Debugging SSO in environments with Proxy Servers

Troubleshooting SSO with Crowd

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

This is an example log file from Crowd 1.6 with Debugging turned On for com.atlassian.crowd under Admin > Logging & Profiling. In this example, I've logged into Crowd Console, then attempt to access JIRA.

Example of non-working SSO Configuration

In this example, admin signs into Crowd Console, and then visits JIRA. JIRA is being served behind a Apache proxy (mod_proxy for example).

SSO interaction gliffy

Login to Crowd directly without a proxy

Crowd detects a user logging in for the first time from the IP address 192.168.0.174, with a Mozilla Browser on Linux. A token of onk7YDa9kfyPp0ipf26gwA00 is generated from the ValidationFactors consisting of an IP address, User-Agent, Random Number.

[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Generating Token for principal: admin
[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Adding User-Agent of com.atlassian.crowd.integration.authentication.ValidationFactor@429340[name=User-Agent,value=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9) Gecko/20070316 CentOS/1.5.0.9-10.el5.centos Firefox/1.5.0.9 pango-text]
[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Adding remote address of 192.168.0.174
[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Adding Random-Number of com.atlassian.crowd.integration.authentication.ValidationFactor@d171c2[name=Random-Number,value=8162711822532519761]
[crowd.manager.application.ApplicationServiceGeneric] Current Validation Factors:
com.atlassian.crowd.integration.authentication.ValidationFactor@83b064[name=remote_address,value=192.168.0.174]com.atlassian.crowd.integration.authentication.ValidationFactor@429340[name=User-Agent,value=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9) Gecko/20070316 CentOS/1.5.0.9-10.el5.centos Firefox/1.5.0.9 pango-text]
[crowd.manager.application.ApplicationServiceGeneric] comparing existing token com.atlassian.crowd.model.token.Token@ca8293[ID=524387,key=onk7YDa9kfyPp0ipf26gwA00,name=admin,secretNumber=8162711822532519761,Directory ID=98305] with a validation token com.atlassian.crowd.model.token.Token@b1b30c[ID=0,key=onk7YDa9kfyPp0ipf26gwA00,name=admin,secretNumber=8162711822532519761,Directory ID=98305]
[crowd.manager.application.ApplicationServiceGeneric] they match
[crowd.manager.application.ApplicationServiceGeneric] user has access to the application crowd

Login to JIRA via proxy

After my visit to the Crowd Console, I then visit JIRA through a proxy. It detects my same User-Agent, but now sees that my IP is 192.168.3.125 which is really the proxy's. This results in a token that doesn't match my existing one: F6KXEhI3SDn7u1I7zVLzhQ00 as compared to onk7YDa9kfyPp0ipf26gwA00 and thus, I'm prompted to login again. A clue that I was going through the proxy is the X-Forwarded-For header. It also contains my real IP. The way to fix this is to add 192.168.3.125 to my list of Trusted Proxies.

[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Generating Token for principal: admin
[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Adding User-Agent of com.atlassian.crowd.integration.authentication.ValidationFactor@31f633[name=User-Agent,value=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9) Gecko/20070316 CentOS/1.5.0.9-10.el5.centos Firefox/1.5.0.9 pango-text]
[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Adding remote address of 192.168.3.125
[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Adding Random-Number of com.atlassian.crowd.integration.authentication.ValidationFactor@1a99a7[name=Random-Number,value=8162711822532519761]
[crowd.manager.application.ApplicationServiceGeneric] Current Validation Factors:
com.atlassian.crowd.integration.authentication.ValidationFactor@5db889[name=remote_address,value=192.168.3.125]com.atlassian.crowd.integration.authentication.ValidationFactor@fe4748[name=X-Forwarded-For,value=192.168.0.174]com.atlassian.crowd.integration.authentication.ValidationFactor@31f633[name=User-Agent,value=Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.9) Gecko/20070316 CentOS/1.5.0.9-10.el5.centos Firefox/1.5.0.9 pango-text]
[crowd.manager.application.ApplicationServiceGeneric] comparing existing token com.atlassian.crowd.model.token.Token@417bf8[ID=524387,key=onk7YDa9kfyPp0ipf26gwA00,name=admin,secretNumber=8162711822532519761,Directory ID=98305] with a validation token com.atlassian.crowd.model.token.Token@f9d0af[ID=0,key=F6KXEhI3SDn7u1I7zVLzhQ00,name=admin,secretNumber=8162711822532519761,Directory ID=98305]
[crowd.manager.application.ApplicationServiceGeneric] The token keys don't match

Last modified on Sep 20, 2017

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.