Debugging SSO in environments with Proxy Servers

This is an example log file from Crowd 1.6 with Debugging turned On for com.atlassian.crowd under Admin > Logging & Profiling. In this example, I've logged into Crowd Console, then attempt to access Jira.

Example of non-working SSO Configuration

In this example, admin signs into Crowd Console, and then visits Jira. Jira is being served behind a Apache proxy (mod_proxy for example).

SSO interaction gliffy

Login to Crowd directly without a proxy

Crowd detects a user logging in for the first time from the IP address 192.168.0.174, with a Mozilla Browser on Linux. A token of onk7YDa9kfyPp0ipf26gwA00 is generated from the ValidationFactors consisting of an IP address, User-Agent, Random Number.

[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Generating Token for principal: admin
[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Adding User-Agent of com.atlassian.crowd.integration.authentication.ValidationFactor@429340[name=User-Agent,value=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9) Gecko/20070316 CentOS/1.5.0.9-10.el5.centos Firefox/1.5.0.9 pango-text]
[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Adding remote address of 192.168.0.174
[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Adding Random-Number of com.atlassian.crowd.integration.authentication.ValidationFactor@d171c2[name=Random-Number,value=8162711822532519761]
[crowd.manager.application.ApplicationServiceGeneric] Current Validation Factors:
com.atlassian.crowd.integration.authentication.ValidationFactor@83b064[name=remote_address,value=192.168.0.174]com.atlassian.crowd.integration.authentication.ValidationFactor@429340[name=User-Agent,value=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9) Gecko/20070316 CentOS/1.5.0.9-10.el5.centos Firefox/1.5.0.9 pango-text]
[crowd.manager.application.ApplicationServiceGeneric] comparing existing token com.atlassian.crowd.model.token.Token@ca8293[ID=524387,key=onk7YDa9kfyPp0ipf26gwA00,name=admin,secretNumber=8162711822532519761,Directory ID=98305] with a validation token com.atlassian.crowd.model.token.Token@b1b30c[ID=0,key=onk7YDa9kfyPp0ipf26gwA00,name=admin,secretNumber=8162711822532519761,Directory ID=98305]
[crowd.manager.application.ApplicationServiceGeneric] they match
[crowd.manager.application.ApplicationServiceGeneric] user has access to the application crowd

Login to Jira via proxy

After my visit to the Crowd Console, I then visit Jira through a proxy. It detects my same User-Agent, but now sees that my IP is 192.168.3.125 which is really the proxy's. This results in a token that doesn't match my existing one: F6KXEhI3SDn7u1I7zVLzhQ00 as compared to onk7YDa9kfyPp0ipf26gwA00 and thus, I'm prompted to login again. A clue that I was going through the proxy is the X-Forwarded-For header. It also contains my real IP. The way to fix this is to add 192.168.3.125 to my list of Trusted Proxies.

[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Generating Token for principal: admin
[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Adding User-Agent of com.atlassian.crowd.integration.authentication.ValidationFactor@31f633[name=User-Agent,value=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9) Gecko/20070316 CentOS/1.5.0.9-10.el5.centos Firefox/1.5.0.9 pango-text]
[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Adding remote address of 192.168.3.125
[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Adding Random-Number of com.atlassian.crowd.integration.authentication.ValidationFactor@1a99a7[name=Random-Number,value=8162711822532519761]
[crowd.manager.application.ApplicationServiceGeneric] Current Validation Factors:
com.atlassian.crowd.integration.authentication.ValidationFactor@5db889[name=remote_address,value=192.168.3.125]com.atlassian.crowd.integration.authentication.ValidationFactor@fe4748[name=X-Forwarded-For,value=192.168.0.174]com.atlassian.crowd.integration.authentication.ValidationFactor@31f633[name=User-Agent,value=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9) Gecko/20070316 CentOS/1.5.0.9-10.el5.centos Firefox/1.5.0.9 pango-text]
[crowd.manager.application.ApplicationServiceGeneric] comparing existing token com.atlassian.crowd.model.token.Token@417bf8[ID=524387,key=onk7YDa9kfyPp0ipf26gwA00,name=admin,secretNumber=8162711822532519761,Directory ID=98305] with a validation token com.atlassian.crowd.model.token.Token@f9d0af[ID=0,key=F6KXEhI3SDn7u1I7zVLzhQ00,name=admin,secretNumber=8162711822532519761,Directory ID=98305]
[crowd.manager.application.ApplicationServiceGeneric] The token keys don't match

Last modified on Oct 5, 2018

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.