SSO worked in classic UI but now fails in New Experience UI

I got my SAML/SSO working in the classic Edge UI, which is a prerequisite for installing the New Experience UI. I then followed the instructions for the New Experience UI. When I try to log in to the New Experience UI, the SAML/SSO fails with:

Invalid redirect http://10.XX.XX.XX:3001/oauthCallback did not match one of the registered values

I am using AWS with load balancers handling the TLS HTTPS traffic. When configuring the apigee-sso module, I specified SSL_PROXY mode.

What do I do with this error message? Is the redirect URL supposed to be against the IP address on port 3001, or should it be against the DNS name I set up for my load balancer on port 443, which forwards to the actual IP address on 3001? What determines what the redirect URL is, and what are the registered values that it must match against?


SunilMax

@Shawn Castrianni Did you get any solution for this issue? I am also having exactly the same issue.

Sorry, I can't remember. It has been too long. I did fix it by changing the config file somehow. I worked with Apigee technical support to get my config file setup correctly.

Thanks. By any chance, do you remember whether you defined any extra variables in the config file: https://docs.apigee.com/private-cloud/v4.50.00/install-new-edge-ui#installation-configuration-file

I don't like the new instructions for the config file, so I ignored them and continued to use my config file from 4.19.01, and it worked fine for 4.50.00. My config file for the new Edge UI contains these values:

IP1=XXXipn1XXX
IP6=XXXipn6XXX
ADMIN_EMAIL=XXXXXX
APIGEE_ADMINPW=XXXadminPasswordXXX
APIGEE_PORT_HTTP_MS=8080
MSIP=$IP1
MS_SCHEME=http
EDGEUI_ENABLE_UNIFIED_UI=y
MANAGEMENT_UI_PORT=3001
MANAGEMENT_UI_IP=XXXXXX
MANAGEMENT_UI_APP_ENV=OPDK
MANAGEMENT_UI_SCHEME=https
MANAGEMENT_UI_TLS_OFFLOAD=y
MANAGEMENT_UI_PUBLIC_URIS=$MANAGEMENT_UI_SCHEME://$MANAGEMENT_UI_IP:$MANAGEMENT_UI_PORT
MANAGEMENT_UI_SSO_REGISTERED_PUBLIC_URIS=$MANAGEMENT_UI_PUBLIC_URIS
MANAGEMENT_UI_SSO_CSRF_SECRET=$APIGEE_ADMINPW
MANAGEMENT_UI_SSO_CSRF_EXPIRATION_HOURS=24
MANAGEMENT_UI_SSO_STRICT_TRANSPORT_SECURITY_AGE_HOURS=8760
MANAGEMENT_UI_SSO_ENABLED=y
MANAGEMENT_UI_SSO_CLIENT_OVERWRITE=y
MANAGEMENT_UI_SSO_CLIENT_ID=newueclient
MANAGEMENT_UI_SSO_CLIENT_SECRET=$APIGEE_ADMINPW
SHOEHORN_SCHEME=http
SHOEHORN_IP=$IP6
SHOEHORN_PORT=9000
CLASSIC_UI_IP=$MANAGEMENT_UI_IP
CLASSIC_UI_PORT=443
CLASSIC_UI_SCHEME=https
EDGEUI_PUBLIC_URIS=$CLASSIC_UI_SCHEME://$CLASSIC_UI_IP:$CLASSIC_UI_PORT
EDGEUI_SSO_REGISTERD_PUBLIC_URIS=$EDGEUI_PUBLIC_URIS
EDGEUI_SSO_ENABLED=y
EDGEUI_SSO_CLIENT_NAME=edgeui
EDGEUI_SSO_CLIENT_SECRET=$APIGEE_ADMINPW
EDGEUI_SSO_CLIENT_OVERWRITE=y
SSO_PUBLIC_URL_HOSTNAME=XXXXXX
SSO_PUBLIC_URL_PORT=443
SSO_PUBLIC_URL_SCHEME=https
MANAGEMENT_UI_SKIP_VERIFY=y
SSO_ADMIN_NAME=ssoadmin
SSO_ADMIN_SECRET=$APIGEE_ADMINPW
SKIP_SMTP=n
SMTPHOST=XXXXXX
SMTPSSL=y
SMTPPORT=465
SMTPMAILFROM=XXXXXX
SMTPUSER=XXXXXX
SMTPPASSWORD=XXXXXX
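The error in the question is an OAuth2 redirect_uri check failing: the callback URL the UI sent to apigee-sso was compared against the URIs registered for the UI client, and no registered value matched it exactly. As an added example (not code from this thread, from Apigee or from the Edge UI), the Python below models that check. It reads a config fragment of the same shape as the one posted above, derives the callback URIs that would be registered for the client from MANAGEMENT_UI_SSO_REGISTERED_PUBLIC_URIS, and compares a candidate redirect URI against them component by component. The sample values, the /oauthCallback path (taken from the error text), the comma-separated-list format of the registered URIs and the exact-match rule are assumptions for illustration.

```python
"""
Exact-match validation of an OAuth2 redirect_uri against the URIs
registered for a client, worked through on a config fragment of the
shape posted above.

Added illustration for this thread, not apigee-sso or Edge UI code.
Assumptions: the silent config is a flat KEY=VALUE file whose values may
reference earlier keys as $VAR; the registered-URIs key holds a
comma-separated list of base URIs; the callback path is /oauthCallback
(taken from the error in the question); matching is exact on scheme,
host, port and path, which is what "did not match one of the registered
values" implies.
"""
import re
from urllib.parse import urlsplit

# Constructed sample in the same shape as the posted config (not its values).
SAMPLE_CONFIG = """
IP1=10.0.0.11
MANAGEMENT_UI_PORT=3001
MANAGEMENT_UI_IP=edge-ui.example.internal
MANAGEMENT_UI_SCHEME=https
MANAGEMENT_UI_TLS_OFFLOAD=y
MANAGEMENT_UI_PUBLIC_URIS=$MANAGEMENT_UI_SCHEME://$MANAGEMENT_UI_IP:$MANAGEMENT_UI_PORT
MANAGEMENT_UI_SSO_REGISTERED_PUBLIC_URIS=$MANAGEMENT_UI_PUBLIC_URIS
MANAGEMENT_UI_SSO_CLIENT_ID=newueclient
"""

CALLBACK_PATH = "/oauthCallback"  # assumed from the error text in the question
_VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")


def parse_config(text):
    """Parse KEY=VALUE lines, expanding $VAR references to keys seen earlier."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = _VAR.sub(lambda m: cfg.get(m.group(1), ""), value.strip())
    return cfg


def registered_redirect_uris(cfg):
    """Callback URIs the SSO server would hold for the UI client (assumed format)."""
    bases = cfg.get("MANAGEMENT_UI_SSO_REGISTERED_PUBLIC_URIS", "")
    return {b.strip().rstrip("/") + CALLBACK_PATH for b in bases.split(",") if b.strip()}


def normalize(uri):
    """(scheme, host, port, path), with default ports made explicit."""
    p = urlsplit(uri)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else {"http": 80, "https": 443}.get(scheme)
    return (scheme, (p.hostname or "").lower(), port, p.path or "/")


def redirect_allowed(redirect_uri, registered):
    """True only if every component matches some registered URI exactly."""
    target = normalize(redirect_uri)
    return any(normalize(r) == target for r in registered)


def explain_mismatch(redirect_uri, registered):
    """Components on which the request differs from the closest registered URI."""
    names = ("scheme", "host", "port", "path")
    target = normalize(redirect_uri)
    best = None
    for r in registered:
        diff = [n for n, a, b in zip(names, normalize(r), target) if a != b]
        if best is None or len(diff) < len(best):
            best = diff
    return best or []


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    registered = registered_redirect_uris(cfg)
    print("registered:", sorted(registered))
    for attempt in (
        "http://10.0.0.11:3001" + CALLBACK_PATH,             # instance IP, plain http: the shape of the error above
        "https://edge-ui.example.internal" + CALLBACK_PATH,   # LB name, but implicit port 443 instead of 3001
        "https://edge-ui.example.internal:3001" + CALLBACK_PATH,
    ):
        if redirect_allowed(attempt, registered):
            print(f"{attempt}: ok")
        else:
            print(f"{attempt}: rejected, differs on {', '.join(explain_mismatch(attempt, registered))}")
```

Two things this makes visible. First, a callback of http://10.x.x.x:3001/oauthCallback is rejected on scheme and host against a registered https://<LB name>:3001 value, and https://<LB name>/oauthCallback is rejected on port alone, so the fix is to make the UI advertise the same scheme, host and port that were registered (in the posted config, MANAGEMENT_UI_PUBLIC_URIS and MANAGEMENT_UI_SSO_REGISTERED_PUBLIC_URIS are both built from MANAGEMENT_UI_SCHEME, MANAGEMENT_UI_IP and MANAGEMENT_UI_PORT, so they agree by construction). Second, the exact match is worth keeping rather than loosening: it is what stops an authorization code from being sent to a host, scheme or port the client owner never registered. Separately, a practitioner copying the posted config would want to revisit the reuse of $APIGEE_ADMINPW as the CSRF secret and both client secrets, and check what MANAGEMENT_UI_SKIP_VERIFY=y disables before carrying it into production.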

SunilMax

Thanks @Shawn Castrianni. I guess these are the correct configs. Apigee should have updated its silent config document with an HA configuration, where the UIs are accessed through an LB.

Just want to confirm a few configs:

Is "MANAGEMENT_UI_IP=XXXXXX" the EC2 IP or the LB address?

Is "MANAGEMENT_UI_PORT=3001" a TLS or non-TLS port?

If it's the LB address, that means mgmt-ui is listening on port 3001 on the LB, which is unlike the classic UI and SSO.

MANAGEMENT_UI_IP is equal to my user-friendly DNS name, which points to my LB.

3001 is a TLS port on my LB.

All of my user-friendly names go to the same LB (except for SSO), using different ports:

80/443 defaults to the routers/message processors to process actual proxy traffic over TLS

3001 goes to the New Edge UI over TLS

8080 goes to the Management API over TLS

My LB handles all the TLS.

My second LB handles SSO only, using 80/443 over TLS.
