[SOLVED] Webapp with Konnect and MDM



  • Hi,

    I am currently standing up a new server to play around with previously unused kopano functionality. Two of these are mobile device management and webapp logins via konnect. Whilst in separation all these (webapp, mdm (by extension including z-push) and konnect) work well, when they come together things go wrong.

    1. When signed into webapp via konnect, I cannot log out. When I click the button in webapp, the following error is displayed on a blank page:
      400 invalid_request - id_token_hint does not match request
      This is what I see in the konnectd syslog:
      Sep 18 01:54:01 mx2.redacteddomain.tld kopano-konnectd[30562]: level=error msg="IdentifierIdentityManager: id_token_hint does not match request" error="invalid origin: https://mail.redacteddomain.tld"
      What might be important is that I am running kopano services on subdomains. Webapp is on mail. and the ISS is pointing at meet.
      Am I missing a config option to make this work? I already have this in the webapp config:
      define('CROSS_DOMAIN_AUTHENTICATION_ALLOWED_DOMAINS', "https://meet.redacteddomain.tld");
      define('REDIRECT_ALLOWED_DOMAINS', 'https://meet.redacteddomain.tld');

    2. When konnect is used to login to webapp, mdm stops working. I am presented with the below screenshot when I click on settings in webapp or when I try to refresh the list of mobile devices:
      [screenshot attachment: image.png]
      The z-push error log contains the below, which indicates that no translation between userids as konnect sees them and z-push expects them is happening:

    18/09/2019 02:01:03 [30046] [WARN] [AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAUAAAAwMjFFa0Z0ZVREQ05Cd2hrTkVGVitRPT0AAAAA#aaaaakwhqvba0 5isxn7p1mwrcubaaaabgaaaauaaaawmjffa0z0zvreq05cd2hrtkvgvitrpt0aaaaa] /var/www/html/z-push/backend/kopano/kopano.php:168 mapi_logon_zarafa(): Unable to setup service for provider (2)
    18/09/2019 02:01:03 [30046] [ERROR] [AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAUAAAAwMjFFa0Z0ZVREQ05Cd2hrTkVGVitRPT0AAAAA#aaaaakwhqvba0 5isxn7p1mwrcubaaaabgaaaauaaaawmjffa0z0zvreq05cd2hrtkvgvitrpt0aaaaa] KopanoBackend->Logon(): login failed with error code: 0xFFFFFFFF80040111
    18/09/2019 02:01:03 [30046] [FATAL] [AAAAAKwhqVBA0+5Isxn7p1MwRCUBAAAABgAAAAUAAAAwMjFFa0Z0ZVREQ05Cd2hrTkVGVitRPT0AAAAA#aaaaakwhqvba0 5isxn7p1mwrcubaaaabgaaaauaaaawmjffa0z0zvreq05cd2hrtkvgvitrpt0aaaaa] Exception: (AuthenticationRequiredException) - Access denied. Username or password incorrect
    

    Any help you can provide to solve these two issues is appreciated. Thank you.


  • Kopano

    @irreleph4nt,
    You need to add the right origin in the konnectd-identifier-registration.yaml file, so something like this:

      - id: WebApp
        trusted: yes
        application_type: web
        redirect_uris:
          - https://mail.redacteddomain.tld/webapp/
          - https://mail.redacteddomain.tld/webapp/index.php
          - https://mail.redacteddomain.tld/webapp/index.php?logout
          - https://mail.redacteddomain.tld/webapp/oidc-silent-refresh.php
        origins:
          - https://mail.redacteddomain.tld
    

    Z-push does not have support for konnect at the moment, so the MDM plugin cannot authenticate against it, so you see the access denied error.
    I have no idea if z-push will support konnect in the near future.
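
    The "invalid origin" error above comes down to the origin of the page sending the logout request not being listed under `origins` for the WebApp client. The following is an added example, not Kopano or konnect code, that lints a client entry the way a practitioner would before reloading konnectd: it derives the origin of every `redirect_uri` with `urllib.parse`, checks that the origin is registered, that every `redirect_uri` is https and that `origins` entries are bare origins (no path or trailing slash), and models the request-origin check from the log message. The client entries are embedded as the dicts `yaml.safe_load` would return so it runs without PyYAML; `TYPO_CLIENT` is constructed to reproduce the kind of misspelling that caused the poster's problem. How konnect implements the check internally is assumed, not taken from its source.

```python
# Added example: lint a konnectd-identifier-registration.yaml client entry.
# Not konnect's code; the origin check below is modelled on the log message
# "IdentifierIdentityManager: id_token_hint does not match request"
# error="invalid origin: https://mail.redacteddomain.tld", not on konnect's source.
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return scheme://host[:port] for an absolute URL, lower-cased, with the
    default port dropped, i.e. what a browser puts in an Origin header."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    default_port = {"https": 443, "http": 80}.get(scheme)
    if parts.port is None or parts.port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{parts.port}"


def lint_client(client: dict) -> list:
    """Return a list of findings (empty means the entry looks consistent)."""
    findings = []
    cid = client.get("id", "<no id>")
    origins = set(client.get("origins") or [])
    for uri in client.get("redirect_uris") or []:
        try:
            origin = origin_of(uri)
        except ValueError as exc:
            findings.append(f"{cid}: {exc}")
            continue
        if not uri.lower().startswith("https://"):
            findings.append(f"{cid}: redirect_uri {uri} is not https")
        if origin not in origins:
            findings.append(
                f"{cid}: origin {origin} of redirect_uri {uri} "
                f"is not listed under origins {sorted(origins)}"
            )
    for entry in origins:
        # A path, query or trailing slash in an origins entry will never
        # equal a browser Origin, so flag it.
        if entry != origin_of(entry):
            findings.append(
                f"{cid}: origins entry {entry!r} is not a bare origin "
                f"(expected {origin_of(entry)})"
            )
    return findings


def request_origin_allowed(client: dict, request_origin: str) -> bool:
    """Assumed model of the failing check: the origin of the page that sends
    the end-session request must be one of the client's registered origins."""
    registered = {origin_of(o) for o in client.get("origins") or []}
    return origin_of(request_origin) in registered


# Constructed data: the WebApp entry from the thread, as yaml.safe_load returns it.
GOOD_CLIENT = {
    "id": "WebApp",
    "trusted": True,
    "application_type": "web",
    "redirect_uris": [
        "https://mail.redacteddomain.tld/webapp/",
        "https://mail.redacteddomain.tld/webapp/index.php",
        "https://mail.redacteddomain.tld/webapp/index.php?logout",
        "https://mail.redacteddomain.tld/webapp/oidc-silent-refresh.php",
    ],
    "origins": ["https://mail.redacteddomain.tld"],
}

# Constructed: the same entry with a misspelled origin (tld -> tdl), the sort of
# typo that produces the "invalid origin" error on logout.
TYPO_CLIENT = dict(GOOD_CLIENT, origins=["https://mail.redacteddomain.tdl"])


if __name__ == "__main__":
    for client in (GOOD_CLIENT, TYPO_CLIENT):
        print(f"--- {client['id']} origins={client['origins']}")
        for finding in lint_client(client) or ["ok"]:
            print(" ", finding)
        print("  logout from https://mail.redacteddomain.tld allowed:",
              request_origin_allowed(client, "https://mail.redacteddomain.tld"))
```

    Run it after editing the registration file and before restarting konnectd; every `redirect_uri` whose origin is missing from `origins` is reported individually, so a single typo in `origins` shows up as one finding per redirect URI, which is what makes it easy to spot.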



  • @robing
    Thank you. Reviewing my configuration I found a spelling mistake in the identifier registration. Correcting that fixed the logout issue! :)

