Ondemand 3.0.0 and Xdmod 10.0.2-2.0 integration problems

Hello,

Was anybody successful in integrating XDMoD and OnDemand? Both applications are using SSO.

I have the following error in the browser:

The value of the ‘Access-Control-Allow-Credentials’ header in the response is ‘’ which must be ‘true’ when the request’s credentials mode is ‘include’.

When I add

    Header always set Access-Control-Allow-Credentials: "true"

in the Apache config on the XDMoD node, I get an error about no Origin header, but it’s still in the Apache config:

No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

And origin shows as null in the browser inspect area.

My Apache configs are:

    Header always set Access-Control-Allow-Origin: "https://ondemand
    Header always set Access-Control-Allow-Methods: "GET,POST,PUT,DELETE,OPTIONS"
    Header always set Access-Control-Allow-Headers: "Content-Type,Authorization,X-Requested-With"
    Header always set Access-Control-Expose-Headers "Authorization, Origin, *"
    Header always set Access-Control-Allow-Credentials: "true"

Please advise

Yes we (OSC) have XDMoD integrated with OOD.

Documentation doesn’t say anything about Header edits. On the XDMoD side it only has this addition to /etc/xdmod/portal_settings.ini (in step 2).

domains = "https://ondemand.osc.edu"

Then in step 3 you need to configure your IDP.

Yea I just confirmed our XDMoD installation does not have any of those Header edits in its httpd conf.

Hi Jeff,

I guess I need to start from the beginning. It’s what I did before experimenting with the headers.
I did follow xdmod integration instructions here: Customizations — Open OnDemand 3.0.0 documentation

I do have

    domains = "https://my-ondemand

in /etc/xdmod/portal_settings.ini on the XDMoD server.

On my OnDemand web interface I see a timeout error, and it says I need to log in to the XDMoD server even if I’m already logged in.
TypeError: Failed to fetch Please ensure you are logged into Open XDMoD first, and then try again.
If I click on the link it will take me to the XDMoD server in my logged-in session.

In the inspect area of the web-browser I see:

Access to fetch at ‘https://my-xdmod/rest/v1/users/current’ from origin ‘https://my-ondemand’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

If I use https://my-xdmod/rest/v1/users/current I can see my user info. The Origin field in the browser is the same as the setting in my portal.ini file.
Because of this CORS error I started experimenting with the headers, but it didn’t help.

Both of my sites, XDMoD and OnDemand, use SSO login. Is it a supported method of authentication for integration between XDMoD and OnDemand?

Does anyone use SSO and XDMOD / Ondemand integration successfully?
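The two browser errors quoted in this thread correspond to successive steps of the CORS check that the Fetch standard applies to a response when the request was sent with credentials. The following is an added example, not code from any poster, XDMoD or Open OnDemand; `corsCheck`, `headerValue` and the sample header lists are constructed for illustration and reuse the thread's placeholder host names.

```javascript
// Added example: the Fetch standard's "CORS check" applied to constructed responses.
// Headers are [name, value] pairs so a header that is sent twice can be modelled.
function headerValue(headers, name) {
  const values = headers
    .filter(([n]) => n.toLowerCase() === name)
    .map(([, v]) => v.trim());
  // A header sent more than once is read by the browser as one comma-joined value.
  return values.length ? values.join(', ') : null;
}

function corsCheck(origin, credentialsMode, headers) {
  const allowOrigin = headerValue(headers, 'access-control-allow-origin');
  if (allowOrigin === null) {
    return { ok: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  const withCredentials = credentialsMode === 'include';
  if (!withCredentials && allowOrigin === '*') {
    return { ok: true, reason: 'wildcard accepted without credentials' };
  }
  // Exact string comparison: scheme, host and port; no trailing slash, no list.
  if (allowOrigin !== origin) {
    return { ok: false, reason: `Access-Control-Allow-Origin "${allowOrigin}" does not match "${origin}"` };
  }
  if (!withCredentials) {
    return { ok: true, reason: 'origin matches' };
  }
  const allowCreds = headerValue(headers, 'access-control-allow-credentials');
  if (allowCreds !== 'true') {
    return { ok: false, reason: `Access-Control-Allow-Credentials is "${allowCreds ?? ''}", must be "true"` };
  }
  return { ok: true, reason: 'origin matches and credentials allowed' };
}

// Constructed sample responses (not captured from a real server).
const ORIGIN = 'https://my-ondemand';
const SAMPLES = {
  noHeaders: [['Content-Type', 'application/json']],
  originOnly: [['Access-Control-Allow-Origin', ORIGIN]],
  wildcard: [['Access-Control-Allow-Origin', '*'], ['Access-Control-Allow-Credentials', 'true']],
  duplicated: [['Access-Control-Allow-Origin', ORIGIN], ['Access-Control-Allow-Origin', ORIGIN],
               ['Access-Control-Allow-Credentials', 'true']],
  correct: [['Access-Control-Allow-Origin', ORIGIN], ['Access-Control-Allow-Credentials', 'true']],
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  const result = corsCheck(ORIGIN, 'include', headers);
  console.log(`${name}: ${result.ok ? 'pass' : 'BLOCKED'} (${result.reason})`);
}
```

Only the `correct` sample passes for a credentialed request; the `duplicated` sample fails because the same header emitted twice is compared as a single comma-joined value.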

What version of XDMoD do you have?

Yes we use Keycloak OIDC - which is step 3 in that document. What type of SSO do you use?

I looked it up in XDMoD and here’s how they’re setting those headers - based on what they read from the configuration ini. So there’s something off here because it should be reading from that ini file directly.

Maybe there’s a syntax error in the ini structure?

I cannot see our /etc/xdmod/portal_settings.ini because I don’t have the permissions, but I did check our puppet configurations and see we list out many hosts here.

Here are the headers I get when I request to XDMoD. What headers do you get? Note we’re running version 10 and I’d have to look up what version this integration requires but I’d guess at least 9.

image

I’m using SAML Authentication with Active Directory Federated Services (ADFS) and mod_auth_mellon
https://osc.github.io/ood-documentation/latest/authentication/adfs-with-auth-mellon.html

not Keycloak OIDC

I checked headers again and I see that Origin header matches Access-Allow-Origin. I attached a screenshot.

The error I have now is: 401 (Unauthorized) Login timeout:

Screenshot from 2023-05-12 15-18-33

How does your frame-ancestors line look in ood_portal.conf on the OnDemand site?

Thank you,
Sofya

security_csp_frame_ancestors is set to OOD host.

I know there’s an issue with Shibboleth that it’s not complete SSO - meaning you have to authenticate with XDMoD as well. Though I don’t know for sure that’s your issue.

Credentials should have been sent in a cookie header your XDMoD’s apache recognizes.

Hello,

I apologize for the long silence. I looked at this thread Help setting up XDMoD 10.0 Dashboard integrated in OOD 2.0.28 and Keyclock(SAML) Single Sign On Authentication - #44 by luvres

The problem looks very familiar to mine, but I don’t see any resolution.

I see the following error in xdmod/exceptions.log

2023-08-18 15:10:30 [error] Exception Code: 0
2023-08-18 15:10:30 [error] Message: An error was encountered while attempting to process the requested authorization procedure.
2023-08-18 15:10:30 [error] Origin: /usr/share/xdmod/classes/Rest/Controllers/BaseControllerProvider.php (line 280)
2023-08-18 15:10:30 [error] Trace:
#0 /usr/share/xdmod/classes/Rest/Controllers/UserControllerProvider.php(77): Rest\Controllers\BaseControllerProvider->authorize(Object(Symfony\Component\HttpFoundation\Request))
#1 [internal function]: Rest\Controllers\UserControllerProvider->getCurrentUser(Object(Symfony\Component\HttpFoundation\Request), Object(Silex\Application))
#2 /usr/share/xdmod/vendor/symfony/http-kernel/HttpKernel.php(144): call_user_func_array(Array, Array)
#3 /usr/share/xdmod/vendor/symfony/http-kernel/HttpKernel.php(64): Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object(Symfony\Component\HttpFoundation\Request), 1)
#4 /usr/share/xdmod/vendor/silex/silex/src/Silex/Application.php(586): Symfony\Component\HttpKernel\HttpKernel->handle(Object(Symfony\Component\HttpFoundation\Request), 1, true)
#5 /usr/share/xdmod/vendor/silex/silex/src/Silex/Application.php(563): Silex\Application->handle(Object(Symfony\Component\HttpFoundation\Request))
#6 /usr/share/xdmod/html/rest/index.php(25): Silex\Application->run()
#7 {main}

It looks like it’s erroring out in /usr/share/xdmod/classes/Rest/Controllers/BaseControllerProvider.php on this:

    // If role requirements were not given, then the only check to perform
    // is that the user is not a public user.
    $isPublicUser = $user->isPublicUser();
    if (empty($requirements) && $isPublicUser) {
        throw new UnauthorizedHttpException('xdmod', self::EXCEPTION_MESSAGE);
    }

Does it ring any bells?

Thanks,
Sofya

Another thing I notice: I don’t see cookies being passed during the request. I was using Fiddler to inspect every request and was checking headers and cookies.

In successful connections I see these cookies:
PHPSESSID
SimpleSAML
SimpleSAMLAuthToken
xdmod_token

And in unsuccessful ones I don’t see any cookies.

Is it something I need to fix on the SSO server, like allowing it, or in my Apache config?

Thanks,
Sofya
