[Keycloak SSO] Foreman redirects to /users/login instead of /users/extlogin when session expired

Hi all,

I have Foreman v1.24.3 running on RedHat 7.8. I configured Foreman to use a Keycloak IdP, following the instructions here: https://www.theforeman.org/manuals/1.24/index.html#5.7ExternalAuthentication

Everything worked fine. The issue is that when the session expires Foreman still redirects to /users/login instead of /users/extlogin.

Do you know how can I change this behavior?

Thank you,
Daniel


No one can help me with this?
Thank you very much

Hey @rabajaj - can you take a look?


Hi @rabajaj,

I checked some of your posts (External authentication: session expiration) but the idle timeout option doesn’t seem to do anything for me.

I changed its value on the web interface but Foreman still closes my session after an hour and redirects me to /users/login

Might this be a bug in v1.24?

Thanks a lot,
Daniel.

Hello,

Sorry for being late to the party :stuck_out_tongue: Can you check what the value of the Login delegation logout URL in Settings -> Authentication tab is? I am sorry, it seems I forgot to add it in the documentation. Would you like to open a PR for the 5th point (OIDC parameters) of the Foreman documentation?

github repo: GitHub - theforeman/theforeman.org: The new and improved Foreman website.

Add:
Set Login delegation logout URL to https://<foreman instance>.com/users/extlogout

Let me know how it goes.

Thanks,


BTW, you might want to visit this documentation: http://docs.theforeman.org/guides/build/doc-Administering_Red_Hat_Satellite/index-foreman.html#integrating-satellite-with-red-hat-single-sign-on-for-external-authentication. It has information to configure your mappers correctly in Keycloak.

Also, about idle session timeout, if you set it to 2 minutes, after 2 mins if you try to access any resource it must redirect you to the keycloak login page again. For the redirection to happen you need to add a valid redirect url in your client.

If you have registered the client in a correct manner, in your client you will have one valid redirect URL which would look something like https://<your foreman url>.com/users/extlogin/redirect_url. Copy this URL and add another redirect URL which is https://<your foreman url>.com/users/extlogin, without the redirect_url and the trailing /.

I think you should be good to go with this explanation. If you are still stuck somewhere, please let me know. I’d be more than happy to help :slight_smile:

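The redirect URI rules in the reply above (the bare `/users/extlogin` entry is needed in addition to the `/users/extlogin/redirect_url` one, with an exact match and no trailing slash) as an added Python example. This is not code from the thread, from Foreman or from Keycloak: the matching function is a simplified model of Keycloak's "Valid Redirect URIs" check (exact match, or prefix match for an entry ending in `*`), and the Foreman host name is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Constructed placeholder for the Foreman instance (or the HAProxy alias in
# front of it); not a real host.
FOREMAN_BASE = "https://foreman.example.com"


def required_foreman_redirects(base: str) -> list[str]:
    """The two Valid Redirect URIs the thread says Foreman's extlogin flow needs."""
    base = base.rstrip("/")
    return [f"{base}/users/extlogin/redirect_uri", f"{base}/users/extlogin"]


def redirect_uri_allowed(requested: str, valid_uris: list[str]) -> bool:
    """Simplified model of Keycloak's Valid Redirect URIs check (an assumption of
    this example, not Keycloak's own code): an entry matches exactly, or, if it
    ends in '*', as a prefix. Anything else, including a trailing '/' that the
    requested URI does not have, is a mismatch and the login flow stops."""
    for entry in valid_uris:
        if entry.endswith("*"):
            if requested.startswith(entry[:-1]):
                return True
        elif requested == entry:
            return True
    return False


def audit_client(base: str, valid_uris: list[str]) -> dict:
    """Check a client's Valid Redirect URIs against what Foreman needs.

    Returns {"allowed": {uri: bool}, "findings": [str]}: 'allowed' says whether
    each required Foreman URI passes the check above; 'findings' lists entries a
    reviewer would flag (trailing slash, plain http, wildcard)."""
    allowed = {uri: redirect_uri_allowed(uri, valid_uris)
               for uri in required_foreman_redirects(base)}
    findings = []
    for entry in valid_uris:
        if entry.endswith("/"):
            findings.append(f"{entry}: trailing '/' means the bare path will not match exactly")
        if urlsplit(entry).scheme == "http":
            findings.append(f"{entry}: plain http sends the authorization code unencrypted")
        if entry.endswith("*"):
            findings.append(f"{entry}: wildcard accepts any redirect target under that prefix")
    return {"allowed": allowed, "findings": findings}


if __name__ == "__main__":
    # Constructed sample clients: the first two reproduce the mistakes the
    # thread warns about, the third is the working configuration.
    samples = {
        "only redirect_uri entry": [f"{FOREMAN_BASE}/users/extlogin/redirect_uri"],
        "trailing slash": [f"{FOREMAN_BASE}/users/extlogin/redirect_uri",
                           f"{FOREMAN_BASE}/users/extlogin/"],
        "correct": required_foreman_redirects(FOREMAN_BASE),
    }
    for name, uris in samples.items():
        print(name, audit_client(FOREMAN_BASE, uris))
```

Registering the two exact URIs rather than a `https://foreman.example.com/*` wildcard keeps the check tight: a wildcard would make the audit pass, but it also lets the authorization code be sent to any path on that host.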

Thanks a lot for your answer!!

For the value of Login delegation logout URL I had (this was a working solution):

https://keycloak.server/auth/realms/myrealm/protocol/openid-connect/logout?redirect_uri=https://foreman.server

I tried your suggestion but it does seem to close the session. The logout redirects me to /users/extlogout but it does not actually log me out (I have the same behavior this person has in his demo https://youtu.be/ypF-yvaaSXw?t=899).

Happy to open a PR after we sort this out! :slight_smile:

About the session timeout I am still testing out the latest changes, so nothing conclusive just yet.

Thanks a lot!

Hello,

Yes, once you place the /users/extlogout URL in the Login delegation logout URL the SSO functionality would work. In Single Sign On, even if you manually try to log out, the authentication system must allow you to log in without providing the credentials. Therefore, when you press the Logout button manually you still have an option to log in again on the extlogout page, which is the correct functionality. This is rightly demonstrated in the video that you have pointed to. You should be allowed to log out only when your session has expired.

This will make things really clear (sorry for the noise in the video), but this should really clear all your questions:

For reference:

Also, about:

https://keycloak.server/auth/realms/myrealm/protocol/openid-connect/logout?redirect_uri=https://foreman.server

You don’t need to use this because this is implemented in the code for you. Once the session expires this URL is invoked to log out of the system, and that’s how you are redirected to the Keycloak login page again. The only thing you need to add is the valid redirect URL in Keycloak as mentioned above (https://foreman-url.com/users/extlogin without the /redirect_uri/).

Let me know if you still have any concerns regarding this.

Thanks,


Hi @rabajaj,

I am afraid I am still having this issue… When the session expires I am still being redirected to https://foreman.server/users/login

This is very strange.

I thought there might be a problem with my memcached but I only have one server now, and the issue is still happening. (I have an HAProxy in front of Foreman, but the HAProxy only has one Foreman server in the backend section.)

I am not sure what else to check. This is my Foreman config in case there is something wrong:

Thanks a lot,
Daniel.

Hello,

Your settings look fine to me, except that your idle timeout is set to 600 minutes, that is 10 hours. Can you set it to 2 minutes to test the result (whether or not you are redirected to your Keycloak instance)?

Also, it would be nice if you shared your valid redirect URLs from the Keycloak client.

Thanks,

Yeah, I was so desperate that I increased the idle timeout by a loooot to see what happens :sweat_smile:

Funny thing, following your advice, I just changed it to 1 (1 minute idle timeout) but I don’t see my user being logged out…

For completeness this is my Keycloak config. The red part is the alias of the Haproxy in front of my Foreman servers.

Thanks a lot for your answers :slight_smile:

Hello,

Okay :slight_smile: so here you will not need the extlogout URL and the third one too. I see your configurations are set to the correct values.

Would it be possible for you to paste your Foreman server logs when it tries to log out (as in when the 1 minute is over and the Foreman login page is displayed)?

Thanks,

Damn! Everything looks ok to me here. Can you meet me on IRC (#theforeman-dev) anytime? I am available in the IST timezone :slight_smile:

Checking the requests my browser does, I can see that at some point, there is a redirection to /users that redirects me to https://foreman.server/users/login.

Might this be the root cause?
Thanks!!!

Hello,

Looks like @danielfr was using the older version of Foreman, therefore the incorporated changes do not reflect on his system. Once they upgrade, it will be fine. Also, for anyone else reading this thread, the solution marked should solve most of the questions, so please go through that :slight_smile:

Thanks,


Thanks a lot to rabajaj for his valuable help! :100:

I will post again here once I upgrade my servers to Foreman v2.X (it will take some months since we are in the middle of other migrations that should happen 1st)


Just a quick update to say that we finally upgraded Foreman to 2.1.X a few weeks ago and since then we cannot reproduce this error anymore. Again thanks @rabajaj, you are the best! :slight_smile:


I am glad it’s working for you :slight_smile: