
AWS Application Load Balancer with OneLogin Giving 561 Authentication Error

I am trying to integrate with OneLogin using an AWS Application Load Balancer. I've followed the instructions here. I can go through the onboarding flow, but when I finish entering my information the page yields a 561 Authentication Error.

Load Balancer Information

It's configured with a security group that:

  • Allows all ingress traffic from the internet on HTTP and HTTPS.
  • Allows outbound traffic from anywhere on HTTPS.

It listens on HTTPS: 443, with a valid SSL cert. This listener has a rule for OIDC authentication that's configured as follows:

Authenticate using OIDC
Issuer: https://openid-connect.onelogin.com/oidc
Token endpoint: https://openid-connect.onelogin.com/oidc/token
User info endpoint: https://openid-connect.onelogin.com/oidc/me
Authorization endpoint: https://openid-connect.onelogin.com/oidc/auth
Session cookie: AWSELBAuthSessionCookie
Session timeout: 604800
On unauthenticated: authenticate
Scope: openid profile

(client ID and client secret omitted)

After this it points to a target group that routes to an ECS instance. Without this authentication step, the ECS instance works as expected and the application appears.

Response Information

Request Headers, after login (identifying information omitted):

:authority: ***
:method: GET
:path: /oauth2/idpresponse?code=***&state=***
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,fr-FR;q=0.8,fr;q=0.7
cache-control: max-age=0
referer: https://***.onelogin.com/login2/?return=***
sec-fetch-dest: document
sec-fetch-mode: navigate
sec-fetch-site: cross-site
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36

Response headers:

content-length: 558
content-type: text/html
date: Thu, 09 Jul 2020 17:08:10 GMT
server: awselb/2.0
status: 561

I'm just kind of stumped as to which part of the flow is going wrong. The docs for AWS ELBs state this about 561 error codes:

HTTP 561: Unauthorized You configured a listener rule to authenticate users, but the IdP returned an error code when authenticating the user.

So I imagine something is going wrong with the OneLogin part. Any ideas would be appreciated. Thank you!

I got access to the application configuration and found that the Token Endpoint was set to Web instead of POST. Updating it correctly solved the problem. Thank you!
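To make the accepted answer concrete: the 561 is raised at the token-exchange step, after the browser is sent back to /oauth2/idpresponse?code=..., when the relying party authenticates to the IdP's token endpoint with a different client-authentication method than the one the IdP application is configured to accept. The script below is an added example, not code from the question, from AWS or from OneLogin. It builds the token request both ways defined in RFC 6749 §2.3.1 and OIDC Core §9 (client_secret_basic with an HTTP Basic header, client_secret_post with the credentials in the form body) and runs it against a small stand-in token endpoint that accepts only one of them; the mismatched case returns the standard invalid_client error, which is the kind of IdP error the load balancer reports as HTTP 561. The client id, client secret, redirect URI and authorization code are constructed values.

```python
"""Token-endpoint client-authentication mismatch, modelled offline.

Added example (not the question's or AWS/OneLogin code).  A stand-in IdP
token endpoint is configured to accept exactly one client-authentication
method; a relying party that uses the other one gets `invalid_client`
(RFC 6749 §5.2).  All identifiers below are constructed sample values.
"""
import base64
from urllib.parse import parse_qs, urlencode

CLIENT_ID = "example-client-id"            # constructed
CLIENT_SECRET = "example-client-secret"    # constructed
REDIRECT_URI = "https://app.example.com/oauth2/idpresponse"  # assumed callback


def build_token_request(method, code):
    """Return (headers, urlencoded body) for an authorization_code exchange."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # Credentials travel in the Authorization header, not the body.
        cred = f"{CLIENT_ID}:{CLIENT_SECRET}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(cred).decode()
    elif method == "client_secret_post":
        # Credentials travel as form fields alongside the grant parameters.
        form["client_id"] = CLIENT_ID
        form["client_secret"] = CLIENT_SECRET
    else:
        raise ValueError(f"unsupported method {method!r}")
    return headers, urlencode(form)


class MockTokenEndpoint:
    """Stand-in IdP token endpoint that accepts one client-auth method only."""

    def __init__(self, accepted_method, valid_codes):
        self.accepted_method = accepted_method
        self.valid_codes = set(valid_codes)

    def _authenticate(self, headers, form):
        """True only if the credentials arrive via the configured method."""
        if self.accepted_method == "client_secret_basic":
            auth = headers.get("Authorization", "")
            if not auth.startswith("Basic "):
                return False
            try:
                cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
            except (ValueError, UnicodeDecodeError):
                return False
            return cid == CLIENT_ID and secret == CLIENT_SECRET
        # client_secret_post: a Basic header alone is ignored; body fields required
        return (form.get("client_id", [None])[0] == CLIENT_ID
                and form.get("client_secret", [None])[0] == CLIENT_SECRET)

    def handle(self, headers, body):
        """Return (http_status, json_dict) with RFC 6749 §5.2 error codes."""
        form = parse_qs(body)
        if not self._authenticate(headers, form):
            return 401, {"error": "invalid_client"}
        if form.get("grant_type") != ["authorization_code"]:
            return 400, {"error": "unsupported_grant_type"}
        code = form.get("code", [None])[0]
        if code not in self.valid_codes:
            return 400, {"error": "invalid_grant"}
        self.valid_codes.discard(code)  # authorization codes are single-use
        return 200, {"access_token": "constructed-access-token",
                     "token_type": "Bearer",
                     "id_token": "constructed-id-token"}


def exchange(idp, method, code):
    """Perform the code-for-token exchange using the given client-auth method."""
    headers, body = build_token_request(method, code)
    return idp.handle(headers, body)


if __name__ == "__main__":
    for accepted in ("client_secret_basic", "client_secret_post"):
        for used in ("client_secret_basic", "client_secret_post"):
            idp = MockTokenEndpoint(accepted, ["code-123"])
            status, payload = exchange(idp, used, "code-123")
            print(f"IdP accepts {accepted:20s} RP uses {used:20s} -> {status} {payload}")
```

Running it prints the four combinations; only the two diagonal cases (IdP setting and relying-party method agree) return 200, the other two return 401 invalid_client. When debugging a real 561, the equivalent check is to compare the token-endpoint authentication method configured on the IdP application with the one the relying party actually sends, since the browser only ever sees the load balancer's generic error page and not the IdP's JSON error body.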
