Reputation: 4032
I am configuring QuestDB Enterprise for SSO with PingFederate. I have gone through the config at the docs and everything is looking good on PingFederate. I have also added to my server.conf file this:
acl.oidc.enabled=true
acl.oidc.ropc.flow.enabled=false
acl.oidc.groups.claim=groups
acl.oidc.state.required=true
acl.oidc.tls.validation.enabled=false
acl.oidc.redirect.uri=https://MY_QUESTDB_DOMAIN
acl.oidc.configuration.url=https://REDACTED/.well-known/openid-configuration
acl.oidc.client.id=REDACTED
I have mapped three of my LDAP groups to QuestDB groups, using external aliases.
create group group_analysts with external alias 'CN=Analysts,OU=AADDC Users,DC=ad,DC=questdb,DC=de';
create group group_admins with external alias 'CN=Admins,OU=AADDC Users,DC=ad,DC=questdb,DC=de';
create group group_contract with external alias 'CN=Contract,OU=AADDC Users,DC=ad,DC=questdb,DC=de';
I think this should be it, but whenever I try to log in with any user from those groups, the SSO process seems to go through and the redirect to the QuestDB page is working. But rather than showing the QuestDB console, I see a blank page saying "Log in with other account".
Upvotes: 0
Views: 15
Reputation: 4032
The mapping was already good, but I hadn't noticed that not all users can see the Web Console in QuestDB, only the ones with http grants. This fixed it:
GRANT http TO group_analysts;
GRANT http TO group_admins;
GRANT http TO group_contract;
Note that if this is the only grant, the user will be able to log in and browse the web console, but trying to SELECT from any table will cause an error. You can, for example, grant permissions to all the tables with:
GRANT SELECT ON ALL TABLES TO group_admins;
Upvotes: 0
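An added example, not part of the original posts and not QuestDB's own tooling: a small audit of the `acl.oidc.*` settings from the question's `server.conf` that flags values which weaken the OIDC login flow, such as the disabled TLS validation. The meaning of each key is assumed from its name, the function names are hypothetical, and the sample file is constructed from the values posted in the question.

```python
from urllib.parse import urlparse

# Constructed sample: the settings posted in the question, placeholders kept.
SAMPLE_CONF = """\
acl.oidc.enabled=true
acl.oidc.ropc.flow.enabled=false
acl.oidc.groups.claim=groups
acl.oidc.state.required=true
acl.oidc.tls.validation.enabled=false
acl.oidc.redirect.uri=https://MY_QUESTDB_DOMAIN
acl.oidc.configuration.url=https://REDACTED/.well-known/openid-configuration
acl.oidc.client.id=REDACTED
"""

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_oidc(props):
    """Return (key, finding) pairs. Key meanings are assumed from their names."""
    findings = []
    if props.get("acl.oidc.enabled", "").lower() != "true":
        return findings  # OIDC is off, nothing to audit
    switches = [  # (key, risky value, reason), checked only when set explicitly
        ("acl.oidc.tls.validation.enabled", "false",
         "provider certificate not validated; the identity provider can be impersonated"),
        ("acl.oidc.state.required", "false",
         "state parameter not enforced; the login flow loses its CSRF protection"),
        ("acl.oidc.ropc.flow.enabled", "true",
         "password grant enabled; user passwords are handled outside the provider"),
    ]
    for key, risky, reason in switches:
        if props.get(key, "").lower() == risky:
            findings.append((key, reason))
    for key in ("acl.oidc.redirect.uri", "acl.oidc.configuration.url"):
        url = props.get(key)
        if url and urlparse(url).scheme != "https":
            findings.append((key, "not an https URL"))
    return findings

if __name__ == "__main__":
    print(audit_oidc(parse_properties(SAMPLE_CONF)))
```

On the question's settings this reports only `acl.oidc.tls.validation.enabled`; the other values pass these checks.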