Hello cBioPortal Team,
I hope you are doing well. I installed cBioPortal on Amazon Linux 2023 using the following steps:
Installed Nginx on AWS with the following configuration:
Installed Keycloak 18 and PostgreSQL using Docker (port 8081). Now, https://domain/admin works, and I have set the configurations mentioned in the cBioPortal documentation.
After modifying portal.properties for the SAML section and setting always_show_public_studies=PUBLIC, I ran cBioPortal using Docker on port 8080. Without SAML in Docker Compose (-Dauthenticate), cBioPortal works, but when I use SAML in Docker, I encounter the following error:
You are not authorized to access this resource. If you think you have received this message in error, please contact us at ....
Could you please assist me in troubleshooting this issue?
Thank you.
To troubleshoot, I tried the following steps, but the error persists:
- Created some roles in Keycloak with the same names as the cancer studies and also a PUBLIC role, and assigned these roles to the user.
- Created a group with all roles and assigned the user to this group.
- Inserted the user's email into the users table in the cbioportal-database container and updated the authorities table accordingly.
This is my SAML properties file:
## SAML settings
filter_groups_by_appname=false
saml.sp.metadata.entityid=cbioportal
saml.sp.metadata.wantassertionsigned=true
# change this url if behind reverse proxy that handles SSL, see docs/Authenticating-Users-via-SAML.md
saml.sp.metadata.entitybaseurl=https://cbioportal.mydomain.ie:443
#saml.sp.metadata.entitybaseurl=#{null}
saml.idp.metadata.location=classpath:/idp-metadata.xml
saml.idp.metadata.entityid=https://cbioportal.mydomain.ie:443/admin/realms/cbioportal
# saml keystore settings:
saml.keystore.location=classpath:/samlKeystore.jks
saml.keystore.password=mypsw
saml.keystore.private-key.key=secure-key
saml.keystore.private-key.password=mypsw
saml.keystore.default-key=secure-key
# How to send SAML request messages to the IDP.
# Set to "specificBinding" to configure specific binding:
saml.idp.comm.binding.settings=defaultBinding
# Configure the specific binding if above is specificBinding. Leave empty if defaultBinding.
# Options: bindings:HTTP-POST, bindings:HTTP-Redirect, bindings:PAOS, profiles:holder-of-key:SSO:browser
saml.idp.comm.binding.type=
saml.idp.metadata.attribute.email=email
saml.idp.metadata.attribute.userName=username
saml.idp.metadata.attribute.role=Role
# If true, the user will be forced to re-authenticate, even if they have a valid session with the IDP.
# This is useful when you don't have control over the IDP and the IDP caches user data for too long,
# causing cBioPortal to throw CredentialsExpiredException: Authentication statement is too old to be used with value <DATE>
#saml.idp.comm.binding.force-auth-n=false
# Change this to configure your custom UserDetails parser (default: org.cbioportal.security.spring.authentication.saml.SAMLUserDetailsServiceImpl)
saml.custom.userservice.class=org.cbioportal.security.spring.authentication.keycloak.SAMLUserDetailsServiceImpl
# Change this to configure a custom logout URL (default: /login.jsp?logout_success=true)
#saml.logout.url=/login.jsp?logout_success=true
saml.logout.local=false
saml.logout.url=/
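As an added consistency check (example code, not cBioPortal's and not from the post above): the script below reads a portal.properties fragment like the one quoted together with the idp-metadata.xml it points at, and reports mismatches between the two, such as saml.idp.metadata.entityid differing from the entityID declared in the IdP metadata, an empty or non-https entitybaseurl, or keystore aliases that disagree. The host, realm path and file contents are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample portal.properties fragment and Keycloak-style realm metadata
# (placeholder host; not the poster's real values).
SAMPLE_PROPERTIES = """
saml.sp.metadata.entitybaseurl=https://cbioportal.example.org:443
saml.idp.metadata.location=classpath:/idp-metadata.xml
saml.idp.metadata.entityid=https://cbioportal.example.org:443/realms/cbioportal
saml.keystore.private-key.key=secure-key
saml.keystore.default-key=secure-key
saml.idp.metadata.attribute.email=email
saml.idp.metadata.attribute.role=Role
"""
SAMPLE_IDP_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="https://cbioportal.example.org:443/realms/cbioportal">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
    "</md:EntityDescriptor>"
)

def parse_properties(text):
    """Minimal Java .properties reader: skip blank/comment lines, split on the first '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_saml_config(props, idp_metadata_xml):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(idp_metadata_xml)
    idp_entity = root.get("entityID") if root.tag == MD_NS + "EntityDescriptor" else None
    configured = props.get("saml.idp.metadata.entityid", "")
    if idp_entity is None:
        findings.append("idp-metadata.xml does not start with an EntityDescriptor element")
    elif configured != idp_entity:
        findings.append(f"saml.idp.metadata.entityid={configured!r} != metadata entityID {idp_entity!r}")
    if not props.get("saml.sp.metadata.entitybaseurl", "").startswith("https://"):
        findings.append("saml.sp.metadata.entitybaseurl must be the public https URL of the portal")
    if props.get("saml.keystore.private-key.key") != props.get("saml.keystore.default-key"):
        findings.append("saml.keystore.default-key and saml.keystore.private-key.key name different aliases")
    for key in ("saml.idp.metadata.attribute.email", "saml.idp.metadata.attribute.role"):
        if not props.get(key):
            findings.append(f"{key} is empty, so assertions cannot be mapped to a user or role")
    return findings
```

Run it against the real portal.properties and the realm descriptor exported from Keycloak; every finding names the property to look at first.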