Upgrade to 4.11 and pre-existent saml2 authentication settings #2548

@eligorio
ISSUE TYPE
  • Bug Report
COMPONENT NAME
SAML2 Auth plugin
CLOUDSTACK VERSION
4.11
CONFIGURATION

Cloudstack 4.5.2 with SAML2 authentication working well on the national federation.

OS / ENVIRONMENT

Clean install of Cloudstack 4.11 on Ubuntu 16.04.4 LTS pointing to a copy of the 4.5.2 Cloudstack production database.

SUMMARY

After the upgrade from 4.5.2 to 4.11 (parallel build process), http://IP:8080/client shows an error (HTTP ERROR 503 - Problem accessing /client/. Reason: Service Unavailable) and the UI does not load.

It appears that the pre-existing content of the "key" and "certificate" columns in the rows whose "name" is "SAMLSP_X509CERT" and "SAMLSP_KEYPAIR" needs some conversion, but the upgrade procedure did not perform it.

If we delete the old SAML rows from the cloud.keystore table, /client works, but https://IP:8080/client/api?command=getSPMetadata returns a certificate different from the one registered with the national federation, and so authentication fails for our web users.

STEPS TO REPRODUCE

1-) Do a clean install of Cloudstack 4.11.
2-) Point this install to a copy of a 4.5.2 production database that has SAML2 authentication enabled and working inside a federation.
3-) Run cloudstack-setup-databases.
4-) Run cloudstack-setup-management and wait for upgrade completion and cloudstack-management service start.
5-) Try to access the UI.

EXPECTED RESULTS
Can access and use a fully functional Cloudstack UI.
ACTUAL RESULTS
HTTP ERROR 503
Problem accessing /client/. Reason:

    Service Unavailable
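
Added example, not part of the original report and not CloudStack code: a check that the certificate published by `getSPMetadata` is still the one registered with the federation, by comparing SHA-256 fingerprints. It assumes the response is standard SAML 2.0 metadata XML carrying the certificate in `ds:X509Certificate`; the function names, the entity ID and the certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def cert_fingerprints(metadata_xml):
    """SHA-256 fingerprints of every ds:X509Certificate in SAML metadata."""
    root = ET.fromstring(metadata_xml)  # input is your own server's metadata
    prints = []
    for node in root.iter("{%s}X509Certificate" % DS_NS):
        # Metadata carries the DER certificate as base64, often line-wrapped.
        der = base64.b64decode("".join((node.text or "").split()))
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def pem_fingerprint(pem):
    """SHA-256 fingerprint of a PEM certificate (the copy the federation holds)."""
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return hashlib.sha256(base64.b64decode("".join(body))).hexdigest()

def sp_cert_matches(metadata_xml, registered_pem):
    """True if the SP metadata still publishes the registered certificate."""
    return pem_fingerprint(registered_pem) in cert_fingerprints(metadata_xml)

# --- Constructed sample data: placeholder bytes, not real certificates ---
OLD_DER = b"placeholder for the certificate registered with the federation"
NEW_DER = b"placeholder for a certificate regenerated after the rows were deleted"
REGISTERED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                  + base64.b64encode(OLD_DER).decode()
                  + "\n-----END CERTIFICATE-----\n")

def sample_metadata(der):
    """Build a minimal SP metadata document around the given certificate bytes."""
    b64 = base64.b64encode(der).decode()
    return ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
            'xmlns:ds="%s" entityID="sp.example.org">'
            '<md:SPSSODescriptor><md:KeyDescriptor use="signing">'
            '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>'
            '</md:EntityDescriptor>' % (DS_NS, b64))

if __name__ == "__main__":
    for label, der in (("before upgrade", OLD_DER), ("rows deleted", NEW_DER)):
        ok = sp_cert_matches(sample_metadata(der), REGISTERED_PEM)
        print(label, "->", "matches federation" if ok else "MISMATCH")
```

Run against the metadata saved before the upgrade and again afterwards; a mismatch means the service provider's signing certificate changed and the federation registration no longer applies.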
