The following information may help to troubleshoot common issues related to user authorization with role-based access for MATLAB Web App Server.
If you are unable to start the server after enabling role-based access:
This is typically due to a syntax error in the JSON files. For example:
- Missing commas.
- Missing end quotes or mismatched brackets.
- User attribute in webapps_app_roles.json does not match userAttributeName in webapps_authn.json.
Refer to the logs listed in the failed start command for more details.
If you are immediately redirected to the post-logout screen ("You have logged out. To access MATLAB web apps, log back in.") after logging in:
This indicates that role mapping has failed. That is, the user was able to successfully authenticate, but when the server attempted to match the user's attributes to one of the roles in webapps_app_roles.json, no match was found.
To troubleshoot this:
- Set the logging level to "verbose" and restart the Web App Server for changes to take effect. Attempt to log in again to reproduce the issue.
- Locate the latest webapps_<timestamp>.log file captured when reproducing this issue.
- Search for the term "Role" to locate the failed mapping. The line should be:
  Role mapping failed. Redirecting to logout page: /webapps/home/logout.html?afterlogout=/webapps/home/
- Check the lines immediately before this error. You may see errors regarding the attribute used to map users to roles:
  - If you see "users attribute <attribute> value cannot be empty", the server was unable to obtain a value for that attribute. Try the following:
    - Ensure that the attribute exists for all users.
    - Check that the Web App Server application is authorized to request this information. This is configured on the IdP side, typically when registering the Web App Server application with the IdP. For an example of how to add additional claims, see the "Configuring Token Claims" section here: https://www.mathworks.com/matlabcentral/answers/784521-how-do-i-setup-matlab-web-app-server-authentication-and-authorization-with-azure-ad
    - If you are unable to authorize additional claims, consider using another attribute that has already been authorized. You may use an external tool to decode the token to observe available attributes.
  - If you see "users attribute <attribute> value cannot be an array", ensure that the attribute you are using for user authorization returns a single value, or use a different attribute.
  - If no additional errors about the role mapping appear, this typically indicates that the attribute value was obtained successfully but did not match any role.
    - Confirm with your IdP that the attribute value for the user that is logging in matches what is in the webapps_app_roles.json file.
    - For some attributes, you may test the value being returned by doing the following:
      - Disable role-based access by renaming the webapps_app_roles.json file.
      - In the webapps_authn.json file, set the displayName to be the attribute you are using for user authorization.
      - Restart the Web App Server.
      - Log in as the user you are attempting to authorize.
      - Observe the name displayed in the upper-right corner to determine the correct value for that attribute for this user.
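For the step above that suggests decoding the token to observe available attributes, this added example (not MathWorks code) decodes a token's claims locally and classifies an attribute against the two log messages. It assumes the IdP issues a JWT; the sample token and claim names are constructed, and the empty/array checks approximate server behavior that this page does not specify.

```python
import base64
import json


def decode_claims(token):
    """Return the claims (payload) of a JWT without verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_attribute(claims, attribute):
    """Classify a claim in the terms of the two log errors (assumed semantics)."""
    value = claims.get(attribute)
    if value is None or value == "" or value == []:
        return "empty"   # "users attribute <attribute> value cannot be empty"
    if isinstance(value, list):
        return "array"   # "users attribute <attribute> value cannot be an array"
    return "ok"          # single value: compare it with webapps_app_roles.json


def usable_attributes(claims):
    """String claims with a single non-empty value: candidates for role mapping."""
    return sorted(k for k, v in claims.items()
                  if isinstance(v, str) and check_attribute(claims, k) == "ok")


def _b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token: claim names and values are illustrative only,
# and the signature segment is a placeholder.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "a1b2c3", "upn": "jdoe@example.com",
             "groups": ["webapp-authors", "webapp-users"], "department": ""}),
    "constructed-signature",
])

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    for name in ("upn", "groups", "department", "employeeId"):
        print(f"{name}: {check_attribute(claims, name)}")
    print("candidates:", usable_attributes(claims))
```

Decoding locally keeps a live token out of third-party web decoders. The signature is not verified, so treat the output as inspection data only.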