Summary
After a 4.3 upgrade, SAML authentication may fail for Controller UI users with an indication that CSRF verification failed.
In 4.3, SAML authentication validates the request URL against the Controller URL. This issue occurs when request URLs differ from the internal Controller URL, whether due to a proxy or to accounts in a multi-tenant Controller with different URLs per account.
Affected Software
This affects SAML-authenticated Controllers that are proxied or multi-tenant Controllers that have distinct URLs per account.
To confirm that you are affected by this issue, check the server log file (<controller_home>/logs/server.log) for a warning log entry containing "validateRequestedUrl failed", as in the following sample:
Impact
SAML-authenticated Controller users are not able to log in.
Resolution
To work around this issue, after upgrading to 4.3, update the internal URL using one of the following mechanisms:
- At the Controller level, by setting the deep link URL in the domain.xml configuration file.
- At the account level, by setting the deep link URL using a REST API or by direct database update.
AppDynamics recommends the second option, making the change at the account level using the REST API, if possible.
Note that the URL you configure must completely match the request URL; that is, the internal URL must include the domain name, scheme (HTTP/HTTPS), and port of the URL in the browser.
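The following pre-check is an added example, not AppDynamics code: it compares a candidate internal URL with the URL shown in the browser on the three components named above and reports each mismatch. The host names are constructed, and treating an omitted port as the scheme's default (80 or 443) is an assumption of this example; the Controller's own comparison may be stricter.

```python
from urllib.parse import urlsplit

# Assumption of this example: an omitted port means the scheme's default port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def url_components(url):
    """Return (scheme, host, port) for an absolute http(s) URL."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    return scheme, parts.hostname.lower(), port


def compare_urls(browser_url, configured_url):
    """List the components on which the configured URL differs from the browser URL."""
    names = ("scheme", "domain name", "port")
    seen = url_components(browser_url)
    conf = url_components(configured_url)
    return [
        f"{name}: browser has {s!r}, configured value has {c!r}"
        for name, s, c in zip(names, seen, conf)
        if s != c
    ]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    browser = "https://apm.example.com/controller/"
    candidates = ("http://controller01.internal:8090", "https://apm.example.com:443")
    for candidate in candidates:
        problems = compare_urls(browser, candidate)
        print(candidate, "->", "OK" if not problems else "; ".join(problems))
```

An empty result means the scheme, domain name and port agree; a proxied Controller that terminates TLS at the proxy typically shows up here as a scheme and port mismatch.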
Update the Account Controller URL by REST
This is the recommended method of working around this issue. You use the update-controller-url REST API call to update the Controller URL for each account.
Run the command from the Controller machine or any machine that has network access to the Controller. You will need to know the AppDynamics root user password.
The command format is:
See update-controller-url REST API call for more information on using the REST API.
Update the Account Controller URL by Database Change
If you are unable to address the Controller by REST API for any reason, you can fix the issue by updating the controller_url setting in the database, as follows:
- From the Controller host, navigate to the following directory in the Controller home: <controller_install_dir>/bin
- Log in to the Controller database using the following command:
  On Windows, use controller.bat.
- Update the account table:
- Verify that the controller_url is not NULL in the output of the following command:
- Restart the Controller app server:
Update at the Controller Level
To update the internal URL at the Controller level (for all accounts in the Controller), modify the domain.xml file:
- In the Controller home directory, open domain.xml for editing.
- Find and update the following setting with the request URL: