When an end user attempts to log in to a Chef Automate instance that uses an external authentication system (LDAP/SAML), they may be greeted with a 401 'unauthorised':
Aug 17 17:04:49 chef-node-01 hab: automate-load-balancer.default(O): - [17/Aug/2020:17:04:49 +0000] "GET /session/callback?code=cvpfaiawj2r3ma5jbswebmavk&state=wZmszfm6zKm-5Q%3D%3D HTTP/1.1" 401 "0.004" 13 "https://chef.automate.io/dex/auth/ldap?req=ebp3k6mvp3cvih5ejjgmv5uyk" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "10.237.249.132:10115" "401" "0.004" 735
|Chef Infra Server||all||Standalone|
The majority of the LDAP troubleshooting steps can be found at https://automate.chef.io/docs/ldap/#troubleshooting. Various issues are highlighted throughout that guidance, and the specifics of the behaviour you see may point towards one of the environment/configuration issues outlined there.
If you have exhausted the possibilities listed in https://automate.chef.io/docs/ldap/#troubleshooting, then there are a few additional things potentially in play when an end user is authenticating through SAML/LDAP via a browser:
- timezone - the host on which the browser is located should have time/timezone correctly configured
- browser cache - a browser can cache the incorrect credentials and recall these when attempting to login
- bookmarked URL - the Automate address the user opens should not be a bookmarked URL containing a stale session token
- anything else that might apply to your organisation (for example, security software which would block the authenticating requests, or which observes the SAML behaviour with Automate and has a whitelist requirement)
If you have additional dependencies revolving around IAM then you should also read "Issues with compliance report uploads, user logins, UI permissions after upgrade". Validating that a recent upgrade or change in your IAM policies is not impeding your users' access is also a necessary follow-on step.
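To see which logins are affected, the load balancer log can be filtered for 401 responses on /session/callback. The script below is an added example, not part of the original article or of Chef's tooling; its field layout is assumed from the single log line quoted at the top of this article, and every sample line except the first is constructed. It drops the query string so the code= and state= values are not copied into a ticket.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Field layout assumed from the one log line quoted in this article.
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) "[^"]*" \d+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
CONNECTOR_RE = re.compile(r"^/dex/auth/([^/?]+)")

# First line is the one quoted in the article; the other three are constructed.
SAMPLE_LOG = """\
Aug 17 17:04:49 chef-node-01 hab: automate-load-balancer.default(O): - [17/Aug/2020:17:04:49 +0000] "GET /session/callback?code=cvpfaiawj2r3ma5jbswebmavk&state=wZmszfm6zKm-5Q%3D%3D HTTP/1.1" 401 "0.004" 13 "https://chef.automate.io/dex/auth/ldap?req=ebp3k6mvp3cvih5ejjgmv5uyk" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36" "10.237.249.132:10115" "401" "0.004" 735
Aug 17 17:05:02 chef-node-01 hab: automate-load-balancer.default(O): - [17/Aug/2020:17:05:02 +0000] "GET /session/callback?code=CONSTRUCTED&state=CONSTRUCTED HTTP/1.1" 401 "0.003" 13 "-" "ExampleBrowser/1.0" "10.0.0.1:10115" "401" "0.003" 700
Aug 17 17:05:09 chef-node-01 hab: automate-load-balancer.default(O): - [17/Aug/2020:17:05:09 +0000] "GET /constructed/other/path HTTP/1.1" 401 "0.002" 13 "-" "ExampleBrowser/1.0" "10.0.0.1:10115" "401" "0.002" 410
Aug 17 17:05:11 chef-node-01 hab: constructed line that is not an access-log entry
"""


def failed_callbacks(lines):
    """Return one record per 401 on /session/callback, query string dropped."""
    records = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["status"] != "401":
            continue
        target = urlsplit(m["target"])
        if target.path != "/session/callback":
            continue
        # The referer path names the Dex connector (e.g. /dex/auth/ldap).
        conn = CONNECTOR_RE.match(urlsplit(m["referer"]).path)
        records.append({
            "time": m["ts"],
            "path": target.path,  # code= and state= values are not kept
            "connector": conn.group(1) if conn else "unknown",
            "agent": m["agent"],
        })
    return records


def by_connector(records):
    """Count failed callbacks per connector taken from the referer."""
    return Counter(r["connector"] for r in records)


if __name__ == "__main__":
    for rec in failed_callbacks(SAMPLE_LOG.splitlines()):
        print(rec["time"], rec["connector"], rec["path"], rec["agent"][:40])
```

On a live host, feed it the automate-load-balancer lines from the system log instead of SAMPLE_LOG.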