Federating Grafana with apache2 + mod_auth_mellon

Hi there,

Trying to implement SSO ( Single SIgn On ) with Okta as IdP I followed the next steps:

  1. Install apache2 + mod_auth_mellon
  2. Install grafana on the same host
  3. Enable required apache2 modules like headers, authzn_core & authz_user and so on…
  4. Generate metadata & configure mod_auth_mellon
  5. Configure Grafana.

My Apache cfg:

<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
<Location />
    MellonEnable "info"
    MellonSPPrivateKeyFile /etc/apache2/mellon/urn_grafana.key
    MellonSPCertFile /etc/apache2/mellon/urn_grafana.cert
    MellonSPMetadataFile /etc/apache2/mellon/urn_grafana.xml
    MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
    MellonEndpointPath /grafana
</Location>
	MellonPostDirectory "/var/cache/mod_auth_mellon_postdata"
	ProxyPass /grafana http://127.0.0.1:3000
	ProxyPassReverse /grafana http://127.0.0.1:3000
<Location /grafana>
    MellonEnable "auth"
    MellonPostReplay On
    MellonSamlResponseDump On
    MellonUser "NAME_ID"
    ProxyPassInterpolateEnv On
	RequestHeader set X-WEBAUTH-USER "%{MELLON_username}e"
</Location>
</VirtualHost>

My grafana cfg:

[paths]
logs = /var/log/grafana
[server]
[database]
[session]
[analytics]
[security]
[users]
[auth.anonymous]
[auth.github]
[auth.google]
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = email
auto_sign_up = true
[auth.basic]
[auth.ldap]
[smtp]
[emails]
[log]
[log.console]
[log.file]
[event_publisher]
[dashboards.json]

I’ve been following the official documentation (github/UNINETT/mod_auth_mellon/wiki/GenericSetup) but looks like I’m doing something wrong.

The point is: It works partially, I mean:

When I try to access to http://X.X.X.X/grafana I’m redirected to Okta’s page to authenticate, then I’m redirected again to grafana http://X.X.X.X:3000/login but I recieve this:

[{"fieldNames":["User"],"classification":"RequiredError","message":"Required"},{"fieldNames":["Password"],"classification":"RequiredError","message":"Required"}]

Some tip? It looks like Grafana doesn’t recieve any parameter as username or passwd.
Trying to debug what parameters I recieve from Okta I didn’t figure out how to use the PHP code to print the headers.
I tried to use firefox SAMl tracer to debug this but no success…
Also looks like I’m not recieving any additional headers from Okta so I’m a little bit stuck here…

Thank you in advance.

Paul

@pauljane I’m working on a similar approach, so having the same issue. Have you figured it out yet?

[SOLVED]: Hi there, I finally get it working over HTTP.
Now I have a different problem when trying to switch to HTTPS i get a “400 Bad request” error.

I tried to debug with browser SAML debuggers but no luck.

Context:

I build an authproxy stack with mod_auth_mellon in AWS with the following configuration:

grafana-sso.example.com is a Route53 FQDN pointing to a LB. This LB points to a TG which contains an EC2 Instance with Apache24 + mod_auth_mellon and some other modules lihe headers, proxy and so on…
This EC2 instance does reverse proxy to Grafana.

My config:

CAN NOT POST MORE THAN 2 LINKS SO I CAN NOT SHARE THE CFG FILES
Contact me for a howto guide if you want. I’ll be glad to help. :slight_smile:

If I put http:// everything works fine except some warning message that says that data is going to be sent over HTTP and that’s insecure. So I change http to https and get this:

Mixed Content: The page at ‘EICHTTPS://grafana-sso.stg.example.cloud/mellon/postResponse’ was loaded over HTTPS, but requested an insecure favicon ‘http://grafana-sso.stg.example.cloud/mellon/login?ReturnTo=EICHTTPS%3A%2F%2Fgrafana-sso.stg.example.cloud%2Ffavicon.ico&IdP=EICHTTP%3A%2F%2Fwww.okta.com%2Fexxxxxxxxxxxxxxx7’. This content should also be served over HTTPS.

So at some point something is requesting an HTTP request but I’ve been debugging this for two days without success. Any ideas??

Hi,
Am trying to do the same what would be values for following in Okta:
Single Sign On URL
ResponseRecipient URL
Destination URL:
Audience Restriction:
Default Relay State:

After configuration I get following error, any idea about it
The requested URL /mellon/post was not found on this server.