AZURE AD --> SCIM on GCP GKE is not working

jfmarquisjfmarquis
edited October 2019 in SCIM Bridge

hello
i've configured our SCIM Bridge domain with success i think but when i'm trying to connect to Azure i have this error
You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account.
Can you help me to debug please ?
thanks in advance


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • graham_1Pgraham_1P

    Team Member

    Hi @jfmarquis

    I take it you referring to the Azure Provisioning Admin Credentials? Your DNS record looks valid. However when navigating to your SCIM Bridge, I can see it is not set up. Navigate to the ip of your VM in a browser and validate the DNS record with your domain, and then connect it to your account.

    I have edited your above post removing your non-configured SCIM Bridge URL.

    If you reach out to us at [email protected] we can give you more personalised feedback without having to be as careful of private data as on a public forum.

    Graham

  • Hey everyone,
    we use the AWS terraform deployment and run into the same error. I'm not sure when it first appears, but at the same week the error fist appears the auto-scaling-group started a new instance.
    We tried to generate new credentials (bearer token & sessionfile), updated the aws secret and redeploy the infrastructure - nothing solved the error. Do you have made any progress on this issue ?
    Cedric

  • graham_1Pgraham_1P

    Team Member

    Hey @cedric_someone,

    The error of You appear to have entered invalid credentials. Please confirm you are using the correct information for an administrative account. generally indicates incorrect credentials are being given to your identity provider.

    To troubleshoot this, I would recommend checking the SCIM Bridge logs. What do they say when a connection is refused as unauthorised?

    You can also check your bearer token/scimsession pair but sending a request directly to your SCIM Bridge. EG: curl -X GET -H "Authorization: bearer $BEARER_TOKEN" https://my-scim-bridge-domain.company.com/Users. If that succeeds you know your bearer token/scimsession pair is correct and something else is at play.

    If you reach out to us at [email protected] we can give you more personalised feedback without having to be as careful of private data as on a public forum.

    Graham

  • edited May 26

    Hey @graham_1P,

    I already have contact with your support-Team, but I also like to make the process public - I hate open issues without a solution.

    It's difficult to access the AWS-Instance, but with a modified instance role and the session-manager I was able to view the logs on the Instance and run the curl cmd. As you said I get a Unauthorized and I found this at the logfile:

    May 26 13:05:51 op-scim-op-scim-company op-scim[25404]: [LOG] [1.3.1] 2020/05/26 13:05:51 (INFO) Handling GET: /scim/Users

    May 26 13:05:51 op-scim-op-scim-company op-scim[25404]: [LOG] [1.3.1] 2020/05/26 13:05:51 (ERROR) AuthWrap failed to FindCredentials: failed to detect localAuth version: failed to Unmarshal credentials file data into map: invalid character 'C' looking for beginning of value

    May 26 13:05:51 op-scim-op-scim-company op-scim[25404]: [LOG] [1.3.1] 2020/05/26 13:05:51 (WARN) 401 (Unauthorized)

    Could you take a look at it ? Maybe there is a issue with the aws secret. I'am not very familar with aws secrets but followed your documentation.

    Cedric

  • graham_1Pgraham_1P

    Team Member

    Hi @cedric_someone

    That makes perfect sense! A forum is useless if every thread ends with 'email support'!

    That being said, due to the private and secure nature of our work, we tend to default to email threads just to protect your PII. In that vein, I'm going to edit your post to remove your company name.

    The error you are seeing AuthWrap failed to FindCredentials: failed to detect localAuth version: failed to Unmarshal credentials file data into map: invalid character 'C' looking for beginning of value seems to indicate that your scimsession file is unreadable, corrupted, or of the the wrong format.

    Am I correct in thinking you followed the instructions on this page? https://github.com/1Password/scim-examples/tree/master/aws-terraform#deploying-using-terraform

    You created the secret with something like:

    aws secretsmanager create-secret --name op-scim/scimsession --secret-binary file:///path/to/scimsession --region <aws_region>
    aws secretsmanager describe-secret --secret-id op-scim/scimsession --region <aws_region>
    

    If you redid the second command, what is the output? Please be sure to not post your scimsession file here.

    Graham

  • Hey @graham_1P,

    I didn't want to criticise your way of support, unfortunately you answer a lot faster than your support-team :)
    If we get to the point you need more sensitive data, we can surely change to email.

    Yes i followed this introduction page, but only updated an existing secret. We need to update the credentials of our provision manager for security purposes. The update command looks like:

    aws.cmd secretsmanager update-secret --secret-id <secret/id> --secret-binary <Windows Path to session file> --region <region>
    

    I used the session file I get from the provision manager setup process without modifying anything.
    The result of:

     aws.cmd secretsmanager describe-secret --secret-id <secret/id> --region <region>
    

    looks like:

    {
        "ARN": "<arn>",
        "Name": "<secret/id>",
        "Description": "SCIM bridge session file for 1Password provisioning",
        "LastChangedDate": 1590559529.005,
        "LastAccessedDate": 1590537600.0,
        "VersionIdsToStages": {
            "5406f9a8-5383-4512-be10-f004e4a68968": [
                "AWSCURRENT"
            ],
            "b4c26313-03b4-4fcb-a887-55d39554a68a": [
                "AWSPREVIOUS"
            ]
        }
    }
    

    We use the default encryption key.

    I hope I haven't mention any sensitive data ;)

    Have a nice day !

    Cedric

  • Hello again,

    I'm such a fool. I decrypted the secret locally on the machine and find out the secret isn't the session file, it's only the path to the session file. I also have find a better command to update the secret.

    aws.cmd secretsmanager put-secret-value --secret-id <secret/id> --secret-binary file://<Windows path to session file> --region <region>
    

    Now since the secret has the correct value the curl command succeed and returns a list of users, only the AzureAD enterprise application throws the same error as mention above. SystemForCrossDomainIdentityManagementCredentialValidationUnavailable - maybe there are some caching issues or missing azure permissions :)

  • Hey again - it's me !
    I also solved the SystemForCrossDomainIdentityManagementCredentialValidationUnavailable our AzureAD Application wasn't setup correctly - I doesn't know exactly why. We only reconfigure it followed these steps. Now everything works fine.
    I only have one open issue. My personal 1Password account is part of the Provision Manager Group and now I have access to every vault of a provisioned user - can i remove my account out of this group without losing any access or control?

    Cedric

  • graham_1Pgraham_1P

    Team Member

    Hi @cedric_someone,

    I'm glad to hear you got yourself sorted out. Just to clarify, you resolved your SystemForCrossDomainIdentityManagementCredentialValidationUnavailable error by reconfiguring your Azure AD instance, correct? Or was there a specific thing you changed to resolve the error?

    To stop seeing the invited but not active users' private vaults, you can just take yourself out of the Provision Manager Group. The only required member is the Provision Manager themselves. Assuming you are an Owner or an Admin, this will not change your access and control of the provisioning process.

    Graham

  • Hey @graham_1P,
    I'm not sure what you mean by "AzureAD instance". We only set up a "enterprise application" on the Azure side. This application was not set up correctly. I took over the project from a former colleague, so I can't tell you exactly what was going on. I suspect something is wrong with a URL because the AWS instance is not receiving traffic from Azure. I deleted the old "enterprise application" and created a new one with your documentation.
    Now everything works fine. Thanks for your help!!!
    Cedric

  • graham_1Pgraham_1P

    Team Member

    That is excellent to hear. I'm happy to help!

    Thanks for following up with your solution.

    Graham

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file