Vision Client SSO Login on Linux IGEL (Ubuntu 18.04)

We are testing vision client launcher on IGEL machines (very small, portable computers) and when we attempt to login into a site using SSO, we are never redirected to a web browser. In linux it is a chromium browser.

Normally from our windows instances we are redirected to a Chrome browser, the SAML response made and processed, and then we can go back to the vision client launcher.

@jspecht

Thanks,

Nick

Are there any related exceptions or error messages in the vision client logs?

We are looking at visionclientlauncher.log and there is no message in there related to the content or timestamps that we are looking for. Is there someone else to look?

Here is what we can see:

Starting Java with the following parameters: nohup /root/.ignition/cache/resources/runtimes/11.0.10/bin/java -classpath /root/.ignition/cache/resources/platform/launchclient.jar/00000000D8878510/launchclient.jar -Djavaws.sr.gateway.addr.0=https://HIDDEN IP ADDRESS -Djavaws.sr.launchts=1622747548346 -Djavaws.sr.main=com.inductiveautomation.factorypmi.application.runtime.ClientLaunchHook -Djavaws.sr.platform.edition= -Djavaws.sr.platform.plugins= -Djavaws.ignition.sso=true -Xms64M -Xmx256M -Djavaws.sr.memory.init=64M -Djavaws.sr.memory.max=256M -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=false -Djavaws.sr.screen=0 -Djavaws.sr.scope=C -Djavaws.sr.project=MCO1_New com.inductiveautomation.ignition.client.launch.BootstrapSwing &

Which specific version of Ignition are you on?

When you click the button to launch your web browser for logging into the IdP, does it simply do nothing? Do you see a popup window hidden in the background with an error message like “Unable to open login page.”?

I just tested the SAML IdP login flow from a vision client in an Ubuntu 18.04.5 Desktop VM against Ignition 8.1.5 - worked fine when default browser was FF and when it was set to Chromium. Maybe there is something specific to the device that is causing problems. Hopefully there is an error dialog pop up that’s in the background that will give us more insight into the issue, otherwise diagnosing the issue will be much trickier.

Yes - diagnostics inside the actual client (Ctrl + Shift + F7 is the shortcut if the menubar is disabled).

1 Like

Oops, actually, you won’t have access to the client diagnostics at this point in time. What you can do is take the ‘Starting Java with the following parameters’ line and directly run it in a terminal, e.g.:

/root/.ignition/cache/resources/runtimes/11.0.10/bin/java -classpath /root/.ignition/cache/resources/platform/launchclient.jar/00000000D8878510/launchclient.jar -Djavaws.sr.gateway.addr.0=https://HIDDEN IP ADDRESS -Djavaws.sr.launchts=1622747548346 -Djavaws.sr.main=com.inductiveautomation.factorypmi.application.runtime.ClientLaunchHook -Djavaws.sr.platform.edition= -Djavaws.sr.platform.plugins= -Djavaws.ignition.sso=true -Xms64M -Xmx256M -Djavaws.sr.memory.init=64M -Djavaws.sr.memory.max=256M -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=false -Djavaws.sr.screen=0 -Djavaws.sr.scope=C -Djavaws.sr.project=MCO1_New com.inductiveautomation.ignition.client.launch.BootstrapSwing

Then you should be able to see any informational logging we do in stdout/stderr in the terminal.

1 Like

When we launch the vision client using command line, it opens a GUI canvas with login button. Clicking the button triggers a short spiral and then static screen. Here is the terminal output

Is there an IP.java class missing. My understanding is the SAML API call exchange need to have a web-browser head for execution. Is there any way we can parameterize (pass in) the path for the browser to use. Seems like in this IGEL instance of ubuntu it is not finding a web browser or possibly it’s not finding the display to launch the browser within (?).

If we launch the client launcher, here is the stderr/out:
nohup.out.txt (26.5 KB)

Also have not found any indicative diagnostic in visionclientlauncher.log file.

No, I think “HIDDEN IP ADDRESS” is literally being used as part of the gateway address parameter, causing the Java command line parsing to fail in a weird way and think it should start loading a main class called “IP”.

Did you copy and paste this from something and forget to put an actual IP in there?

copy/pasted. Platinum blonde today…

I usually tell people to pull the command being executed by the launcher out of their own launcher logs rather than copy the one from my machine because there are subtle differences in some of the parameters/paths.

yea that’s where I got it when I tested on my own machine (as suggested in your other post). we’re doing this all async & remotely hence la booBoo…

So here is the console output from running the client launch command in an interactive shell:

WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by de.javasoft.plaf.synthetica.SyntheticaLookAndFeel (file:/root/.ignition/cache/resources/platform/synthetica-3.1.1.jar/00000000162B46C0/synthetica-3.1.1.jar) to method sun.swing.DefaultLookup.setDefaultLookup(sun.swing.DefaultLookup)
WARNING: Please consider reporting this to the maintainers of de.javasoft.plaf.synthetica.SyntheticaLookAndFeel
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

And the command itself which we copied verbatim from visionclientlauncher.log file:

