We're trying to set up SSO using Microsoft Entra, but we've had difficulties troubleshooting. We've been following the guide, but it's less obvious to us where Auth0 diverges from Entra.
We were originally getting a Bad Gateway error when attempting to log in, which seemed to be caused by nginx rejecting the requests because the headers were too long. So, we modified PRODIGY_OIDC_REQUIRED_SCOPES as suggested here.
Unfortunately, now we appear to be stuck in some kind of login loop, with the logs showing the following chain of redirects:
This seems to suggest that (1) the main page redirects to /login, (2) which then redirects to login/callback on a successful login, (3) which then redirects to a session, but then for some reason it loops back to the login page as if the user hadn't been authenticated.
There's not much difference really between the Auth0 and Entra setup. I suspect it's more likely that nginx might be adding the session ID only on the way to the server, to the effect that the browser is not aware of the session argument and considers the request unauthorized, which would cause the authentication loop.
Could you possibly test your Entra SSO setup without nginx in the middle? Just to confirm my initial hypothesis.
Another test would be to copy and paste in the browser the URI with the session argument that appears in the logs (you'd need to prefix it with the base URL for your Prodigy instance):
Hi @magdaaniol, I'm working on this with @laurejt and we had some time together to do some more troubleshooting. Hoping you can advise on what might be going on or what to try next.
To test without nginx in the loop, I used ssh with port forwarding and edited my local hosts file so that it answers to the domain name where we're testing Prodigy with SSO, which is the one configured in the MS Entra configuration. The only difference is that MS Entra is configured to use https, and the way I'm accessing it cuts https out of the loop. I'm manually editing redirected URLs in the browser when I'm sent to https; that may be introducing additional problems.
When I test with this setup, bypassing nginx, here's the sequence of URLs reported by the Network panel in my browser:
The callback goes to https because that's what's configured in MS Entra. I tried configuring it to test on http://localhost/ but I can't get that to work either.
We're not even getting to the session URLs with this approach, and it still doesn't seem like the Prodigy application registers us as being logged in.
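The loop seen in the test above (Entra returns the browser to the https callback, the following hop is rewritten to plain http) can be reproduced offline with Python's standard-library cookie jar, which applies the same Secure and Path rules a browser does. This is an added example, not code from the thread or from Prodigy: it assumes the application keeps the logged-in state in a cookie, and the host name prodigy.example.org, the paths, the cookie name `session` and every Set-Cookie value below are constructed. It also covers one case the thread does not mention: a cookie set on the callback without an explicit Path attribute defaults to the callback's parent path (/login) and is never sent to /.

```python
# Added example (not from the thread or from Prodigy): replay a login redirect
# chain through http.cookiejar, which enforces the same Secure/Domain/Path rules
# a browser does, and report on which hop the session cookie stops being sent.
# Host name, paths, cookie name and Set-Cookie values are all constructed.
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "prodigy.example.org"  # hypothetical name, stands in for the hosts-file entry
SESSION_COOKIE = "session=abc123; Path=/; Secure; HttpOnly"  # constructed value
SESSION_COOKIE_NO_PATH = "session=abc123; Secure; HttpOnly"  # constructed, no Path

# Mixed scheme, as in the ssh port-forwarding test: the callback arrives over
# https and sets the cookie, the tester then rewrites the next hop to http.
MIXED_SCHEME_CHAIN = [
    (f"http://{HOST}/", []),
    (f"http://{HOST}/login", []),
    (f"https://{HOST}/login/callback?code=constructed", [SESSION_COOKIE]),
    (f"http://{HOST}/", []),  # Secure cookie is withheld here -> back to /login
]

# Same flow entirely over https: the cookie is sent on the hop after the callback.
ALL_HTTPS_CHAIN = [
    (f"https://{HOST}/", []),
    (f"https://{HOST}/login", []),
    (f"https://{HOST}/login/callback?code=constructed", [SESSION_COOKIE]),
    (f"https://{HOST}/", []),
]

# All https, but the cookie has no Path attribute: it defaults to /login and is
# therefore not sent to /, which also produces a login loop.
NO_PATH_CHAIN = [
    (f"https://{HOST}/login", []),
    (f"https://{HOST}/login/callback?code=constructed", [SESSION_COOKIE_NO_PATH]),
    (f"https://{HOST}/", []),
]


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            # Message.__setitem__ appends, so repeated Set-Cookie headers survive.
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def trace_chain(chain, cookie_name="session"):
    """chain: [(url, [Set-Cookie values returned by that hop]), ...] in order.

    Returns one dict per hop: 'held' is whether the jar already stores the
    cookie before the request, 'sent' whether it would be attached to it."""
    jar = CookieJar()
    trace = []
    for url, set_cookies in chain:
        req = Request(url)
        held = any(c.name == cookie_name for c in jar)
        jar.add_cookie_header(req)  # what the browser would send on this hop
        sent = any(part.strip().startswith(cookie_name + "=")
                   for part in req.get_header("Cookie", "").split(";"))
        trace.append({"url": url, "held": held, "sent": sent})
        jar.extract_cookies(_Response(set_cookies), req)  # what this hop set
    return trace


def diagnose(trace):
    """Short verdict: cookie withheld by the browser, never stored, or fine."""
    withheld = [h["url"] for h in trace if h["held"] and not h["sent"]]
    if withheld:
        return "browser holds the cookie but will not send it to: " + ", ".join(withheld)
    if not any(h["held"] for h in trace):
        return "no hop stored the cookie (never set, or rejected by Domain/Path rules)"
    return "cookie sent on every hop after it was set"


if __name__ == "__main__":
    for name, chain in [("mixed scheme", MIXED_SCHEME_CHAIN),
                        ("all https", ALL_HTTPS_CHAIN),
                        ("no Path attribute", NO_PATH_CHAIN)]:
        trace = trace_chain(chain)
        print(f"{name}: {diagnose(trace)}")
        for hop in trace:
            print(f"  held={hop['held']!s:5} sent={hop['sent']!s:5} {hop['url']}")
```

To use this against a real capture, replace the constructed chains with the URLs from the browser's Network panel and the Set-Cookie values from each response; a hop reported as held but not sent points at a scheme or Path mismatch rather than at the identity provider.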
The next thing I was going to suggest is to try to set up Prodigy running locally, i.e. over http, with a new test Entra app (one that would accept http), but I'm not sure if you can do that within your org's Entra account.
I just wanted to check this way whether the basic settings are correct and we are dealing with networking issues.
Also, maybe you could share screenshots of your Entra configuration (if not here, then at contact@explosion.ai) just to double-check?
If that doesn't work, it is probably best to have a support call? We'll DM you a Calendly link where you can book a slot.