
does not allow sso

Open Iceforestik opened this issue 2 years ago • 3 comments

NOTE

If this case is urgent, please subscribe to Subnet so that our 24/7 support team may help you faster.

does not allow sso

Expected Behavior

there should be an entry into the minio console

Current Behavior

I type in my username and password after clicking on the Login with SSO button, I get back to the Login with SSO page, and after that the login does not prompt any more, since it has been filled out, but the console does not log in.

Your Environment

  • Version used (minio --version): minio version RELEASE.2022-10-05T14-58-27Z (commit-id=4bdf41a6c70ff5809c3db5c427f3cbee1a725b79) Runtime: go1.18.7 linux/amd64 License: GNU AGPLv3 https://www.gnu.org/licenses/agpl-3.0.html Copyright: 2015-2022 MinIO, Inc.
  • Operating System and version (uname -a): Linux iceforest 5.4.0-128-generic #144~18.04.1-Ubuntu SMP Thu Sep 22 11:08:41 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

my openid config: [image]
keycloak config: [4 images]
minio users: [2 images]
minio policy: [2 images]
additional information: if you remove scopes from the settings: [2 images]
if you put OpenID in scope, then we get a 401 error: [image]

Tell me, please, how can I determine why they are not allowed? It does not give out any errors, but it is as if it is missing something.

Iceforestik avatar Oct 14 '22 08:10 Iceforestik

Looking at the policy I think you are not granting enough rights for the console, see https://github.com/minio/minio/issues/14099

bpedersen2 avatar Oct 14 '22 10:10 bpedersen2

just checking - your policy claim for that user has readwriteuserjwt as the value - but that policy does not appear to exist on MinIO. Can you change that value to consoleAdmin to start?

Once you confirm you can log in with the admin credentials, then it makes more sense to try restricting access based on S3 Resource and such.

ravindk89 avatar Oct 14 '22 15:10 ravindk89
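As an added example (not code from this thread or from MinIO itself), a small Python check for the mismatch ravindk89 describes: it decodes the claims from a token the IDP issued and confirms that the policy claim names policies which actually exist on the server. The claim name `policy`, the built-in policy names and the claim shapes accepted are assumptions; the tokens are constructed for the demonstration.

```python
import base64
import json

# Policies a stock MinIO server ships with (assumption: names as of the
# 2022 releases; confirm on your own deployment with `mc admin policy list`).
BUILTIN_POLICIES = {"consoleAdmin", "readonly", "readwrite", "writeonly", "diagnostics"}

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def decode_jwt_claims(token: str) -> dict:
    """Return the claims segment of a compact JWT. The signature is not
    verified here (MinIO does that against the IDP keys); this only lets an
    admin read what the IDP actually put into the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def policy_names(claims: dict, claim_name: str = "policy") -> list:
    """Normalise the policy claim: one name, a comma-separated string, or a
    JSON list (assumption about the shapes MinIO accepts)."""
    value = claims.get(claim_name)
    if value is None:
        return []
    items = value.split(",") if isinstance(value, str) else list(value)
    return [str(p).strip() for p in items if str(p).strip()]

def check_policy_claim(token: str, known=BUILTIN_POLICIES, claim_name="policy"):
    """Return (ok, problems). ok is False when the claim is absent or names a
    policy the server does not have, a failure the console may not surface."""
    names = policy_names(decode_jwt_claims(token), claim_name)
    problems = [] if names else [f"claim '{claim_name}' missing or empty"]
    problems += [f"policy '{n}' not found on the server" for n in names if n not in known]
    return (not problems, problems)

def constructed_token(claims: dict) -> str:
    """Build a sample token for demonstration only; 'sig' stands in for a signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"

# Constructed samples mirroring the thread: the mismatching claim, then the fix.
BAD_TOKEN = constructed_token({"sub": "iceforest", "policy": "readwriteuserjwt"})
GOOD_TOKEN = constructed_token({"sub": "iceforest", "policy": "consoleAdmin"})

if __name__ == "__main__":
    for label, tok in (("bad", BAD_TOKEN), ("good", GOOD_TOKEN)):
        print(label, check_policy_claim(tok))
```

To run it against a real login, paste the ID token your IDP returns (visible in the Keycloak client session or the browser's network tab) in place of the constructed samples.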

just checking - your policy claim for that user has readwriteuserjwt as the value - but that policy does not appear to exist on MinIO. Can you change that value to consoleAdmin to start?

Once you confirm you can log in with the admin credentials, then it makes more sense to try restricting access based on S3 Resource and such.

Looking at the policy I think you are not granting enough rights for the console, see #14099

I put the policy=consoleAdmin attribute in keycloak, but the error remained. I have really already broken my whole head over how to configure it. [8 images]

Iceforestik avatar Oct 15 '22 05:10 Iceforestik

Could you do a server trace in a terminal with a command like:

mc admin trace -v -a --funcname 'sts.*' myminio

and then do a login attempt and show the results here?

So far I am not able to tell if the IDP is granting access and issuing a JWT.

donatello avatar Nov 04 '22 22:11 donatello

I don't know what it was, but now it works. Thanks.

Iceforestik avatar Nov 07 '22 07:11 Iceforestik