Authentication failed in Data Stewardship

Talend Version (Required)       6.4.1

Summary

TAC, IAM, and TDS were installed with the 6.4.1 Installer, but the user cannot log into Data Stewardship.
Additional Versions  
Product (Required) Data Stewardship, IAM, TAC
Component (Required)  
Problem Description

After using the 6.4.1 Installer without any errors, the user cannot log into Data Stewardship.


The TAC, IAM and Data Stewardship services are up and running.

The login/user used is Active in TAC.


In the 6.4.1_installer\iam\apache-tomcat\conf folder, the iam.properties file contains the line tac.user-name=security@company.com:

tdslogin1.png


So in this case, security@company.com needs to be Active in TAC:

tdslogin2.png


The customer was using a hostname similar to this format: aaaa.bbbbb.cccc.dddd.eeee.

So they would access Data Stewardship using a URL such as:

http://aaaa.bbbbb.cccc.dddd.eeee:19999


Looking at the different log files under /iam/logs, this error was found in the idp.log:

2017-09-05 16:41:16.815 -ERROR [http-apr-9080-exec-3] o.a.c.f.s.i.b.EndpointAddressValidator : The endpointAddress value of http://10.22.123.999:9080/oidc/idp/authorize does not match any of the passive requestor values


Looking at the \6.4.1_installer\tds\apache-tomcat\conf\data-stewardship.properties file, these values for oidc.url and oidc.userauth.url were seen:

tdslogin3.png


Problem root cause  
Solution or Workaround

Both values were pointing at the server's IP address; they were changed to use the hostname that users browse to:

oidc.url=http://aaaa.bbbbb.cccc.dddd.eeee:9080/oidc
oidc.userauth.url=http://aaaa.bbbbb.cccc.dddd.eeee:9080/oidc


After restarting the IAM and TDS services, the login still failed, but a different error now appeared in the idp.log file:

2017-09-06 14:25:00.230 - WARN [http-apr-9080-exec-5] o.a.c.f.s.idp.beans.CommonsURLValidator : The given endpointAddress parameter http://aaaa.bbbbb.cccc.dddd.eeee:9080/oidc/idp/authorize is not a valid URL

In this case, the error is related to the validity of the hostname. IAM is built on Apache CXF Fediz, and when a new OIDC client is registered, its redirect URL is validated. That validation rejects hostnames whose top-level domain is not a standard, public TLD, so a name ending in a non-standard label such as eeee fails.


To resolve this, one line was added to the iam.properties file to declare the non-standard labels as additional TLDs:

iam.additionalTLDs=lan,eeee,dddd,cccc,bbbbb,aaaa

The IAM and TDS services were then restarted.

The login was then successful.
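As an added example (not code from the article or from Talend), the following Python check reads the two properties files edited above and reports the two misconfigurations described: an oidc.url host that differs from the hostname users browse to, and a hostname whose final label is neither a public TLD nor listed in iam.additionalTLDs. It assumes, based on the CommonsURLValidator warning, that the validator judges only the last label, and it uses a constructed stand-in for the public TLD list; the sample property contents are constructed from the article.

```python
from urllib.parse import urlparse

# Constructed samples of the two property files discussed in the article.
IAM_PROPERTIES = """\
tac.user-name=security@company.com
iam.additionalTLDs=lan,eeee,dddd,cccc,bbbbb,aaaa
"""
TDS_PROPERTIES = """\
oidc.url=http://aaaa.bbbbb.cccc.dddd.eeee:9080/oidc
oidc.userauth.url=http://aaaa.bbbbb.cccc.dddd.eeee:9080/oidc
"""

# Assumption: a small stand-in for the public TLD list a standard URL validator accepts.
PUBLIC_TLDS = {"com", "net", "org", "io", "fr", "de"}


def parse_properties(text):
    """Minimal Java .properties parser: key=value pairs, comments and blanks ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_oidc_urls(iam_props, tds_props, expected_host):
    """Return a list of reasons IAM would reject the TDS redirect URL (empty if none)."""
    problems = []
    extra = iam_props.get("iam.additionalTLDs", "")
    extra_tlds = {t.strip().lower() for t in extra.split(",") if t.strip()}
    for key in ("oidc.url", "oidc.userauth.url"):
        url = tds_props.get(key)
        if not url:
            problems.append(f"{key}: missing")
            continue
        host = (urlparse(url).hostname or "").lower()
        # First error in the article: redirect host (an IP) did not match the browsed hostname.
        if host != expected_host.lower():
            problems.append(f"{key}: host {host} differs from {expected_host}")
            continue
        # Second error: the final label is not a public TLD and not declared as additional.
        tld = host.rsplit(".", 1)[-1]
        if tld not in PUBLIC_TLDS and tld not in extra_tlds:
            problems.append(f"{key}: TLD '{tld}' is not public and not in iam.additionalTLDs")
    return problems
```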

JIRA ticket number TPSVC-2981
Version history
Revision #:
5 of 5
Last update:
10-27-2017 08:13 AM