
Troubleshooting RBAC and OpCo Issues

Authentication Failed for the SP User, Tenant User, or OpCo User

Problem

Description: Service provider (SP) user, tenant user, or OpCo user authentication does not work.

Solution

The CSP administrator, SP administrator, or OpCo administrator must check the authentication method that is set for the SP user, tenant user, or OpCo user, respectively.

  1. Log in to the Administration Portal (Global level) and select Administration > Authentication.

    The Authentication page appears.

  2. Check the authentication method for the SP user, tenant user, or OpCo user.
    • If the authentication method is set as Local, follow these steps:

      1. Log in to the central infrastructure VM and run the source /etc/keystone/keystonerc command.
      2. Type openstack and press Enter to start the OpenStack CLI.
      3. Enter the keystone administrator password.
      4. Run the user list command and check whether the user name is listed in keystone.
      5. If the user name is listed, set the password by using the Forgot Password link on the Administration Portal login page. See Resetting Your Password.

        If the user name is not listed, the CSP administrator or the SP administrator must add the user in CSO. See Add Service Provider and OpCo Users.

      6. If the user does not receive an e-mail with the passcode, set the password through the OpenStack CLI.
    • If the authentication method is set as Authentication with SSO Server, follow these steps:

      1. Check whether the user name is listed in the SSO server.
      2. Ensure that the SSO server SAML metadata is correct. Navigate to Administration > Authentication > Single Sign-On Servers > Edit to check the SAML metadata.
      3. Ensure that the DNS name of the JCS server is correct in the client server.
      4. Ensure that the portal URLs are mapped correctly in the SSO server and the CSO server.
      5. Check whether the same user name is created in CSO with the same role.
      6. Ensure that the tenant name is mapped correctly in CSO and in the SSO server.
    • If the authentication method is set as Authentication and Authorization with SSO Server, follow these steps:

      1. Ensure that the user name was created in CSO in the correct pattern for authentication and authorization.
      2. Ensure that the role mapping is created correctly in CSO. A mapping between the roles defined in CSO and the roles defined in the external SSO server or identity provider must be provided.
      3. Check whether the user name and role are created correctly in the SSO server.
      4. Ensure that the service provider and tenant SAML2 metadata URLs of the SSO server are configured correctly.

Authorization Failed for the SP User, Tenant User, or OpCo User

Problem

Description: SP user, tenant user, or OpCo user authorization does not work. While accessing some UI pages or features, an Insufficient privileges error message is displayed.

Solution

To resolve the issue:

  • The CSP administrator, SP administrator, or OpCo administrator must check the role mapped to the user in CSO.

    1. Log in to Administration Portal and select Administration > Roles.

      The Roles page appears.

    2. Check whether the role is a predefined role or a custom role, and then check the privileges that the role grants to the user. Select the role name and click the pencil icon to view the privileges.
  • Check the browser console for JavaScript errors.

    Identify the privilege that is causing the error and check whether that privilege is assigned to the user.

  • Using a web browser, check the following REST API output while logged in to CSO with the user account.

    1. Access the request URL https://<central-ms-IP-address>/iamsvc/get-user-capabilities.

      The output of the REST API must list the capabilities of the logged-in user.

    2. Check whether the capabilities assigned in the UI match the capabilities in the REST API output.

      The JSON output lists all the capabilities.

    If there are any discrepancies between the privileges in the JSON output and the role definition, contact the Juniper Networks Technical Support team.
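The following Python snippet is an added example, not Juniper code and not part of the original page. It compares the JSON returned by /iamsvc/get-user-capabilities with the capabilities a UI page needs, so the "which privilege is missing" question in the steps above can be answered mechanically instead of by reading the JSON by eye. The response shape (a top-level "capabilities" list of strings), the capability names, and the per-page requirements are assumptions; substitute the keys and values you see in your own output. Save the browser response to a file and pass its text to check_page().

```python
import json

# Constructed sample of a get-user-capabilities response. The key names and
# capability strings are assumptions, not the documented CSO schema.
SAMPLE_RESPONSE = json.dumps({
    "user": "opcoadmin",
    "role": "OpCo Admin",
    "capabilities": ["view_dashboard", "view_sites", "manage_sites"],
})

# Constructed: the capabilities each UI page is assumed to require.
PAGE_REQUIREMENTS = {
    "Sites": ["view_sites", "manage_sites"],
    "Tenants": ["view_tenants", "manage_tenants"],
}


def load_capabilities(response_text):
    """Return the set of capability strings in the response.

    Raises ValueError when the body is not the expected shape, which is what
    you get when the session has expired and the portal returns its HTML
    login page instead of JSON.
    """
    try:
        data = json.loads(response_text)
    except json.JSONDecodeError as exc:
        raise ValueError("response is not JSON; is the browser still logged in?") from exc
    caps = data.get("capabilities") if isinstance(data, dict) else None
    if not isinstance(caps, list):
        raise ValueError("no 'capabilities' list in response (assumed key name)")
    return set(caps)


def missing_capabilities(response_text, required):
    """Capabilities a page or feature needs that the logged-in user lacks."""
    return sorted(set(required) - load_capabilities(response_text))


def check_page(response_text, page_requirements):
    """Map each page name to its missing capabilities; pages with no gap are omitted."""
    gaps = {}
    for page, required in page_requirements.items():
        missing = missing_capabilities(response_text, required)
        if missing:
            gaps[page] = missing
    return gaps


if __name__ == "__main__":
    # Pages that will show "Insufficient privileges" for this user, and why.
    print(check_page(SAMPLE_RESPONSE, PAGE_REQUIREMENTS))
```

If a page reports a gap here but the role shown under Administration > Roles does grant that privilege, the mismatch between the role definition and the capabilities returned by the service is the detail to give Juniper Networks Technical Support.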

Password to Onboard OpCo is Not Received or has Expired

Problem

Description: The OpCo administrative user did not receive an e-mail with login credentials, or the OpCo administrator password has expired.

Solution

To resolve the issue:

  • Access the URL for the Administration Portal. Enter the user name and click the Forgot Password link on the login page to set up a new password. See Resetting Your Password.

  • If the OpCo administrative user did not receive the e-mail, use the OpenStack CLI to set the password for the OpCo administrator.

  • Check the role assignment list to see whether there is any issue with the role assignment.

    1. Log in to the central infrastructure VM and run the source /etc/keystone/keystonerc command.
    2. Log in to OpenStack and check the output of the user list, role list, and role assignment list commands.

      For further troubleshooting, copy all the log files from /var/log/apache2 on the infra VM into a folder, compress the folder in .zip format, and contact the Juniper Networks Technical Support team.
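The following Python helper is an added example, not Juniper code and not part of the original page. It scripts the keystone checks that appear twice on this page: the user list check in the Local authentication steps and the role assignment check in this section. It assumes the output of openstack user list -f csv and openstack role assignment list --names -f csv (run after source /etc/keystone/keystonerc) has been captured to text, and it assumes that with --names keystone renders users and projects as name@domain with a default domain called Default. The sample rows, the user name opcoadmin, the role opco_admin and the project opco1 are constructed.

```python
import csv
import io

# Constructed sample output of `openstack user list -f csv`.
USER_LIST_CSV = """\
"ID","Name"
"3f1c9a7e2b4d4c0f8a6e1d2b3c4d5e6f","cspadmin"
"9e8d7c6b5a4f4e3d2c1b0a9f8e7d6c5b","opcoadmin"
"""

# Constructed sample output of `openstack role assignment list --names -f csv`.
# Assumption: with --names keystone shows user and project as <name>@<domain>,
# and the domain is named Default. Older releases omit the System column; the
# parser keys rows by header name so either layout works.
ROLE_ASSIGNMENT_CSV = """\
"Role","User","Group","Project","Domain","System","Inherited"
"admin","cspadmin@Default","","admin@Default","","","False"
"opco_admin","opcoadmin@Default","","opco1@Default","","","False"
"""


def parse_table(text):
    """Parse `openstack ... -f csv` output into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text.strip() + "\n")))


def strip_domain(value, domain):
    """Remove a trailing @<domain> added by --names; leave other values untouched."""
    suffix = "@" + domain
    return value[: -len(suffix)] if value.endswith(suffix) else value


def user_exists(user_list_csv, name):
    """Step 4 of the Local authentication checks: is the user known to keystone?"""
    return any(row.get("Name") == name for row in parse_table(user_list_csv))


def roles_for_user(assignment_csv, name, domain="Default"):
    """Return sorted (role, project) pairs assigned to the user."""
    pairs = set()
    for row in parse_table(assignment_csv):
        if strip_domain(row.get("User", ""), domain) == name:
            pairs.add((row["Role"], strip_domain(row.get("Project", ""), domain)))
    return sorted(pairs)


def diagnose(user_list_csv, assignment_csv, name, expected_role):
    """Return a list of findings; an empty list means the keystone side looks fine."""
    findings = []
    if not user_exists(user_list_csv, name):
        # Matches the page's branch: user absent, so the user must be added in CSO.
        findings.append(f"user {name!r} not in keystone: add the user in CSO")
        return findings
    roles = roles_for_user(assignment_csv, name)
    if not roles:
        findings.append(f"user {name!r} has no role assignment")
    elif expected_role not in {role for role, _ in roles}:
        findings.append(f"user {name!r} lacks role {expected_role!r}; has {roles}")
    return findings


if __name__ == "__main__":
    for user in ("opcoadmin", "cspadmin", "ghost"):
        print(user, diagnose(USER_LIST_CSV, ROLE_ASSIGNMENT_CSV, user, "opco_admin") or "OK")
```

Running the check on captured output rather than calling the CLI from the script keeps the keystone admin credentials in the operator's shell session where keystonerc put them, and leaves a text record of the listing to attach to a support case alongside the /var/log/apache2 logs.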