GitHub user ingox added a comment to the discussion: SAML (keycloak) and 2FA issue
My logfile output:

2026-02-16 07:52:21,938 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (qtp1438988851-25:[ctx-d70a6f3e]) (logid:0da3af37) Sending SAMLRequest id=hc3aqa1hglovqvqbeocfoie6v1l59ela
2026-02-16 07:52:21,997 DEBUG [c.c.a.ApiServlet] (qtp1438988851-25:[ctx-d70a6f3e]) (logid:0da3af37) ===END=== 172.30.205.2 -- GET command=samlSso&idpid=http://10.1.52.233:8080/realms/CloudStackTest
2026-02-16 07:52:22,211 DEBUG [c.c.a.m.ClusteredAgentManagerImpl] (AgentManager-Handler-4:[]) (logid:) SeqA 9-116026: Seq 9-116026: { Cmd , MgmtId: -1, via: 9, Ver: v1, Flags: 11, [{"com.cloud.agent.api.ConsoleProxyLoadReportCommand":{"_proxyVmId":"69","_loadInfo":"{ "connections": [], "removedSessions": [] }","wait":"0","bypassHostMaintenance":"false"}}] }
2026-02-16 07:52:22,227 DEBUG [c.c.a.m.ClusteredAgentManagerImpl] (AgentManager-Handler-4:[]) (logid:) SeqA 9-: Sending 116026
2026-02-16 07:52:22,967 INFO [c.c.c.ClusterManagerImpl] (Cluster-Heartbeat-1:[ctx-cb477470]) (logid:f81c277d) No inactive management server node found
2026-02-16 07:52:22,967 DEBUG [c.c.c.ClusterManagerImpl] (Cluster-Heartbeat-1:[ctx-cb477470]) (logid:f81c277d) Peer scan is finished. profiler: Done. Duration: 1ms , profilerQueryActiveList: Done. Duration: 0ms, , profilerSyncClusterInfo: Done. Duration: 0ms, profilerInvalidatedNodeList: Done. Duration: 0ms, profilerRemovedList: Done. Duration: 0ms,, profilerNewList: Done. Duration: 0ms, profilerInactiveList: Done. Duration: 0ms
2026-02-16 07:52:23,539 DEBUG [c.c.a.ApiServlet] (qtp1438988851-17:[ctx-b1d68ce6]) (logid:3d3ffc27) ===START=== 172.30.205.2 -- POST command=samlSso command=samlSso SAMLResponse=xxxxxxxxxx
2026-02-16 07:52:23,539 DEBUG [c.c.a.ApiSessionListener] (qtp1438988851-17:[ctx-b1d68ce6]) (logid:3d3ffc27) Session destroyed by Id : node01vohjkx2artejkjlxkmymlgo51799 , session: Session@46a1d370{id=node01vohjkx2artejkjlxkmymlgo51799,x=node01vohjkx2artejkjlxkmymlgo51799.node0,req=1,res=true} , source: Session@46a1d370{id=node01vohjkx2artejkjlxkmymlgo51799,x=node01vohjkx2artejkjlxkmymlgo51799.node0,req=1,res=true} , event: javax.servlet.http.HttpSessionEvent[source=Session@46a1d370{id=node01vohjkx2artejkjlxkmymlgo51799,x=node01vohjkx2artejkjlxkmymlgo51799.node0,req=1,res=true}]
2026-02-16 07:52:23,540 DEBUG [c.c.a.ApiSessionListener] (qtp1438988851-17:[ctx-b1d68ce6]) (logid:3d3ffc27) Session created by Id : node015dya3vlzqdfd1aq7hepegqhw31800 , session: Session@7cb761f9{id=node015dya3vlzqdfd1aq7hepegqhw31800,x=node015dya3vlzqdfd1aq7hepegqhw31800.node0,req=1,res=true} , source: Session@7cb761f9{id=node015dya3vlzqdfd1aq7hepegqhw31800,x=node015dya3vlzqdfd1aq7hepegqhw31800.node0,req=1,res=true} , event: javax.servlet.http.HttpSessionEvent[source=Session@7cb761f9{id=node015dya3vlzqdfd1aq7hepegqhw31800,x=node015dya3vlzqdfd1aq7hepegqhw31800.node0,req=1,res=true}]
2026-02-16 07:52:23,585 DEBUG [o.a.c.a.c.SAML2LoginAPIAuthenticatorCmd] (qtp1438988851-17:[ctx-b1d68ce6]) (logid:3d3ffc27) Received SAMLResponse in response to id=hc3aqa1hglovqvqbeocfoie6v1l59ela
2026-02-16 07:52:23,597 DEBUG [o.a.c.s.SAMLUtils] (qtp1438988851-17:[ctx-b1d68ce6]) (logid:3d3ffc27) SAML attribute name: uid friendly-name:null value:ingo
2026-02-16 07:52:23,599 DEBUG [c.c.u.AccountManagerImpl] (qtp1438988851-17:[ctx-b1d68ce6]) (logid:3d3ffc27) Attempting to log in user: ingo in domain 3
2026-02-16 07:52:23,600 DEBUG [o.a.c.s.SAML2UserAuthenticator] (qtp1438988851-17:[ctx-b1d68ce6]) (logid:3d3ffc27) Trying SAML2 auth for user: ingo
