OIDC SSO failing for service UI

I’ve configured external authentication using OpenID Connect according to the user reference guide. While I can log in and use the administrative UI without any problems, the service UI login fails with the following message:

Login failed, invalid access token. (Failed to Authenticate with JWT - error Authentication failed)

I then set :debug: to true in the advanced settings to increase log verbosity and noticed that the “X-REMOTE-USER-GROUPS” request header is empty when attempting to login to the service UI. This then leads to another error:

[…] unable to match user’s group membership to an EVM role

Does anyone have an idea how to fix this? Also let me know if I can provide additional log output or configs for troubleshooting.
Appliance Version: kasparov-1.20210203001902_15acbea
OIDC Provider: Keycloak 3.4.1.Final

Here is the section of the logs containing the error:
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Api::AuthController.log_request) API Request:    {:requested_at=>"2021-03-31 09:10:11 UTC", :method=>"GET", :url=>"https://selfservice.mydomain/api/auth?requester_type=ui"}
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug) authenticate(username=cjlvu, options={:require_user=>true, :timeout=>30})
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- Success: MIQ(Base.audit_success) userid: [cjlvu] - User cjlvu successfully validated by External httpd
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: <AuditSuccess> MIQ(Base.audit_success) userid: [cjlvu] - User cjlvu successfully validated by External httpd
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug) authorize_queue(username=cjlvu, options={:require_user=>true, :timeout=>30, :authorize_only=>false})
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug) user_details_from_headers(username=cjlvu)
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug) External-Auth remote user request.headers:
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER            = "cjlvu"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-FIRSTNAME  = "Cyrill"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-LASTNAME   = "lastname"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-FULLNAME   = "Cyrill lastname"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-FIRSTNAME  = "Cyrill"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-LASTNAME   = "lastname"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-FULLNAME   = "Cyrill lastname"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-EMAIL      = "cyrill.lastname@mydomain"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-DOMAIN     = ""
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-GROUPS     = ""
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug) authorize_queue user details:
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   username     = cjlvu
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   fullname     = Cyrill lastname
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   firstname    = Cyrill
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   lastname     = lastname
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   email        = cyrill.vonuslar@mydomain
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   domain       =
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   groups       =
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(MiqTask#update_status) Task: [182] [Active] [Ok] [Authorizing]
Mar 31 05:10:11 selfservice manageiq[2546]: WARN -- manageiq: MIQ(Authenticator::Httpd#authorize) Authentication failed for userid cjlvu, unable to match user's group membership to an EVM role
Mar 31 05:10:11 selfservice manageiq[2546]: WARN -- Failure: MIQ(Base.audit_failure) userid: [cjlvu] - Authentication failed for userid cjlvu, unable to match user's group membership to an EVM role
Mar 31 05:10:11 selfservice manageiq[2546]: WARN -- manageiq: <AuditFailure> MIQ(Base.audit_failure) userid: [cjlvu] - Authentication failed for userid cjlvu, unable to match user's group membership to an EVM role
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(MiqQueue.put) Message id: [30086],  id: [], Zone: [default], Role: [], Server: [], MiqTask id: [], Ident: [generic], Target id: [], Instance id: [], Task id: [], Command: [MiqEvent.raise_evm_event], Timeout: [600], Priority: [100], State: [ready], Deliver On: [], Data: [], Args: [["MiqServer", 1], "login_failed", {:event=>"authorize", :userid=>"cjlvu", :message=>"Authentication failed for userid cjlvu, unable to match user's group membership to an EVM role"}]
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- Success: MIQ(Base.audit_success) userid: [cjlvu] - Authentication successful for user cjlvu
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: <AuditSuccess> MIQ(Base.audit_success) userid: [cjlvu] - Authentication successful for user cjlvu
Mar 31 05:10:11 selfservice manageiq[2546]: ERROR -- manageiq: MIQ(Api::AuthController.rescue in require_api_user_or_token) AuthenticationError: Failed to Authenticate with JWT - error Authentication failed
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Api::AuthController.log_request) Response:       {:completed_at=>"2021-03-31 09:10:11 UTC", :size=>"0.174 KBytes", :time_taken=>"0.108 Seconds", :status=>401}
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: Filter chain halted as :require_api_user_or_token rendered or redirected
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: Completed 401 Unauthorized in 109ms (Views: 0.1ms | ActiveRecord: 62.6ms)

I’m still looking for a solution to this issue and would appreciate any pointers. Thx!
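A small diagnostic for the debug output above (an added example, not ManageIQ's own code): it parses the X-REMOTE-USER-* header dump that Authenticator::Httpd writes when :debug: is on and reports which headers arrived empty from the reverse proxy, together with any "unable to match ... EVM role" failures, so the gap between a successful httpd validation and the failed role lookup is visible in one place. The sample log is constructed from the lines in this post.

```python
import re

# Constructed sample, shaped like the debug log quoted in the post above.
SAMPLE_LOG = """\
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug) External-Auth remote user request.headers:
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER            = "cjlvu"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-EMAIL      = "cyrill.lastname@mydomain"
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-DOMAIN     = ""
Mar 31 05:10:11 selfservice manageiq[2546]: INFO -- manageiq: MIQ(Authenticator::Httpd#log_auth_debug)   X-REMOTE-USER-GROUPS     = ""
Mar 31 05:10:11 selfservice manageiq[2546]: WARN -- manageiq: MIQ(Authenticator::Httpd#authorize) Authentication failed for userid cjlvu, unable to match user's group membership to an EVM role
"""

# One dumped header per line: `log_auth_debug)   X-REMOTE-USER-GROUPS     = ""`
HEADER_RE = re.compile(r'log_auth_debug\)\s+(X-REMOTE-USER[A-Z-]*)\s+=\s+"([^"]*)"')
# The authorize() warning that follows when no group could be mapped to a role.
FAIL_RE = re.compile(
    r"Authentication failed for userid (\S+), "
    r"(unable to match user's group membership to an EVM role)"
)


def parse_remote_user_headers(log_text):
    """Return {header: value} for the X-REMOTE-USER-* headers in the dump."""
    headers = {}
    for line in log_text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            headers[m.group(1)] = m.group(2)
    return headers


def diagnose(log_text, required=("X-REMOTE-USER", "X-REMOTE-USER-GROUPS")):
    """Report empty/absent required headers and any EVM-role match failures."""
    headers = parse_remote_user_headers(log_text)
    missing = [h for h in required if not headers.get(h)]
    failures = [
        (m.group(1), m.group(2))
        for m in (FAIL_RE.search(line) for line in log_text.splitlines())
        if m
    ]
    return {"headers": headers, "missing": missing, "failures": failures}


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    print("empty required headers:", report["missing"])
    for userid, reason in report["failures"]:
        print(f"{userid}: {reason}")
```

When X-REMOTE-USER-GROUPS is reported empty while X-REMOTE-USER is populated, the identity provider authenticated the user but no group value reached the appliance, which is exactly the state the log above shows before the role lookup fails.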