Unable to access app and not able to confirm roles the user is assigned to after upgrading to Tanzu Application Service for VMs 2.7 and Single Sign-On tile 1.12.2
Article ID: 293392


Products

Operations Manager

Issue/Introduction

You are unable to access an app through Single Sign-On (SSO) because the roles the user is assigned cannot be confirmed. This matches the following known issue:

"Authorization for Okta OpenID Connect (OIDC): When using an Okta OIDC provider, the roles claim in the ID token does not get populated with external identity provider (IdP) groups. This impacts the mapping of external IdP groups to scopes."


Resolution

The error message displayed after login reports that the specific groups required for access to the app are not present on the user's account. The app code looks for an LDAP attribute called "roles", which is translated from Granted Authorities in Active Directory.

We tested the authcode-sample app (from identity-sample-apps) with a newly created test UAA client in order to inspect the identity and access tokens passed to the app on login. The behaviour appears to have changed because of a change in the way UAA passes roles into the tokens.

The "Persist Custom Attributes" checkbox under Custom Attributes in the SSO Operator Dashboard > Advanced Settings > Group Assignments must be checked for the "roles" attribute to be passed successfully. With it enabled, the role mapping is interpreted correctly on login, which resolves the issue.
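The token inspection described in the Resolution above, as an added example that is not part of this article or of the identity-sample-apps code: it verifies a token's signature first and only then reports whether the "roles" claim is present and carries the roles the app requires, which distinguishes the "claim not populated" symptom from an ordinary missing-role case. To run offline with the standard library it constructs HS256 tokens under a shared secret; real UAA ID tokens are RS256-signed with the UAA key pair, so a production check verifies against the UAA token signing key. The role values and user claims are constructed sample data.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret. A real UAA signs ID tokens with its own key pair (RS256),
# so a production check verifies against the UAA token signing key, not a shared secret.
SAMPLE_SECRET = b"constructed-test-secret"

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_hs256_token(claims, secret):
    """Build a compact HS256 JWT from a claims dict (for constructing sample tokens)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def check_roles_claim(token, secret, required_roles):
    """Verify the signature first, then report whether the 'roles' claim carries every
    role the app requires. Never evaluate claims from a token that fails verification."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg; refusing to evaluate claims")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch; claims are untrusted")
    claims = json.loads(_b64url_decode(payload_b64))
    roles = claims.get("roles")
    if roles is None:  # the symptom in this article: the claim is not populated at all
        return {"ok": False, "reason": "roles claim absent", "missing": sorted(required_roles)}
    missing = sorted(set(required_roles) - set(roles))
    return {"ok": not missing, "reason": "missing roles" if missing else "ok", "missing": missing}

# Constructed ID-token payloads: before the fix (no roles claim) and after it.
TOKEN_WITHOUT_ROLES = make_hs256_token({"sub": "user-1", "user_name": "alice"}, SAMPLE_SECRET)
TOKEN_WITH_ROLES = make_hs256_token(
    {"sub": "user-1", "user_name": "alice", "roles": ["app.admin", "app.user"]}, SAMPLE_SECRET)

if __name__ == "__main__":
    for tok in (TOKEN_WITHOUT_ROLES, TOKEN_WITH_ROLES):
        print(check_roles_claim(tok, SAMPLE_SECRET, {"app.admin"}))
```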