Can somebody send me in the right direction which New-UDAuthenticationMethod to use in our environment? Also regarding https. This will be a messy post but I’m completely lost and any tips or pointing out my stupidity is welcome.
I came very far providing automation scripts with UD as the web GUI. Now we need authentication to put it in production. I have very little experience with reverse proxies and ADFS.
My UDDashboard runs on a domain-joined Windows server, let’s say the domain is companyname.intra. It runs on port 10001.
We have an Apache reverse proxy that makes the dashboard available on https://subdomain.companyname.com (it forwards port 80 to 10001 and also redirects to https using the companyname.com certificate). It is managed by a different team than mine.
Lastly we have ADFS set up with a url https://adfs.companyname.com/…
Here’s what works (server.ip.address is the actual IP address of the server that runs UD):
To configure ADFS, I followed this guide: https://docs.universaldashboard.io/security/authentication/ws-federation
    Start-UDDashboard -Content {
        # WS-Federation against ADFS; the realm is the internal server address
        $Authentication = New-UDAuthenticationMethod -MetadataAddress 'https://adfs.companyname.com/FederationMetadata/2007-06/FederationMetadata.xml' -Wtrealm 'https://server.ip.address:10001'
        $LoginPage = New-UDLoginPage -AuthenticationMethod $Authentication
        New-UDDashboard -Title "Line" -Content {
            New-UDRow -Columns {
                New-UDColumn -Size 12 -Endpoint {
                    # $User is populated by UD from the federated identity
                    New-UDHeading -Text "Logged in as $User"
                }
            }
        } -LoginPage $LoginPage
    } -Wait -Port 10001 -AllowHttpForLogin
So it works without the Apache reverse proxy. If I start the dashboard with the subdomain like this:
    Start-UDDashboard -Content {
        # Same as above, but the realm is the public hostname exposed by the reverse proxy
        $Authentication = New-UDAuthenticationMethod -MetadataAddress 'https://adfs.companyname.com/FederationMetadata/2007-06/FederationMetadata.xml' -Wtrealm 'https://subdomain.companyname.com:10001'
        $LoginPage = New-UDLoginPage -AuthenticationMethod $Authentication
        New-UDDashboard -Title "Line" -Content {
            New-UDRow -Columns {
                New-UDColumn -Size 12 -Endpoint {
                    # $User is populated by UD from the federated identity
                    New-UDHeading -Text "Logged in as $User"
                }
            }
        } -LoginPage $LoginPage
    } -Wait -Port 10001 -AllowHttpForLogin
Then the login page loads but after logging in I see this error in the ADFS event log:
‘A token with a bad token binding key was found.’
If I then change the ‘WS-Federation Passive Endpoints’ in the Relying Party Trusts in ADFS from https://subdomain.companyname.com to https://subdomain.companyname.com/login, I get this error: ‘Bad username or password’.