end error

`ERROR controllers.AuthenticationController - Caught exception while attempting to redirect to SSO identity provider! It's likely that SSO integration is mis-configured`

UI Error

`Failed to redirect to Single Sign-On provider. Please contact your DataHub Administrator, or refer to server logs for more information.`

Team,
Let me know if any other information is required

Thanks,
Mohan

Hey there! :wave: Make sure your message includes the following information if relevant, so we can help more effectively!

  1. Which DataHub version are you using? (e.g. 0.12.0)
  2. Please post any relevant error logs on the thread!

Hello Mohan, you are missing the azureTenantId setting which is mandatory when using SSO with Azure. That’s why you also see {tenant_id} in the URL instead of an actual GUID that represents your Azure tenant.

Hi <@U042EBB9P1N>, I am using the tenant_id in AUTH_OIDC_DISCOVERY_URI, I just removed it in the question

Ah, I see. Maybe next time you could mention the parts you’ve masked, so we’re not looking in the wrong direction :sweat_smile: What do you see in the datahub-frontend-react pod log files?

Please find the below error attachment.

Hi <@UV14447EU>, can you help me in resolving the above error?

<@U03MF8MU5P0> or <@U01GCJKA8P9> might be able to help here.

Hello Mohan, now that I think of it and looking at the error message, it could be a problem with one of the probes in the datahub-gms pod. I’ve had a similar error message in our own environment in the past where GMS wouldn’t start serving requests (which might explain why SSO isn’t working). My assumption is that GMS isn’t working correctly yet, and your SSO config might be just fine.

Not sure if you’re using the Helm charts to deploy to K8S, but I did. There was a problem there with a liveness probe that makes an HTTP request to an endpoint that requires authentication. Could you check your datahub-gms pod and the settings for the readiness and liveness probes?

Hi <@U042EBB9P1N>, yes, we are using Helm charts to deploy to K8S.

Check the probes’ settings and see if GMS will start correctly.

Hi <@U042EBB9P1N>, I have added the livenessProbe settings as follows, but I am still getting the error.

Below is the front-end error; the backend GMS shows the same error as mentioned above.

Can you verify that both the frontend and GMS start correctly? Is there a way to test the connectivity to Azure Entra (an outbound IP firewall rule somewhere)?

Frontend and GMS started correctly; I can even log in using username and password without any issues. Only SSO is not working, and by default it shows the below error.

Can you please explain a bit more about Azure Entra (an outbound IP firewall rule somewhere)?

With problems like this one, I’d also like to check the basic connectivity. Can you reach https://login.microsoftonline.com/tenantID/v2.0/.well-known/openid-configuration from one of your pods? Azure Entra is the new name for Azure Active Directory (AD).
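As an added example (not DataHub's code and not from anyone in the thread), the following offline sanity check compares the AUTH_OIDC_* settings from the original post with a discovery document shaped like the Azure response quoted there: it flags an unsubstituted {tenant_id} placeholder, an issuer that does not match the discovery URI, a non-https base URL, and requested scopes the provider does not advertise. The tenant GUID and the discovery JSON are constructed samples, and the assumption that the frontend uses the authorization code flow is marked in the code.

```python
"""Sanity-check DataHub AUTH_OIDC_* settings against an OIDC discovery document.
Added example, not DataHub's own code; the discovery JSON below is a constructed
sample shaped like the Azure response quoted in the thread."""
import json

TENANT = "11111111-2222-3333-4444-555555555555"  # constructed placeholder GUID
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"{AUTHORITY}/v2.0",
    "authorization_endpoint": f"{AUTHORITY}/oauth2/v2.0/authorize",
    "token_endpoint": f"{AUTHORITY}/oauth2/v2.0/token",
    "jwks_uri": f"{AUTHORITY}/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
})

REQUIRED_VARS = ("AUTH_OIDC_CLIENT_ID", "AUTH_OIDC_CLIENT_SECRET",
                 "AUTH_OIDC_DISCOVERY_URI", "AUTH_OIDC_BASE_URL")
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"

def check_oidc_config(env, discovery_json):
    """Return the problems found; an empty list means the settings are consistent."""
    problems = [f"{var} is not set" for var in REQUIRED_VARS if not env.get(var)]
    for var, val in env.items():
        # A masked or templated value such as {tenant_id} must never reach the pod.
        if var.startswith("AUTH_OIDC_") and "{" in val:
            problems.append(f"{var} still contains a template placeholder: {val}")
    if problems:
        return problems  # fix the environment first; the rest needs real values
    doc = json.loads(discovery_json)
    problems += [f"discovery document lacks {k}" for k in REQUIRED_KEYS if k not in doc]
    disc = env["AUTH_OIDC_DISCOVERY_URI"]
    # OIDC Discovery serves the document at <issuer>/.well-known/openid-configuration;
    # if the issuer disagrees, ID-token issuer validation fails after the redirect.
    if not disc.startswith("https://") or not disc.endswith(WELL_KNOWN):
        problems.append("AUTH_OIDC_DISCOVERY_URI must be https and end with " + WELL_KNOWN)
    elif doc.get("issuer") != disc[: -len(WELL_KNOWN)]:
        problems.append(f"issuer {doc.get('issuer')!r} does not match the discovery URI")
    if not env["AUTH_OIDC_BASE_URL"].startswith("https://"):
        problems.append("AUTH_OIDC_BASE_URL must be https for the redirect URI registered in Azure to match")
    # The frontend login redirect uses the authorization code flow (assumed), so "code" is needed.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("provider does not advertise response_type=code")
    scopes = env.get("AUTH_OIDC_SCOPE", "openid profile email").split()
    if "openid" not in scopes:
        problems.append("AUTH_OIDC_SCOPE must include openid")
    problems += [f"scope {s!r} not in scopes_supported"
                 for s in scopes if s not in doc.get("scopes_supported", [])]
    return problems
```

Running the check with the discovery URI copied from the post reports only the {tenant_id} placeholder, which is the same symptom the thread first suspected; with a real GUID in place the remaining checks are the ones worth repeating from inside the pod once the discovery URL is reachable.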