SSO configuration Cockpit default app prevents login

What product/components do you use and which version/fix level?

Cumulocity IoT 10.11.xxxx

What are you trying to achieve? Please describe in detail.

SSO configuration:
In my configuration, by default SSO users get limited access rights and only one custom application that they can open. SSO works fine and a user is created on the platform. Unfortunately, when I try to log in with this user, it doesn't work. In the URL I can see that it tries to open the Cockpit default application, where my user does not have any access rights.
Any idea how to configure the default application for an SSO user?

Hi Nick,

The default app cannot be set specifically for SSO users.
You would need to modify the overall default application, which should be an application all users have access to - by default this is "Cockpit".

https://cumulocity.com/guides/users-guide/administration/#changing-application-settings


Hey Kai,

thanks for your reply!

Well, that is unfortunate… the case was built to utilize an external SSO service to configure access to different applications based on their user groups.
I have multiple apps, so overriding cockpit would solve it for just one group of users…

Any ideas on how to get around it? The only thing I can think of now is to turn default Cockpit to an Application switcher…

Hi Nick,

Not sure if I'm missing something, but setting the default application is unrelated to SSO. The default application is per tenant and doesn't rely on any user context. Therefore it doesn't matter if a user actually signs in using SSO.

You could implement a web app whose sole purpose is to check a user's role and then forward the user to the required application. This web app would be the default application on the tenant.

Best regards
Christian

Hi,
Sorry in advance if I missed the point. But in the beginning I had many access denied problems on login until I found out this fact:

The operator who wants to log in needs to click a link or button or similar; this link can contain the "login / startup application".

What I observe is this

One can launch different applications by putting the name of the application to the link. And the authentication runs against this application.

https://XXX.adamos.com/apps/devicemanagement/index.html#/  -> App.1 (devicemanagement)
https://XXX.adamos.com/apps/administration/index.html#/    -> App.2 (administration)

and so on…

A user with permission to App.1 should use a start link with the App.1 name in it. And so on…

Maybe it helps … ?

BR
Manfred

Hey Christian,
Yes, setting a default application for the tenant is not connected to SSO.
The problem with SSO: even if I open a custom application with an SSO user after login, it redirects this user to the default application of the tenant, which results in forbidden in this case.
Example:

  1. Open {{url}}/apps/commercial-cockpit/index.html#/
  2. Login screen is shown
  3. Choose login with SSO and log in
  4. Get forbidden with {{url}}/apps/cockpit/index.html

When I write this now, it feels more like a bug… I've created a ticket with SAG support, will update here on the solution:
https://getsupport.softwareag.com/servicedesk/customer/portal/2/SI-476158
Best,
Nick

Hi Nick,

I saw the answer from the ticket SI-476158:
Send a POST request on /tenant/options endpoint with body:
{"category": "sso", "value": "false", "key": "sso-redirect-default-application"}
Same issue.
With the additional tip from Manfred (use URL with link to the custom app) it works.
e.g. if the user has only privileges for “my-cockpit”, open {{url}}/apps/my-cockpit/index.html#/
I tested this successfully, so the combination of key: sso-redirect-default-application and custom URL works.

Regards, Christian

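The combination reported as working above (the tenant option from the ticket plus an application-specific start link), as an added example that is not code from the thread or from the vendor. It assumes HTTP Basic authentication with an administrator account, a placeholder tenant URL, and that the option can be read back with GET /tenant/options/{category}/{key}; the restriction on application path characters is also an assumption.

```python
import base64
import json
import re
import urllib.request

# Body quoted in the thread (answer from ticket SI-476158).
OPTION = {"category": "sso", "key": "sso-redirect-default-application", "value": "false"}
# Assumption: application context paths use only these characters.
_APP_PATH = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")

def _auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}

def build_set_option(base_url, user, password):
    """POST /tenant/options with the body quoted in the thread."""
    headers = _auth_header(user, password)
    headers["Content-Type"] = "application/json"
    return urllib.request.Request(
        base_url.rstrip("/") + "/tenant/options",
        data=json.dumps(OPTION).encode(), headers=headers, method="POST")

def build_get_option(base_url, user, password):
    """GET the option back so the change can be confirmed (assumed endpoint)."""
    path = f"/tenant/options/{OPTION['category']}/{OPTION['key']}"
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        headers=_auth_header(user, password), method="GET")

def app_start_link(base_url, context_path):
    """Start link for one application, e.g. {{url}}/apps/my-cockpit/index.html#/."""
    # Reject anything that could escape the /apps/<name>/ segment.
    if not _APP_PATH.fullmatch(context_path):
        raise ValueError(f"unexpected application path: {context_path!r}")
    return f"{base_url.rstrip('/')}/apps/{context_path}/index.html#/"

def set_and_confirm(base_url, user, password):
    """Set the option, read it back, and return the value the tenant reports."""
    with urllib.request.urlopen(build_set_option(base_url, user, password)):
        pass
    with urllib.request.urlopen(build_get_option(base_url, user, password)) as resp:
        return json.load(resp).get("value")

if __name__ == "__main__":
    # Constructed placeholder tenant; only the link is built, nothing is sent.
    print(app_start_link("https://tenant.example.com", "my-cockpit"))
```

Call `set_and_confirm` once per tenant with an account allowed to change tenant options, then hand each user group the start link for the application it is permitted to open.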