Issue connecting to SCIM Bridge on Azure Container App

Options
jorgensq
jorgensq
Community Member
edited April 18 in SCIM Bridge

After installing and configuring the app with the correct SCIM-session etc, when i try to access the URL, i get the following message:

upstream connect error or disconnect/reset before headers. retried and the latest reset reason: remote connection failure, transport failure reason: delayed connect error: 111

In the logs on the container, there are no unusual entries when starting up the container.

2024-04-18T20:26:53.29551  Connecting to the container 'op-scim-bridge'...
2024-04-18T20:26:53.31655  Successfully Connected to container: 'op-scim-bridge' [Revision: 'ding-ca-1p-scimbridge-prod--XXX', Replica: 'ding-ca-1p-scimbridge-prod--utslpq6']
2024-04-18T20:20:28.616592804Z 8:20PM INF 1Password SCIM bridge, starting up application=op-scim build=209011 hostname=ding-ca-1p-scimbridge-prod--XXX instance_id=g2tgepia version=2.9.1
2024-04-18T20:20:28.616643419Z 8:20PM INF registering new health component application=op-scim build=209011 component=RedisCache hostname=ding-ca-1p-scimbridge-prod--XXX instance_id=g2tgepia service=health version=2.9.1
2024-04-18T20:20:28.616761315Z 8:20PM INF starting to poll components for health reports application=op-scim build=209011 hostname=ding-ca-1p-scimbridge-prod--XXX instance_id=g2tgepia service=health version=2.9.1
2024-04-18T20:20:28.617445940Z 8:20PM INF registering new health component application=op-scim build=209011 component=CertificateManager hostname=ding-ca-1p-scimbridge-prod--XXX instance_id=g2tgepia service=health version=2.9.1
2024-04-18T20:20:28.617608763Z 1.713471628617399e+09    info    maintenance started background certificate maintenance  {"cache": "0xc000168d80"}
2024-04-18T20:20:28.618243950Z 8:20PM INF starting certificate manager application=op-scim build=209011 component=CertificateManager domain=ding-ca-XXX.westeurope.azurecontainerapps.io hostname=ding-ca-1p-scimbridge-prod--XXX instance_id=g2tgepia version=2.9.1
2024-04-18T20:20:28.618439771Z 8:20PM INF registering new health component application=op-scim build=209011 component=SCIMServer hostname=ding-ca-1p-scimbridge-prod--XXX instance_id=g2tgepia service=health version=2.9.1
2024-04-18T20:20:28.619359726Z 8:20PM INF starting 1Password TLS SCIM bridge server addr=:8443 application=op-scim build=209011 component=SCIMServer hostname=ding-ca-1p-scimbridge-prod--XXX instance_id=g2tgepia version=2.9.1
2024-04-18T20:20:28.619393919Z 8:20PM INF waiting for bearer token to begin confirmation user watcher application=op-scim build=209011 component=ConfirmationWatcher hostname=ding-ca-1p-scimbridge-prod--XXX instance_id=g2tgepia version=2.9.1
2024-04-18T20:20:28.619600756Z 8:20PM INF waiting for bearer token to begin start provision user watcher application=op-scim build=209011 component=StartProvisionWatcher hostname=ding-ca-1p-scimbridge-prod--XXX instance_id=g2tgepia version=2.9.1
2024-04-18T20:20:28.619841158Z 8:20PM INF registering new health component application=op-scim build=209011 component=StartProvisionWatcher hostname=ding-ca-1p-scimbridge-prod--XXX instance_id=g2tgepia service=health version=2.9.1
2024-04-18T20:20:28.619847427Z 8:20PM INF registering new health component application=op-scim build=209011 component=ConfirmationWatcher hostname=ding-ca-1p-scimbridge-prod--XXX instance_id=g2tgepia service=health version=2.9.1

Any pointers on where to navigate would be awesome.

(FTI: when SCIM-config was not present, the container loaded the webpage with two out of three checkmarks). I have not changed any config on the container, just uploaded the base 64 encoded SCIMSESSION data.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser: Not Provided

Comments

  • hemal.g_1p
    hemal.g_1p
    Options

    Hi @jorgensq

    Sorry to know you are having this issue with your SCIM bridge deployment. Lets try to figure out whats going wrong here:
    1) Can you check the firewall options and confirm the port used by the container application is open?
    2) Confirm there are no network settings that could be causing issues with the network?
    3) Does the same error occur when trying to access the container application from another network or location?
    4) Can you confirm if you are able to access the SCIM bridge and authenticate with your bearer token through the web interface?

  • jorgensq
    jorgensq
    Community Member
    Options

    Thanks for the reply @hemal.g_1p .

    After much trying around, i found some settings-options for another application you had some documentation for.

    Turns out the guide you have are missing the fact that Azure container Apps have their own TLS certificate and does not need the Lets Encrypt functionality (in fact, you HAVE to turn it off on stock-settings to get it to work.

    So: First to answer your questions:

    1: I can reach the application, there was no firewall issues.
    2: This is a very broad question, but the container was not recieving traffic, due to it trying to mount the lets Encrypt certificate.
    3: Yes, this was persistant across networks.
    4: I was not -> when i tried i got the error message.

    TLDR: The settings needed to be set in adition to your env-variables on https://github.com/1Password/scim-examples/blob/main/azure-container-apps/aca-op-scim-bridge.yaml was:

                {
              name: 'OP_DOMAIN'
              value: 'YOURDOMAIN.1password.eu'
            }
            {
              name: 'OP_LETSENCRYPT_DOMAIN'
              value: ''
            }