TKGI login command fails to get one-time passcode due to invalid_scope error when connecting to SAML IDP

Article ID: 410197
Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

When TKGI is configured to connect to a SAML IDP, a user can request a one-time passcode from the SAML IDP for the "tkgi login" command. For example,

$ tkgi login -a api.tkgi.####.com -k --sso

One Time Code ( Open A Web Browser to the following URL to get a Code: https://api.tkgi.####.com:8443/oauth/authorize?response_type=code&client_id=pks_cli&redirect_uri=https://api.tkgi.####.com:8443 )
Passcode: 


When the prompted URL is opened in a web browser and correct credentials for a valid SAML IDP user are entered, an invalid_scope error may appear in the browser address bar instead of a valid code string.

The same invalid_scope error can also be found in the UAA logs for the corresponding one-time passcode request. For example,

[2025-####.066488Z] uaa - 11 [https-jsse-nio-8443-exec-1] - [13cd####2d27c5] ....  INFO --- SAMLDefaultLogger: AuthNResponse;SUCCESS;#.#.#.#;api.tkgi.####.com:8443;http://#.#.#.#:8080/realms/tkgi;jamessmith@####.com;;
[2025-####.084099Z] uaa - 11 [https-jsse-nio-8443-exec-1] - [13cd####2d27c5] ....  INFO --- Audit: IdentityProviderAuthenticationSuccess ('jamessmith@####.com'): principal=b4c8ec79-####-aec6da9bf19c, origin=[unknown], identityZoneId=[uaa], authenticationType=[saml]
[2025-####.155483Z] uaa - 11 [https-jsse-nio-8443-exec-4] - [db5f####311c1a] ....  INFO --- NonSnarlMetadataManager: Adding SAML IDP zone[uaa] alias[lab-tkgi-saml]
[2025-####.169075Z] uaa - 11 [https-jsse-nio-8443-exec-4] - [db5f####311c1a] ....  WARN --- UaaAuthorizationRequestManager: The requested scopes are invalid
[2025-####.169393Z] uaa - 11 [https-jsse-nio-8443-exec-4] - [db5f####311c1a] ....  INFO --- UaaAuthorizationEndpoint: Handling OAuth2 error: error="invalid_scope", error_description="[pks.clusters.admin, pks.clusters.admin.read, pks.clusters.manage] is invalid. This user is not allowed any of the requested scopes"


Environment

Tanzu Kubernetes Grid Integrated Edition

Cause

The invalid_scope error is most often caused by a problem mapping the TKGI internal group pks.clusters.admin to the external group included in the SAML response from the IDP. Please review the documentation and carefully check the related settings in both the SAML IDP and TKGI.

If all related settings appear correct, one possible cause is that the group name in the SAML IDP contains uppercase letters, while the UAA component stores the external group name in lowercase. For example,

$ uaac group map --name pks.clusters.admin OpsManager --origin lab-tkgi-saml
Successfully mapped pks.clusters.admin to OpsManager for origin lab-tkgi-saml

$ uaac group mappings
  resources
    ldap:
    -
      organizations.acme: cn=test_org,ou=people,o=springsource,o=org
    lab7-tkgi-saml:
    -
      pks.clusters.admin: opsmanager
  schemas: urn:scim:schemas:core:1.0
  startindex: 1
  itemsperpage: 2
  totalresults: 2


However, the group name included in the SAML response is exactly the same as what is configured in the SAML IDP, which means it still contains uppercase letters. For example,

<saml:Attribute FriendlyName="Groups" Name="member" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
  <saml:AttributeValue xmlns:xs="http://www.###.org/2001/XMLSchema" xmlns:xsi="http://www.###.org/2001/XMLSchema-instance" xsi:type="xs:string">OpsManager</saml:AttributeValue>
</saml:Attribute>

The UAA component included in some older TKGI releases treats these as two different group names and therefore returns the invalid_scope error.
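The following Python script is an added diagnostic model of the mismatch described above; it is not UAA's or TKGI's own code. It assumes that UAA stores the external group name in lowercase at "uaac group map" time and then compares the SAML attribute value against that stored name. The assertion fragment and the mapping table are constructed from the values shown in this article (origin lab-tkgi-saml, external group OpsManager, internal group pks.clusters.admin). The script extracts the group values from the SAML attribute, shows that an exact comparison yields no scopes (the invalid_scope outcome), shows that a case-normalized comparison resolves pks.clusters.admin, and reports which groups differ from the stored name only by case, which is the check to run when every setting looks correct but UAA still answers invalid_scope.

```python
"""Diagnostic model of SAML group -> UAA scope mapping (added example,
not UAA or TKGI code). Assumes UAA lowercases the external group name
when the mapping is stored and matches the SAML value against it."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the Groups attribute from the article's SAML response,
# wrapped in the minimal surrounding elements the parser needs.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="Groups" Name="member"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>OpsManager</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed mapping table in the shape `uaac group mappings` prints:
# origin -> {stored external group name (lowercased): internal group}.
MAPPINGS = {
    "lab-tkgi-saml": {"opsmanager": "pks.clusters.admin"},
}


def extract_groups(assertion_xml, attribute_name="member"):
    """Return the values of the named SAML attribute, case preserved."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") != attribute_name:
            continue
        for val in attr.iterfind("saml:AttributeValue", SAML_NS):
            values.append((val.text or "").strip())
    return values


def resolve_scopes(groups, mappings, origin, normalize):
    """Map external groups to internal TKGI groups for one origin.

    normalize=False models the exact-match behaviour of the older UAA;
    normalize=True lowercases the incoming value before lookup so it is
    compared the same way the stored name was written.
    """
    table = mappings.get(origin, {})
    scopes = set()
    for group in groups:
        key = group.lower() if normalize else group
        if key in table:
            scopes.add(table[key])
    return scopes


def case_only_mismatches(groups, mappings, origin):
    """Return (saml_value, stored_name) pairs that differ only by case.

    Separates a case problem from a genuinely missing mapping entry.
    """
    table = mappings.get(origin, {})
    found = []
    for group in groups:
        if group not in table and group.lower() in table:
            found.append((group, group.lower()))
    return found


if __name__ == "__main__":
    origin = "lab-tkgi-saml"
    groups = extract_groups(SAMPLE_ASSERTION)
    print("groups in SAML response:", groups)
    exact = resolve_scopes(groups, MAPPINGS, origin, normalize=False)
    print("exact match      ->", exact or "none (invalid_scope)")
    print("case-normalized  ->", resolve_scopes(groups, MAPPINGS, origin, normalize=True))
    print("case-only mismatches:", case_only_mismatches(groups, MAPPINGS, origin))
```

Running the script against the constructed sample prints an empty result for the exact comparison and pks.clusters.admin for the normalized one, with OpsManager/opsmanager listed as a case-only mismatch. To check a real environment, replace SAMPLE_ASSERTION with the decoded SAML response from the IDP and MAPPINGS with the output of "uaac group mappings" for your origin.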

Resolution

The best solution is to upgrade the TKGI tile to the latest version, e.g. v1.22.

If an upgrade is not an option at the moment, the issue can be temporarily worked around by updating the related group mapping entry in the UAA database. Please reach out to Tanzu support for further assistance if you choose this approach. Please note that this temporary fix is rolled back if the mapping is removed and redone.