/root/.ignition/cache/resources/runtimes/11.0.10/bin/java

-classpath /root/.ignition/cache/resources/platform/launchclient.jar/00000000D8878510/launchclient.jar

-Djavaws.sr.gateway.addr.0=https://us04085nt110igg.s04085.us.wal-mart.com:8043

-Djavaws.sr.launchts=1624474156716

-Djavaws.sr.main=com.inductiveautomation.factorypmi.application.runtime.ClientLaunchHook

-Djavaws.sr.platform.edition= -Djavaws.sr.platform.plugins= -Djavaws.ignition.sso=true

-Xms64M -Xmx256M -Djavaws.sr.memory.init=64M -Djavaws.sr.memory.max=256M

-Dsun.java2d.d3d=false -Dsun.java2d.noddraw=false -Djavaws.sr.screen=0 -Djavaws.sr.scope=C

-Djavaws.sr.project=MCO1_New com.inductiveautomation.ignition.client.launch.BootstrapSwing &

The behaviour was same as when we launch the project using client launcher.

  1. window opens with login button
  2. click on it and the cursor animates/spirals as short while
  3. nothing else happens (when normally SSO login would open a web browser and chunk through an API exchange with the SAML server)

I just noticed the /root/ in your logs. And you say it is Ubuntu. There’s so much out there saying to never run GUIs as root that you might be running into a limit that Ubuntu enforces.

Try using a regular user account instead of root.

Then set your display manager to autologin to the designated regular user, if that’s the kind of startup you want.

Thanks @pturmel for your thoughts. We’ll test using a more vanilla user.

@Kevin.Herron
Is there an argument to tell the launcher where chrome can be found? We put chrome on the device to see if the launcher would find it and launch it, but it did not.

No it delegates to Java’s Desktop.browse and if that’s not available, which I suppose is possible since you’re running as root on Linux, falls back I think to whatever xdg-open is configured for.

Hey @Kevin.Herron

So we made a little more progress. I think Phil’s (@pturmel ) suggestion may have been the huckleberry. Still not working but get more diagnostic info.

Your thoughts?

Here are the stdout & stderr from running the command in an interactive shell:

I’m thinking it may be puking on the SSL cert that the client launcher first needs the user to accept. This is a team effort so I’m not actually driving the test vehicle…

StdErr


nohup: ignoring input and appending output to 'nohup.out'
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by de.javasoft.plaf.synthetica.SyntheticaLookAndFeel (file:/userhome/.ignition/cache/resources/platform/synthetica-3.1.1.jar/00000000162B46C0/synthetica-3.1.1.jar) to method sun.swing.DefaultLookup.setDefaultLookup(sun.swing.DefaultLookup)
WARNING: Please consider reporting this to the maintainers of de.javasoft.plaf.synthetica.SyntheticaLookAndFeel
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

(java:15378): GLib-GIO-WARNING **: 19:40:00.553: /usr/share/applications/defaults.list contains a [Added Associations] group, but it is not permitted here.  Only the non-desktop-specific mimeapps.list file may add or remove associations.
gstswitcher: current: 1.0, requested: 1.0, wanted: 1.0
[15475:15475:0629/194000.952797:ERROR:sandbox_linux.cc(374)] InitializeSandbox() called with multiple threads in process gpu-process.
[15477:15486:0629/194001.120868:ERROR:cert_issuer_source_aia.cc(31)] Error parsing cert retrieved from AIA (as DER):
ERROR: Failed parsing Certificate SEQUENCE
ERROR: Failed parsing Certificate

[15477:15486:0629/194001.121451:ERROR:cert_issuer_source_aia.cc(31)] Error parsing cert retrieved from AIA (as DER):
ERROR: Failed parsing Certificate SEQUENCE
ERROR: Failed parsing Certificate

[15477:15483:0629/194001.121810:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -202
[15477:15483:0629/194001.121911:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -202
[15477:15486:0629/194018.051437:ERROR:cert_issuer_source_aia.cc(31)] Error parsing cert retrieved from AIA (as DER):
ERROR: Failed parsing Certificate SEQUENCE
ERROR: Failed parsing Certificate

[15477:15486:0629/194018.051850:ERROR:cert_issuer_source_aia.cc(31)] Error parsing cert retrieved from AIA (as DER):
ERROR: Failed parsing Certificate SEQUENCE
ERROR: Failed parsing Certificate

[15477:15483:0629/194018.052152:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -202
[15477:15483:0629/194018.289492:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -202
[15477:15483:0629/194018.449936:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -202
[15477:15483:0629/194018.635378:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -202
[15477:15483:0629/194018.809652:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -202
[15477:15483:0629/194018.994649:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -202
[15477:15483:0629/194019.178900:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -202
[15477:15483:0629/194019.340925:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -202
[15477:15483:0629/194019.524163:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -202
[15477:15483:0629/194019.692786:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -202
[15477:15483:0629/194019.871982:ERROR:ssl_client_socket_impl.cc(959)] handshake failed; returned -1, SSL error code 1, net_error -202


Just to add closure to this thread, we never resolved the Vision Client Launcher issue (chunking SAML api’s in a web browser head to the JVM launch).

Work-around is to switch to Perspective. Vastly improved framework!