Grafana SAML ( keycloak ) using Apache mellon

prabhinmp · August 12, 2020, 7:33am

Hi Team,
Im using keycloak as my IDP , need to configure SSO (saml ) for grafana using apache mellon with grafana auth proxy.
After success login with IDP , I’m not kicked in grafana application. Not sure why this is happening.
Below is the configuration

Apache vhost.

<VirtualHost *:443>
ServerName grafana.xxxx.com     
    SSLEngine On
     SSLCertificateFile /etc/httpd/conf.d/ssl/xxxx.cer
     SSLCertificateKeyFile /etc/httpd/conf.d/ssl/xxxxx.key
SSLCACertificateFile /etc/httpd/conf.d/ssl/RootWcdGlobalsign.cer
SSLCertificateChainFile /etc/httpd/conf.d/ssl/IntermediateWcdGlobalsign.cer


<Location / >

    MellonEnable info
    MellonEndpointPath /mellon/
    MellonSPMetadataFile /etc/httpd/saml2/mellon_metadata.xml
    MellonSPPrivateKeyFile /etc/httpd/saml2/mellon.key
    MellonSPCertFile /etc/httpd/saml2/mellon.crt
    MellonIdPMetadataFile /etc/httpd/saml2/idp_metadata.xml

    MellonEnable "auth"
    MellonPostReplay On
    MellonSamlResponseDump On
    MellonUser "NAME_ID"
    ProxyPassInterpolateEnv On

RequestHeader set X-WEBAUTH-USER %{MELLON_user}e env=MELLON_user
RequestHeader set X-WEBAUTH-USER %{MELLON_email}e env=MELLON_email
RequestHeader set X-WEBAUTH-USER %{MELLON_username}e env=MELLON_username

**</Location>**

               ProxyPass "/"  "http://grafana.staged-by-discourse.com/"
        ProxyPassReverse "/"  "http://grafana.staged-by-discourse.com/"
   ErrorLog /var/log/httpd/grafana-sso.stg.example.cloud-error.log
        CustomLog /var/log/httpd/grafana-sso.stg.example.cloud-access.log combined
        LogLevel debug
**</VirtualHost>**

grafana.conf

[paths]

[server]

domain = grafana.xxxx.com

[database]
type = mysql
host = xxxxxxx:3306
name = grafana
user = grafana
password = xxxxxxxxxxx

[remote_cache]

[dataproxy]

[analytics]

[security]

[snapshots]

[dashboards]

[users]

[auth]

[auth.anonymous]

[auth.github]

[auth.gitlab]

[auth.google]

[auth.grafana_com]

[auth.azuread]

[auth.okta]

[auth.generic_oauth]

[auth.basic]

[auth.proxy]
auto_signup = true
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
[auth.ldap]

[smtp]

[emails]

[log]

[log.console]

[log.file]

[log.syslog]

[quota]

[alerting]

[explore]

[metrics]

[metrics.graphite]

[grafana_com]

[tracing.jaeger]

[external_image_storage]

[external_image_storage.s3]

[external_image_storage.webdav]

[external_image_storage.gcs]

[external_image_storage.azure_blob]

[external_image_storage.local]

[rendering]

[panels]

[plugins]

[plugin.grafana-image-renderer]

[enterprise]

[feature_toggles]

Please help me to solve the issue.