Troubleshooting Federated Authentication
Federated Authentication Process Overview¶
The diagram below describes the components and steps that occur when a user authenticates to a Connector using Federated User Authentication up to the point where the user has selected the desktop they want to connect to. The diagram is numbered, and the flow can be followed by the numbers to determine which components are in use at any given step in the process, and instructions are provided for how to obtain logs from those components if a failure occurs. .
Obtaining Logs¶
The table above describes the components that may contain logs to describe errors if a failure occurs. This section provides information or references to how to obtain logs for each HP provided component:
-
Anyware Client
-
Connector
- Overview: https://anyware.hp.com/web-help/cas_manager_as_a_service/troubleshooting/troubleshooting_logs/
- Connection Manager:
- client inside the corporate network:
sudo docker service logs connector_cm
- client outside the corporate network:
sudo docker service logs connector_cmsg
- client inside the corporate network:
- Federated Auth service:
- client inside the corporate network:
sudo docker service logs connector_brokerinternal
- client outside the corporate network:
sudo docker service logs connector_brokerexternal
- client inside the corporate network:
- Broker:
sudo docker service logs connector_fa
-
Anyware Agent
Potential Issues During the Authentication Process¶
Step 1: Client Failures¶
Component: Anyware Client Task Performed: The user opens Anyware Client from their computer. Potential Issue: Anyware Client stops working as expected. For example, Anyware Client stops responding.
Step 2: Networking Issues¶
Components: Anyware Client, Connection Manager Task Performed: From the list of configured connections, the user selects the connector configured for Federated User Authentication. Potential Issues: The following issues are observed:
- Networking errors between the client and connector.
- Connector is misconfigured or failing.
Step 3: Networking Issues¶
Components: Anyware Client, Connection Manager, Federated Authentication Service, Identity Provider Task Performed: The connector instructs the Anyware Client to perform Federated User Authentication and the user's web browser is opened to the organization's Identity Provider.
Potential Issues:
- No browser is opened: Connector misconfigured for federated authentication. Check Connector Configuration.
- Connector was configured with an incorrect client ID. See step 5 in Admin Console configuration section.
Step 4: Incorrect Credentials¶
Components: Identity Provider Task Performed: The user provides their credentials or any other authentication means to the Identity Provider.
Potential Issues: Incorrect credentials are provided.
Step 5: Incorrect Credentials¶
Components: Anyware Client, Connector (Connection Manager, Broker, Federated Authentication Service), Identity Provider
Task Performed: The user returns to their PCoIP Client and the client provides the user's proof of authentication to the connector. The connector validates that authentication against the Identity Provider.
Potential Issues: Incorrectly configured redirect URL in the Identity Provider see, step 5 in Configuring Okta IDP and step 4 in Configuring Azure Active Directory.
Untrusted certificate between the connector and Identity Provider.
Step 6: Incorrect Credentials¶
Components: Anyware Client, Connection Manager, Third-Party Broker Task Performed: Connector obtains the user's list of desktops (or pools) and returns them to the client to be displayed to the user.
Potential Issues: - Network failures between the connector and Anyware Manager. - Revoked or invalid credentials within the connector to Anyware Manager. - User is not configured in Anyware Manager or has no desktops or pools entitled to them.
Step 7: Desktop Startup Issues¶
Components: Anyware Client, Anyware Agent, Connector (Connection Manager, Broker)
Task Performed: The user selects a desktop (or pool).
Potential Issue: Desktop fails to start.
Step 8: User Authentication Issues¶
Components: Anyware Client, Anyware Agent, Connector (Connection Manager, Broker)
Task Performed: The user is prompted at the Anyware Client to enter their username and password.
Potential Issue:
- User provides incorrect credentials.
- Anyware Agent is unable to authenticate the user using the credentials.
Potential Issues During Single Sign-on¶
Step 1: SSO Issues¶
Component: Anyware Agent, Connector (Connection Manager, Broker) Task Performed: The user is prompted to enter their username and password.
Potential Issues:
- SSO is not supported by the Agent.
- SSO is disabled. Check the --enable--sso
installation flag.
Step 2: Certificate Issues¶
Component: Anyware Agent, Connector (Connection Manager, Broker)
Task Performed: The user connects to a session and is presented with the login screen.
Potential Issue:
- The Connector might have been configured with incorrect certificate files.
- Anyware Agent was unable to login with the certificate. For more information, see the --sso-signing-*
or --sso-enrollment-*
in the installation flags topic.