Did anyone have success integrating XDMoD and OnDemand?

Hello,

I’m curious whether anyone has had success integrating XDMoD and OnDemand. There are a lot of topics on this forum (some of them mine), but I haven’t found anyone with a solution yet.

Help setting up XDMoD 10.0 Dashboard integrated in OOD 2.0.28 and Keyclock(SAML) Single Sign On Authentication

I have OnDemand version: 3.1.1 and XDMoD Version: 10.5.0

On the OnDemand site I see that the login on the XDMoD site is timing out.

I’m able to log in on the XDMoD site, but the OnDemand dashboard link doesn’t work.

For authentication I use SAML authentication with Active Directory Federation Services (ADFS) and mod_auth_mellon (not Keycloak).

I already asked on the XDMoD forum as well, but we were not able to find a resolution.

I see the Open XDMoD - Integrations Single Sign-on (SSO) Embedding docs on the XDMoD documentation page,

where it says “The application that is integrating with Open XDMoD should contain a page like the following”

Does anyone have such a page on their OnDemand site, and if so, can someone share it with me so I can see how it looks and where in the application it is located?

At the risk of asking an obvious question, did you follow the directions here: Customizations — Open OnDemand 3.1.0 documentation

I’m aware of lots of sites that have OnDemand and XDMoD integration (including our own at OSC). I suspect there is some sort of trust / security configuration that is missing between your OnDemand host and XDMoD host.

No worries, thank you for responding.

On my Ondemand server:

/etc/ood/config/nginx_stage.yml
OOD_XDMOD_HOST: "https://xdmod.server"

/etc/httpd/conf.d/ood-portal.conf
Header always set Content-Security-Policy "frame-ancestors https://*.domain.com 'self'"

On my xdmod server:

/etc/xdmod/portal_settings.ini

[cors]
; this allows for specified domains (comma separated list) to
; respond with cors headers allowing third party integration
domains = "https://ondemand.server,https://ondemand.server.domain.com,https://ondemand.server/"

And out of desperation (because it probably doesn’t need to be there):
/etc/httpd/conf.d/xdmod.conf

Header always set Content-Security-Policy "frame-ancestors https://*.domain.com 'self'"

I don’t have anything in my /etc/httpd/conf.d/ood-portal.conf about xdmod, even though I have it in /etc/ood/config/nginx_stage.yml; not sure if that’s OK.

Yeah I’m not sure either.

It looks like you have step 1 set right in /etc/ood/config/nginx_stage.yml assuming there’s a pun_custom_env block above the entry.

Step 2 looks correct too.

Step 3 I’m not sure though. Looks like our docs are really setting up keycloak specifically. That configuration does look right though for what you are trying to do.

I’m a bit confused here too. It seems like we say you don’t, yet I see in a Discourse topic that you shared that we do in fact set something with security_csp_frame_ancestors, but I notice you have this instead:

If you look here in the docs below you can see the setting, and as the previous post pointed out we have that set to the ood host:
https://osc.github.io/ood-documentation/latest/reference/files/ood-portal-yml.html?highlight=security_csp_frame_ancestors

I can’t see our settings as I don’t have access, but what happens if you set that to the host rather than what you have now?

I changed it to

Header always set Content-Security-Policy "frame-ancestors https://ht-hpc-ondemand.domain.com 'self'"

and restarted httpd but still have the same problem.
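The frame-ancestors values posted in this thread can be checked mechanically instead of by reloading the dashboard. The following is an added example, not code from the OnDemand or XDMoD projects or from anyone in this thread: it evaluates a Content-Security-Policy frame-ancestors directive against the embedding origin the way a browser does, including the case where the space before 'self' is missing, so that the whole token is invalid and dropped. The hostnames (ht-hpc-ondemand.domain.com, xdmod.server) are the placeholders used in this thread.

```python
"""Evaluate a CSP frame-ancestors directive as a browser would, to check whether
the OnDemand origin may embed XDMoD. Hostnames are constructed from this thread."""
import re
from urllib.parse import urlsplit

# Host-source grammar, simplified from CSP3: optional scheme, host with an
# optional "*." prefix (or bare "*"), optional port, optional path.
_HOST_SOURCE = re.compile(
    r"^(?:(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*)://)?"
    r"(?P<host>(?:\*\.)?[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)*|\*)"
    r"(?::(?P<port>\d+|\*))?(?:/\S*)?$"
)

def parse_frame_ancestors(csp_value):
    """Valid source expressions of frame-ancestors, or None if the directive is
    absent. Tokens that do not parse (e.g. no space before 'self') are dropped."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [t.lower() if t.startswith("'") else t for t in parts[1:]
                    if t.lower() in ("'self'", "'none'") or _HOST_SOURCE.match(t)]
    return None

def _host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):  # *.domain.com matches a.domain.com, not domain.com
        return host.endswith(pattern[1:])
    return host == pattern

def frame_ancestor_allowed(csp_value, ancestor_origin, self_origin):
    """True if a page served with csp_value by self_origin may be framed by
    ancestor_origin. Ports are parsed but not compared (default ports assumed)."""
    sources = parse_frame_ancestors(csp_value)
    if sources is None:
        return True  # no directive: CSP does not restrict framing
    a = urlsplit(ancestor_origin)
    for src in sources:  # an empty list (only invalid tokens) allows nobody
        if src == "'self'":
            if ancestor_origin.lower() == self_origin.lower():
                return True
            continue
        m = _HOST_SOURCE.match(src)  # None for 'none' or unparsable tokens
        if not m or (m["scheme"] and m["scheme"].lower() != a.scheme):
            continue
        if _host_matches(m["host"], a.hostname or ""):
            return True
    return False
```

Feed it the Content-Security-Policy value the XDMoD host actually returns (for example from `curl -sI` against the dashboard URL) together with the OnDemand origin the browser uses; a False result means the browser refuses the iframe before any SSO login can start, independent of mod_auth_mellon.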

I think there is an issue with mod_auth_mellon that we’re unable to replicate because we use OIDC authentication.

@jeff.ohrstrom, can I find more info on it? What are my options? Use another auth method, or wait until this is resolved?

Thank you

I don’t know if you have any good ones. Changing auth would likely be a huge undertaking and you may be waiting a while for it to be resolved.

We (the developers) don’t have access to a test system with mod_auth_mellon so we kinda need community support for a thing like this. We just can’t develop it on our own. Maybe with NSF ACCESS we’ll get access to a development environment with mod_auth_mellon, but I can’t say that we will for sure.