Summary

After a 4.3 upgrade, SAML authentication may fail for Controller UI users with an indication that CSRF verification failed. 

In 4.3, SAML authentication now validates the request URL against the Controller URL. This issue results from request URLs that differ from the internal Controller URL, whether due to a proxy or to accounts in a multi-tenant Controller with different URLs per account.

Affected Software

This affects SAML-authenticated Controllers that are proxied or multi-tenant Controllers that have distinct URLs per account.

To confirm that you are affected by this issue, check the server log file (<controller_home>/logs/server.log) for a warning log entry containing "validateRequestedUrl failed", as in the following sample:

[#|2017-03-07T08:28:05.275-0800|WARNING|glassfish 4.1|com.singularity.ee.controller.servlet.SAMLAuthenticationServlet|... |validateRequestedUrl failed. requestedURL: https://mycontroller.com/controller/#, controllerUrlForAccount: ...

Impact

SAML-authenticated Controller users are not able to log in.  

Resolution

To work around this issue, after upgrading to 4.3, update the internal URL using one of the following mechanisms: 

  • At the Controller level, by setting the deep link URL in the domain.xml configuration file.

  • At the account level, by setting the deep link URL using a REST API or by direct database update. 

AppDynamics recommends the second option, making the change at the account level using the REST API, if possible. 

Note that the URL you configure must completely match the request URL, that is, the internal URL must include the domain name, scheme (HTTP/HTTPS), and port of the URL in the browser.
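The log check from Affected Software combined with the matching rule in this note, as an added example (not AppDynamics code): it scans server.log lines for the warning and reports which of scheme, host, or port differs between the requested and configured URLs. The sample log lines are constructed, and the way each URL value is delimited and an unset value is printed are assumptions.

```python
import re
from urllib.parse import urlsplit

MARKER = "validateRequestedUrl failed"
# Assumption: each URL value ends at whitespace, a comma or the "|" field separator.
PAIR = re.compile(
    r"requestedURL:\s*(?P<req>[^\s,|]+).*?"
    r"controllerUrlForAccount:\s*(?P<cfg>[^\s,|]*)")

# Constructed sample entries (hosts, thread fields and URLs are illustrative).
SAMPLE_LOG = """\
[#|2017-03-07T08:28:05.275-0800|WARNING|glassfish 4.1|com.singularity.ee.controller.servlet.SAMLAuthenticationServlet|_ThreadID=1|validateRequestedUrl failed. requestedURL: https://mycontroller.com/controller/#, controllerUrlForAccount: http://mycontroller.com:8090|#]
[#|2017-03-07T08:29:10.101-0800|INFO|glassfish 4.1|com.example.Other|_ThreadID=2|unrelated entry|#]
[#|2017-03-07T08:30:41.902-0800|WARNING|glassfish 4.1|com.singularity.ee.controller.servlet.SAMLAuthenticationServlet|_ThreadID=3|validateRequestedUrl failed. requestedURL: https://tenant-a.example.com/controller/#, controllerUrlForAccount: https://mycontroller.com|#]
"""

def origin(url):
    """Return (scheme, host, port) as written; port is None when not explicit."""
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.port

def find_mismatches(lines):
    """Return one finding per distinct requested/configured URL pair in the log."""
    findings = {}
    for line in lines:
        if MARKER not in line:
            continue
        m = PAIR.search(line)
        if not m:
            continue
        req, cfg = m.group("req"), m.group("cfg")
        if cfg in ("", "null"):  # assumption: an unset controller_url prints empty or "null"
            differs = ["controller_url not set"]
        else:
            # Ports are compared as written, since the URLs must match completely.
            names = ("scheme", "host", "port")
            differs = [n for n, a, b in zip(names, origin(req), origin(cfg)) if a != b]
        findings[(req, cfg)] = differs
    return [{"requested": r, "configured": c, "differs": d}
            for (r, c), d in findings.items()]

if __name__ == "__main__":
    for f in find_mismatches(SAMPLE_LOG.splitlines()):
        print(f["requested"], "vs", f["configured"], "->", ", ".join(f["differs"]))
```

To run it against a real Controller, pass the lines of <controller_home>/logs/server.log to find_mismatches instead of SAMPLE_LOG.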

Update the Account Controller URL by REST

This is the recommended method of working around this issue. You use the update-controller-url REST API call to update the Controller URL for each account. 

Run the command from the Controller machine or any machine that has network access to the Controller. You will need to know the AppDynamics root user password.

The command format is: 

curl -k --basic --user root@system --header "Content-Type: application/json" --data '{ "controllerURL": "http://<controller>:<port>" }' http://<controller>:<port>/controller/rest/accounts/<ACCOUNT-NAME>/update-controller-url


See update-controller-url REST API call for more information on using the REST API.

Update the Account Controller URL by Database Change

If you are unable to address the Controller by REST API for any reason, you can fix the issue by updating the controller_url setting in the database, as follows:

  1. From the Controller host, navigate to the following directory in the Controller home: <controller_install_dir>/bin
  2. Log in to the Controller database using the following command: 

    ./controller.sh login-db

    On Windows, use controller.bat.

  3. Update the account table:

    select id,name,controller_url from account where name='customer1';
    update account set controller_url='https://myVIP:8090/' where name='customer1';
    commit; 
  4. Verify that the controller_url is not NULL in the output of the following command:

    select id,name,controller_url from account where name='customer1'; 
  5. Restart the Controller app server:

    <controller_home>/bin/controller.sh stop-appserver
    <controller_home>/bin/controller.sh start-appserver

Update at the Controller Level

To update the internal URL at the Controller level (for all accounts in the Controller), modify the domain.xml file:

  1. In the Controller home directory, open domain.xml for editing:

    /controller/appserver/glassfish/domains/domain1/config/domain.xml
  2. Find and update the following setting with the request URL:

    <jvm-options>-Dappdynamics.controller.ui.deeplink.url=http://mycontroller:8090/controller</jvm-options>