Hello all,

I'm currently trying to use Graylog 2.1 with Shibboleth and SSO via our 
ADFS, but I have issues and cannot find enough information to make it work. 
So, let's try here :)

I've correctly installed the sso-plugin 
(https://github.com/Graylog2/graylog-plugin-auth-sso).
Also, I've installed Shibboleth and configured ADFS correctly with 
Metadata.xml and so on.

Our AD expert confirms that the exchange made between Shibboleth and ADFS 
is correct and works fine.

I've changed the Graylog authentication order and set SSO first.

When I try to log in, I get a window asking for credentials (so it goes 
to ADFS correctly), but then, even after being validated by ADFS, I always 
end up at the normal Graylog credentials window …

ADFS will provide the following claims to Shibboleth (attribute-map.xml):
<Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
           nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
           id="Remote-Upn" />
<Attribute name="http://schemas.xmlsoap.org/claims/commonname"
           nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
           id="Remote-Name" />

As you can see, I set the id to Remote-Upn and Remote-Name.

I've also correctly configured Graylog (in the web interface) to make sure 
it uses Remote-Upn and Remote-Name 
(http://docs.graylog.org/en/2.1/_images/sso_1.png)

Please note that I'm using Graylog with HTTPS and use Apache as a 
reverse proxy:
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      "/etc/graylog/ssl/graylog.onprvp.fgov.be.cer"
    SSLCertificateKeyFile   "/etc/graylog/ssl/graylog.onprvp.fgov.be.key"

    ServerName graylog.onprvp.fgov.be
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    <Location />
        # Shibboleth must have established a session before anything is proxied
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibExportAssertion Off
        Require valid-user

        # Tell Graylog where its API is reachable from the browser
        RequestHeader set X-Graylog-Server-URL "https://graylog.onprvp.fgov.be/api/"

        # mod_shib exports attributes as per-request environment variables
        # (ShibUseHeaders Off is the default), named after the "id" in
        # attribute-map.xml. mod_headers reads those with %{VAR}e; %{VAR}s is
        # the mod_ssl variable lookup. "set" (not "add") also overwrites any
        # X-Remote-User a client tried to send itself.
        RequestHeader set X-Remote-User %{Remote-Upn}e

        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>
    CustomLog /var/log/httpd/proxy/graylog2/access_log combined
</VirtualHost>


If somebody could provide some help, it would be really nice :)

Thanks in advance.

Regards,

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/67a102ee-3947-4ba3-94f5-2b3da0a94bfb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
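A debugging aid for the setup described in the post above, added here as an example (it is not part of the original post, nor Graylog, Shibboleth or Apache code): a tiny stand-in for the Graylog backend that answers every proxied request with a JSON dump of the headers Apache actually forwarded, plus a check that the two headers the posted VirtualHost sets (X-Remote-User and X-Graylog-Server-URL) arrived with usable values. It assumes the proxy targets 127.0.0.1:9000 as in the posted ProxyPass; the two sample header sets at the bottom are constructed, not captured.

```python
"""Header-dump stand-in for Graylog: run it on the ProxyPass port, then fetch
https://<host>/ through Apache and read what Shibboleth + mod_headers sent.
Added example; assumes 127.0.0.1:9000 as the proxy target."""
import json
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header names taken from the posted VirtualHost.
USER_HEADER = "X-Remote-User"
SERVER_URL_HEADER = "X-Graylog-Server-URL"


def check_sso_headers(headers):
    """Return a list of problems with the forwarded headers; [] means the
    SSO plugin has what it needs. Accepts any mapping with .items(), so it
    works on a plain dict and on http.server's self.headers alike."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    problems = []

    user = lowered.get(USER_HEADER.lower(), "")
    if not user:
        problems.append(
            f"{USER_HEADER} missing or empty: the Shibboleth attribute was not "
            "exported, or the mod_headers lookup did not resolve it"
        )
    elif user.startswith("%{"):
        # The mod_headers format string reached us literally, not its value.
        problems.append(f"{USER_HEADER} is an unexpanded format string: {user!r}")

    url = lowered.get(SERVER_URL_HEADER.lower(), "")
    if not url.startswith("https://"):
        problems.append(f"{SERVER_URL_HEADER} is not an https URL: {url!r}")
    return problems


class HeaderDump(BaseHTTPRequestHandler):
    """Answers every request with the received headers and the problems found,
    so `curl -k https://<host>/` through the proxy shows what Apache handed on."""

    def do_GET(self):
        report = {
            "path": self.path,
            "headers": dict(self.headers.items()),
            "problems": check_sso_headers(self.headers),
        }
        body = json.dumps(report, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_POST = do_GET

    def log_message(self, fmt, *args):
        sys.stderr.write("%s %s\n" % (self.client_address[0], fmt % args))


# Constructed sample header sets standing in for two proxied requests.
GOOD_REQUEST = {
    "X-Graylog-Server-URL": "https://graylog.example.org/api/",
    "X-Remote-User": "[email protected]",
}
BROKEN_REQUEST = {  # attribute never exported: header arrives empty
    "X-Graylog-Server-URL": "https://graylog.example.org/api/",
    "X-Remote-User": "",
}


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 9000
    print("listening on 127.0.0.1:%d" % port, file=sys.stderr)
    HTTPServer(("127.0.0.1", port), HeaderDump).serve_forever()
```

Stop Graylog (or point a second Location at another port) while this listens on 9000, browse to the site through Apache and complete the ADFS login; the JSON shows whether X-Remote-User carries the UPN, is empty (attribute not released or not exported to the environment), or arrived as an unexpanded format string. Keeping the stand-in bound to 127.0.0.1 matters for the same reason it matters for Graylog itself: the only path to port 9000 must be the proxy that sets the header, since the SSO plugin trusts whatever X-Remote-User it receives.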
