Troubleshooting Federated Authentication

Federated Authentication Process Overview¶

The diagram below describes the components and steps that occur when a user authenticates to a Connector using Federated User Authentication up to the point where the user has selected the desktop they want to connect to. The diagram is numbered, and the flow can be followed by the numbers to determine which components are in use at any given step in the process, and instructions are provided for how to obtain logs from those components if a failure occurs. .

Federated Authentication Troubleshooting

Obtaining Logs¶

The table above describes the components that may contain logs to describe errors if a failure occurs. This section provides information or references to how to obtain logs for each HP provided component:

Anyware Client
Connector
- Overview: https://anyware.hp.com/web-help/cas_manager_as_a_service/troubleshooting/troubleshooting_logs/
- Connection Manager:
  - client inside the corporate network: sudo docker service logs connector_cm
  - client outside the corporate network: sudo docker service logs connector_cmsg
- Federated Auth service:
  - client inside the corporate network: sudo docker service logs connector_brokerinternal
  - client outside the corporate network: sudo docker service logs connector_brokerexternal
- Broker: sudo docker service logs connector_fa
Anyware Agent
- Windows Standard Agent: https://anyware.hp.com/web-help/pcoip_agent/standard_agent/windows/current/admin-guide/diagnostics/locating-log-files/
- Windows Graphics Agent: https://anyware.hp.com/web-help/pcoip_agent/graphics_agent/windows/current/admin-guide/diagnostics/locating-log-files/

Potential Issues During the Authentication Process¶

Step 1: Client Failures¶

Component: Anyware Client Task Performed: The user opens Anyware Client from their computer. Potential Issue: Anyware Client stops working as expected. For example, Anyware Client stops responding.

Anyware Client Failure

Step 2: Networking Issues¶

Components: Anyware Client, Connection Manager Task Performed: From the list of configured connections, the user selects the connector configured for Federated User Authentication. Potential Issues: The following issues are observed:

Networking errors between the client and connector.
Connector is misconfigured or failing.

Networking Issues

Step 3: Networking Issues¶

Components: Anyware Client, Connection Manager, Federated Authentication Service, Identity Provider Task Performed: The connector instructs the Anyware Client to perform Federated User Authentication and the user's web browser is opened to the organization's Identity Provider.

Client Performs Federated Authentication

Potential Issues:

No browser is opened: Connector misconfigured for federated authentication. Check Connector Configuration.
Connector was configured with an incorrect client ID. See step 5 in Admin Console configuration section.

Okta 400 Error

Step 4: Incorrect Credentials¶

Components: Identity Provider Task Performed: The user provides their credentials or any other authentication means to the Identity Provider.

Incorrect Credentials

Provide Credentials

Potential Issues: Incorrect credentials are provided.

Incorrect Credentials on Okta

Step 5: Incorrect Credentials¶

Components: Anyware Client, Connector (Connection Manager, Broker, Federated Authentication Service), Identity Provider Task Performed: The user returns to their PCoIP Client and the client provides the user's proof of authentication to the connector. The connector validates that authentication against the Identity Provider. Potential Issues: Incorrectly configured redirect URL in the Identity Provider see, step 5 in Configuring Okta IDP and step 4 in Configuring Azure Active Directory.
Untrusted certificate between the connector and Identity Provider.

Step 6: Incorrect Credentials¶

Components: Anyware Client, Connection Manager, Third-Party Broker Task Performed: Connector obtains the user's list of desktops (or pools) and returns them to the client to be displayed to the user.

Desktop Selection

Potential Issues: - Network failures between the connector and Anyware Manager. - Revoked or invalid credentials within the connector to Anyware Manager. - User is not configured in Anyware Manager or has no desktops or pools entitled to them.

Connection Error

Step 7: Desktop Startup Issues¶

Components: Anyware Client, Anyware Agent, Connector (Connection Manager, Broker) Task Performed: The user selects a desktop (or pool). Desktop Selection Potential Issue: Desktop fails to start. Desktop Startup Failure

Step 8: User Authentication Issues¶

Components: Anyware Client, Anyware Agent, Connector (Connection Manager, Broker) Task Performed: The user is prompted at the Anyware Client to enter their username and password. Client Credentials Potential Issue: - User provides incorrect credentials. - Anyware Agent is unable to authenticate the user using the credentials.

Potential Issues During Single Sign-on¶

Step 1: SSO Issues¶

Component: Anyware Agent, Connector (Connection Manager, Broker) Task Performed: The user is prompted to enter their username and password.

User Provides Credentials

Potential Issues: - SSO is not supported by the Agent. - SSO is disabled. Check the --enable--sso installation flag.

Step 2: Certificate Issues¶

Component: Anyware Agent, Connector (Connection Manager, Broker) Task Performed: The user connects to a session and is presented with the login screen. Potential Issue: - The Connector might have been configured with incorrect certificate files. - Anyware Agent was unable to login with the certificate. For more information, see the --sso-signing-* or --sso-enrollment-* in the installation flags topic.