Hi there,
Trying to implement SSO (Single Sign On) with Okta as IdP, I followed these steps:
- Install apache2 + mod_auth_mellon
- Install grafana on the same host
- Enable the required apache2 modules like headers, authz_core & authz_user and so on…
- Generate metadata & configure mod_auth_mellon
- Configure Grafana.
My Apache cfg:
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Mellon SP settings, inherited by every location below
    <Location />
        MellonEnable "info"
        MellonSPPrivateKeyFile /etc/apache2/mellon/urn_grafana.key
        MellonSPCertFile /etc/apache2/mellon/urn_grafana.cert
        MellonSPMetadataFile /etc/apache2/mellon/urn_grafana.xml
        MellonIdPMetadataFile /etc/apache2/mellon/idp-metadata.xml
        MellonEndpointPath /grafana
    </Location>
    MellonPostDirectory "/var/cache/mod_auth_mellon_postdata"

    # Forward /grafana to the Grafana instance running on this host
    ProxyPass /grafana http://127.0.0.1:3000
    ProxyPassReverse /grafana http://127.0.0.1:3000
    <Location /grafana>
        MellonEnable "auth"
        MellonPostReplay On
        MellonSamlResponseDump On
        MellonUser "NAME_ID"
        ProxyPassInterpolateEnv On
        # Header that Grafana's [auth.proxy] section reads
        RequestHeader set X-WEBAUTH-USER "%{MELLON_username}e"
    </Location>
</VirtualHost>
My grafana cfg:
[paths]
logs = /var/log/grafana
[server]
[database]
[session]
[analytics]
[security]
[users]
[auth.anonymous]
[auth.github]
[auth.google]
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = email
auto_sign_up = true
[auth.basic]
[auth.ldap]
[smtp]
[emails]
[log]
[log.console]
[log.file]
[event_publisher]
[dashboards.json]
I’ve been following the official documentation (github/UNINETT/mod_auth_mellon/wiki/GenericSetup) but it looks like I’m doing something wrong.
The point is: it works partially, I mean:
When I try to access http://X.X.X.X/grafana I’m redirected to Okta’s page to authenticate, then I’m redirected again to Grafana at http://X.X.X.X:3000/login but I receive this:
[{"fieldNames":["User"],"classification":"RequiredError","message":"Required"},{"fieldNames":["Password"],"classification":"RequiredError","message":"Required"}]
Any tips? It looks like Grafana doesn’t receive any parameter as username or password.
Trying to debug what parameters I receive from Okta, I didn’t figure out how to use the PHP code to print the headers.
I tried to use the Firefox SAML tracer to debug this but with no success…
Also it looks like I’m not receiving any additional headers from Okta, so I’m a little bit stuck here…
Thank you in advance.
Paul
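One way to see exactly which headers Apache hands to the upstream, as an added example that is not part of the original post and not code from Grafana or mod_auth_mellon: stop Grafana, run this stand-in on 127.0.0.1:3000 (the ProxyPass target in the Apache config above), browse to /grafana through Apache and read the JSON it returns. It assumes Python 3 and the header name X-WEBAUTH-USER from the [auth.proxy] section above; the sample headers in the test are constructed.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
import json

# header_name from the [auth.proxy] section of the Grafana config above
AUTH_HEADER = "X-WEBAUTH-USER"
# mod_headers substitutes this literal when the %{...}e variable is unset,
# so a header carrying it means the Mellon variable was never exported
UNSET_MARKER = "(null)"


def inspect_headers(headers):
    """Summarise one proxied request: every header it carried, the value of the
    auth-proxy header, and whether that value is something Grafana could use.
    `headers` is any mapping (or http.server message object) with .items()."""
    received = {name: value for name, value in headers.items()}
    lower = {name.lower(): value for name, value in received.items()}
    user = lower.get(AUTH_HEADER.lower(), "").strip()
    return {
        "headers": received,
        "auth_user": user,
        "auth_user_present": user != "" and user != UNSET_MARKER,
    }


class EchoHandler(BaseHTTPRequestHandler):
    """Stand-in for Grafana: answers every request with the inspection report."""

    def _reply(self):
        report = inspect_headers(self.headers)
        body = json.dumps(report, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        self.log_message("auth user present: %s (%r)",
                         report["auth_user_present"], report["auth_user"])

    do_GET = _reply
    do_POST = _reply


if __name__ == "__main__":
    # Same address and port as the ProxyPass target in the Apache config above
    HTTPServer(("127.0.0.1", 3000), EchoHandler).serve_forever()
```

If auth_user_present comes back false after the Okta round trip, the gap is between mod_auth_mellon and the RequestHeader directive in Apache, not in Grafana.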