2026-02-16 07:52:23,604 DEBUG [c.c.u.AccountManagerImpl] (qtp1438988851-17:[ctx-b1d68ce6]) (logid:3d3ffc27) CIDRs from which account 'Account [{"accountName":"demo","id":11,"uuid":"091c4fc1-2a18-4f1a-949d-aafa6e74c2b8"}]' is allowed to perform API calls: 0.0.0.0/0,::/0
2026-02-16 07:52:23,613 DEBUG [c.c.u.AccountManagerImpl] (qtp1438988851-17:[ctx-b1d68ce6]) (logid:3d3ffc27) User: ingo in domain 3 has successfully logged in, auth time duration - 14 ms
2026-02-16 07:52:23,613 INFO [c.c.a.ApiServer] (qtp1438988851-17:[ctx-b1d68ce6]) (logid:3d3ffc27) Current user logged in under UTC timezone
2026-02-16 07:52:23,613 INFO [c.c.a.ApiServer] (qtp1438988851-17:[ctx-b1d68ce6]) (logid:3d3ffc27) Timezone offset from UTC is: 0.0
2026-02-16 07:52:23,617 DEBUG [o.a.c.s.SAMLUtils] (qtp1438988851-17:[ctx-b1d68ce6]) (logid:3d3ffc27) Adding sessionkey cookie to response: sessionkey=_2IRHtMSZxg00-KSDNzNVDULlgE;Domain=10.1.33.115;Path=/client;SameSite=Lax
2026-02-16 07:52:23,618 DEBUG [c.c.a.ApiServlet] (qtp1438988851-17:[ctx-b1d68ce6]) (logid:3d3ffc27) ===END=== 172.30.205.2 -- POST command=samlSso command=samlSso SAMLResponse=yyyyyy
2026-02-16 07:52:24,034 DEBUG [c.c.n.r.V.CheckRouterTask] (RouterStatusMonitor-1:[ctx-6416f08e]) (logid:92837167) Found 4 routers to update status.
2026-02-16 07:52:24,036 DEBUG [c.c.a.m.ClusteredAgentManagerImpl] (RouterStatusMonitor-1:[ctx-6416f08e]) (logid:92837167) Wait time setting on com.cloud.agent.api.CheckS2SVpnConnectionsCommand is 30 seconds
2026-02-16 07:52:24,037 DEBUG [c.c.a.m.ClusteredAgentAttache] (RouterStatusMonitor-1:[ctx-6416f08e]) (logid:92837167) Seq 1-7185493205469665887: Routed from 32986741344817
2026-02-16 07:52:24,037 DEBUG [c.c.a.t.Request] (RouterStatusMonitor-1:[ctx-6416f08e]) (logid:92837167) Seq 2-7185493205469665887: Sending { Cmd , MgmtId: 32986741344817, via: 2(ref-trl-6111-k-Mu24-ingo-jochim-kvm2), Ver: v1, Flags: 100111, [{"com.cloud.agent.api.CheckS2SVpnConnectionsCommand":{"vpnIps":["10.1.52.166"],"accessDetails":{"router.name":"r-73-VM","router.ip":"169.254.95.64"},"wait":"30","bypassHostMaintenance":"false"}}] }
2026-02-16 07:52:24,039 DEBUG [c.c.a.ApiServlet] (qtp1438988851-17:[ctx-8fcd3d4f]) (logid:d60a035a) ===START=== 172.30.205.2 -- GET userid=c21df00c-5576-4c8e-9582-e2ab2ed4133f&command=listUsers&response=json&
2026-02-16 07:52:24,041 DEBUG [c.c.a.ApiServlet] (qtp1438988851-17:[ctx-8fcd3d4f]) (logid:d60a035a) Verifying two factor authentication
2026-02-16 07:52:24,042 ERROR [c.c.a.ApiServlet] (qtp1438988851-17:[ctx-8fcd3d4f]) (logid:d60a035a) Two factor authentication 2FA is enabled but not verified, please verify 2FA using validateUserTwoFactorAuthenticationCode API before calling other APIs. Existing session is invalidated.
2026-02-16 07:52:24,043 DEBUG [c.c.a.ApiSessionListener] (qtp1438988851-17:[ctx-8fcd3d4f]) (logid:d60a035a) Session destroyed by Id : node015dya3vlzqdfd1aq7hepegqhw31800 , session: Session@7cb761f9{id=node015dya3vlzqdfd1aq7hepegqhw31800,x=node015dya3vlzqdfd1aq7hepegqhw31800.node0,req=1,res=true} , source: Session@7cb761f9{id=node015dya3vlzqdfd1aq7hepegqhw31800,x=node015dya3vlzqdfd1aq7hepegqhw31800.node0,req=1,res=true} , event: javax.servlet.http.HttpSessionEvent[source=Session@7cb761f9{id=node015dya3vlzqdfd1aq7hepegqhw31800,x=node015dya3vlzqdfd1aq7hepegqhw31800.node0,req=1,res=true}]
2026-02-16 07:52:24,043 DEBUG [c.c.a.ApiServlet] (qtp1438988851-17:[ctx-8fcd3d4f]) (logid:d60a035a) Verification of two factor authentication failed

GitHub link: https://github.com/apache/cloudstack/discussions/12636#discussioncomment-15820537
