Debugging SSO in environments with Proxy Servers
This is an example log file from Crowd 1.6 with debugging turned on for com.atlassian.crowd under Admin > Logging & Profiling. In this example, I logged into the Crowd Console and then attempted to access JIRA.
Example of non-working SSO Configuration
In this example, admin signs into the Crowd Console and then visits JIRA. JIRA is being served behind an Apache proxy (mod_proxy, for example).
Login to Crowd directly without a proxy |
---|
Crowd detects a user logging in for the first time from the IP address 192.168.0.174, with a Mozilla browser on Linux. A token of onk7YDa9kfyPp0ipf26gwA00 is generated from the ValidationFactors, which consist of an IP address, the User-Agent, and a random number. |
[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Generating Token for principal: admin |
Login to JIRA via proxy |
---|
After my visit to the Crowd Console, I then visit JIRA through a proxy. Crowd detects the same User-Agent, but now sees my IP as 192.168.3.125, which is really the proxy's address. This results in a token that doesn't match my existing one (F6KXEhI3SDn7u1I7zVLzhQ00 as compared to onk7YDa9kfyPp0ipf26gwA00), and thus I'm prompted to log in again. A clue that I was going through the proxy is the X-Forwarded-For header, which also contains my real IP. The way to fix this is to add 192.168.3.125 to my list of Trusted Proxies. |
[atlassian.crowd.authentication.TokenKeyGeneratorImpl] Generating Token for principal: admin |
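
The mismatch and the Trusted Proxies fix can be reproduced with a small model. This is an added example, not Crowd's code: the SHA-256 derivation is a stand-in for Crowd's token generator, and the function names, User-Agent string and random number are constructed for illustration. Only the two IP addresses come from the log above.

```python
import hashlib
import ipaddress

# Constructed sample values (assumptions), except the two IPs taken from the page.
USER_AGENT = "Mozilla/5.0 (X11; Linux x86_64)"
RANDOM_NUMBER = 424242
CLIENT_IP = "192.168.0.174"
PROXY_IP = "192.168.3.125"


def effective_client_ip(remote_addr, x_forwarded_for, trusted_proxies):
    """Pick the address used as the IP validation factor.

    X-Forwarded-For is honoured only when the direct peer is a trusted
    proxy; otherwise any client could forge the header to match a session.
    """
    if remote_addr not in trusted_proxies or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk right to left: the first hop that is not a trusted proxy is the client.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer address
        if hop not in trusted_proxies:
            return hop
    return remote_addr


def token_key(principal, ip, user_agent, random_number):
    """Stand-in token derivation over the validation factors (not Crowd's algorithm)."""
    material = "\x00".join([principal, ip, user_agent, str(random_number)])
    return hashlib.sha256(material.encode()).hexdigest()[:24]


def sso_token_matches(trusted_proxies, remote_addr=PROXY_IP, xff=CLIENT_IP):
    """Compare the token from the direct Crowd login with the one computed for JIRA."""
    login_token = token_key("admin", CLIENT_IP, USER_AGENT, RANDOM_NUMBER)
    ip = effective_client_ip(remote_addr, xff, trusted_proxies)
    return login_token == token_key("admin", ip, USER_AGENT, RANDOM_NUMBER)


if __name__ == "__main__":
    print("no trusted proxies:", sso_token_matches(set()))        # re-login prompt
    print("proxy trusted:     ", sso_token_matches({PROXY_IP}))  # SSO works
```

Trusting only the specific proxy address keeps the IP factor meaningful: a request arriving from any other peer has its X-Forwarded-For value ignored.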