Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password, or a Kerberos ticket) to access multiple Insights applications, here Insights and Grafana. The service authenticates the end user for all the applications the user has rights to and eliminates further prompts when the user switches applications during the same session. On the back end, SSO is helpful for logging user activities as well as monitoring user accounts.
Prerequisites
The server should implement the https protocol with Apache Httpd.
The SSO integration is implemented using the SAML protocol; a Kerberos variant is described alongside it below.
The client should have the relevant SSO IDP details and configure SSO in the SSO provider portal.
The SSO provider's jks file may also be needed so that it can be imported into the Insights keystore (see step 7 below).
For Kerberos, the user's system must be in the Kerberos network; the user can check this by running the “kinit” command from a command prompt / terminal.
Suppose the user has two machines: the Insights application server on which the Insights application will be configured, and the client machine which uses this Insights application through a browser.
On the Insights server, make sure that the SPN (Service Principal Name) and the keytab (ktab) file are properly configured.
Command to set the SPN: setspn -A HTTP/beta.kerberos.com beta
Command to extract the keytab file: ktpass -out c:\temp\insights_rc4.keytab -princ HTTP/beta.kerberos.com@KERBEROS.COM -mapUser beta -mapOp set -pass pass@123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL
The Chrome browser must be configured on the client machine; if you do not know how to configure Chrome for Kerberos, see the section “Configure Browser” below.
Enable SSO
In server-config.json, set "autheticationProtocol" to "SAML" or "Kerberos", depending on the protocol in use. For Kerberos, also set the following three properties in the singleSignOnConfig section (for SAML, the provider details are added in step 6 below):
"relayStateUrl" : "http://<Host:port>/app/#/ssologin"
"servicePrincipalKerberos":"SPN name of server"
"keyTabLocationKerberos":"D:\Project\Insights\InSights_Windows\Server2\INSIGHTS_HOME\.InSights\insights_rc4.keytab"
Add the application host name to insightsServiceURL in server-config.json.
Add the host information to trustedHosts in server-config.json.
In uiConfig.json, set "autheticationProtocol" to the same value ("SAML" or "Kerberos") and change the singleSignOnConfig section to:
"singleSignOnConfig": {
"loginURL": "/PlatformService/user/samlinsightsso/loginkerberosLogin",
"logoutURL": "/PlatformService/saml/logout"
},
Open the Grafana default.ini file and enable the following [auth.proxy] section; do not change the other properties:
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
ldap_sync_ttl = 60
whitelist =
headers =
In the Apache Httpd vhost file (Apache24\conf\extra\httpd-vhosts.conf) add the following, which copies the username cookie into the X-WEBAUTH-USER header that Grafana's [auth.proxy] section reads:
SetEnvIf Cookie "(^|;\ *)username=([^;\ ]+)" MyCookieValue=$2
<If "%{env:MyCookieValue} != ''">
RequestHeader set X-WEBAUTH-USER "%{MyCookieValue}e"
</If>
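The vhost snippet above sets X-WEBAUTH-USER only when the username cookie matches; a request that carries no such cookie but brings its own X-WEBAUTH-USER header is otherwise forwarded to Grafana unchanged, and Grafana trusts that header from any peer while whitelist is left empty in default.ini. The following Python model is added here and is not part of the original page or the Insights project: it replays constructed requests through the proxy rule as printed and through a hardened variant. The unconditional `RequestHeader unset X-WEBAUTH-USER` placed before the <If> block, the proxy address 10.0.0.1 and the whitelist value are assumptions for the example, not settings taken from the page.

```python
import ipaddress
import re

# Same pattern as the SetEnvIf directive above: "(^|;\ *)username=([^;\ ]+)"
COOKIE_RE = re.compile(r"(^|; *)username=([^; ]+)")

PROXY_ADDR = "10.0.0.1"  # constructed: address Apache uses when it talks to Grafana

# Constructed sample requests as seen by Apache (not taken from the page).
REQ_NORMAL = {"peer": "10.0.0.5", "headers": {"Cookie": "theme=dark; username=alice; lang=en"}}
# No username cookie, but a client-supplied X-WEBAUTH-USER header.
REQ_FORGED = {"peer": "10.0.0.6", "headers": {"X-WEBAUTH-USER": "admin"}}
# Empty cookie value: the pattern needs at least one character after "username=".
REQ_EMPTY = {"peer": "10.0.0.7", "headers": {"Cookie": "username=; other=1"}}


def extract_username(cookie_header):
    """Value the SetEnvIf rule stores in MyCookieValue, or None when it does not match."""
    if not cookie_header:
        return None
    m = COOKIE_RE.search(cookie_header)
    return m.group(2) if m else None


def proxy_as_written(request):
    """Model of the vhost snippet as printed: X-WEBAUTH-USER is set only when the
    cookie matches; every other request header is forwarded unchanged."""
    forwarded = dict(request["headers"])
    user = extract_username(forwarded.get("Cookie"))
    if user:
        forwarded["X-WEBAUTH-USER"] = user
    return forwarded


def proxy_hardened(request):
    """Same, plus an unconditional `RequestHeader unset X-WEBAUTH-USER` placed before
    the <If> block (an assumed addition, not on the page), so the client-supplied
    header is always dropped before the cookie-derived one is set."""
    forwarded = dict(request["headers"])
    forwarded.pop("X-WEBAUTH-USER", None)
    user = extract_username(forwarded.get("Cookie"))
    if user:
        forwarded["X-WEBAUTH-USER"] = user
    return forwarded


def grafana_auth_proxy(headers, peer, whitelist):
    """Model of Grafana [auth.proxy] with header_name = X-WEBAUTH-USER: the header is
    trusted only when `peer` is in `whitelist` (comma-separated IPs or CIDRs); an
    empty whitelist, as in the default.ini above, trusts every peer."""
    nets = [ipaddress.ip_network(w.strip(), strict=False)
            for w in whitelist.split(",") if w.strip()]
    if nets and not any(ipaddress.ip_address(peer) in n for n in nets):
        return None
    return headers.get("X-WEBAUTH-USER")


def login_via_proxy(request, proxy_fn, whitelist=""):
    """Client -> Apache -> Grafana: Grafana sees the proxy as its peer."""
    return grafana_auth_proxy(proxy_fn(request), PROXY_ADDR, whitelist)


def login_direct(request, whitelist=""):
    """Client reaches Grafana without passing through Apache."""
    return grafana_auth_proxy(request["headers"], request["peer"], whitelist)


if __name__ == "__main__":
    print("normal via proxy        :", login_via_proxy(REQ_NORMAL, proxy_as_written))
    print("forged via as-written   :", login_via_proxy(REQ_FORGED, proxy_as_written))
    print("forged via hardened     :", login_via_proxy(REQ_FORGED, proxy_hardened))
    print("forged, direct, no list :", login_direct(REQ_FORGED))
    print("forged, direct, listed  :", login_direct(REQ_FORGED, PROXY_ADDR))
```

The two mitigations are independent: the unset handles requests that do pass through Apache, while a whitelist restricted to the proxy address handles a Grafana port that is reachable without Apache in front of it.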
5. Restart the Apache httpd server and Grafana.
6. Add your SAML or SSO provider details in server-config.json under the “singleSignOnConfig” section:
Key                 Description
entityId            Identifier (Entity ID) for your SAML configuration
appId               Copy the app id from the App Federation Metadata Url
metadataUrl         App Federation Metadata Url
metdataFilePath     Download the SAML Signing Certificate from the SSO provider site and store it in INSIGHTS_HOME
keyStoreFilePath    Path of the certificate, e.g. saml-keystore.jks; download this certificate from your SSO provider URL
keyAlias            saml-keystore.jks username
keyPass             saml-keystore.jks password
keyStorePass        saml-keystore.jks password
appBaseUrl          Application service host URL, e.g. https://<HostOrDomainName>/PlatformService
relayStateUrl       SSO login UI page URL, e.g. https://<HostOrDomainName>/app/#/ssologin
defaultTargetUrl    Application user authentication URL, e.g. https://<HostOrDomainName>/user/authenticate
postLogoutURL       SAML or SSO provider logout URL, e.g. https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
tokenSigningKey     Secret key used to sign the JWT token; it should be 128 characters. Example value: "insights_IDP_CogDevops_SSO_Token_string"
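A quick pre-flight check for the section above saves a round of failed logins: placeholders such as <HostOrDomainName> left in a URL, a metadata URL served over plain http, or a tokenSigningKey shorter than the 128 characters the table calls for (the table's own example value is shorter) are all easy to miss in a hand-edited JSON file. The following Python validator is an added example, not code from the original page or the Insights project; the key names come from the table (including its spelling "metdataFilePath"), while the sample values and the rule that the JWT signing key must differ from the keystore password are the example's own assumptions.

```python
import json
from urllib.parse import urlparse

# Keys listed in the singleSignOnConfig table above (spelling as on the page).
REQUIRED_KEYS = (
    "entityId", "appId", "metadataUrl", "metdataFilePath", "keyStoreFilePath",
    "keyAlias", "keyPass", "keyStorePass", "appBaseUrl", "relayStateUrl",
    "defaultTargetUrl", "postLogoutURL", "tokenSigningKey",
)
URL_KEYS = ("metadataUrl", "appBaseUrl", "relayStateUrl", "defaultTargetUrl", "postLogoutURL")
MIN_SIGNING_KEY_CHARS = 128  # the table states the key should be 128 characters


def check_sso_config(cfg):
    """Return a list of findings for a singleSignOnConfig dict; an empty list means it passed."""
    findings = []
    for key in REQUIRED_KEYS:
        if not str(cfg.get(key, "")).strip():
            findings.append(f"{key}: missing or empty")
    for key in URL_KEYS:
        value = cfg.get(key)
        if not value:
            continue
        u = urlparse(value)
        if u.scheme != "https" or not u.netloc:
            findings.append(f"{key}: must be an absolute https URL, got {value!r}")
        if "<" in value or ">" in value:
            findings.append(f"{key}: still contains a placeholder such as <HostOrDomainName>")
    signing_key = cfg.get("tokenSigningKey", "")
    if len(signing_key) < MIN_SIGNING_KEY_CHARS:
        findings.append(f"tokenSigningKey: {len(signing_key)} characters, need at least {MIN_SIGNING_KEY_CHARS}")
    # Assumed rule for this example: the JWT secret must not double as the keystore password.
    if signing_key and signing_key == cfg.get("keyStorePass"):
        findings.append("tokenSigningKey: must not reuse the keystore password")
    return findings


def check_sso_config_json(text):
    """Parse a server-config.json document and check its singleSignOnConfig section."""
    doc = json.loads(text)
    section = doc.get("singleSignOnConfig")
    if section is None:
        return ["singleSignOnConfig: section missing"]
    return check_sso_config(section)


# Constructed sample (not a real deployment): a placeholder left in appBaseUrl, an http
# metadata URL, and the table's example token string, which is shorter than 128 characters.
SAMPLE_UNFILLED = json.dumps({"singleSignOnConfig": {
    "entityId": "https://idp.example.test/entity",
    "appId": "example-app-id",
    "metadataUrl": "http://idp.example.test/federationmetadata.xml",
    "metdataFilePath": "INSIGHTS_HOME/metadata.xml",
    "keyStoreFilePath": "INSIGHTS_HOME/saml-keystore.jks",
    "keyAlias": "saml",
    "keyPass": "changeit",
    "keyStorePass": "changeit",
    "appBaseUrl": "https://<HostOrDomainName>/PlatformService",
    "relayStateUrl": "https://insights.example.test/app/#/ssologin",
    "defaultTargetUrl": "https://insights.example.test/user/authenticate",
    "postLogoutURL": "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0",
    "tokenSigningKey": "insights_IDP_CogDevops_SSO_Token_string",
}})

# Constructed sample that passes every check (the 128-character key is a stand-in value).
SAMPLE_GOOD = {
    **json.loads(SAMPLE_UNFILLED)["singleSignOnConfig"],
    "metadataUrl": "https://idp.example.test/federationmetadata.xml",
    "appBaseUrl": "https://insights.example.test/PlatformService",
    "tokenSigningKey": "k" * MIN_SIGNING_KEY_CHARS,
}

if __name__ == "__main__":
    for finding in check_sso_config_json(SAMPLE_UNFILLED):
        print("FAIL", finding)
    print("good sample findings:", check_sso_config(SAMPLE_GOOD))
```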
7. Download the SAML Signing Certificate from the SSO provider site and import it into your application's SSL certificate file using the following command:
keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"
where certificate.cer is the file received from the SSO provider and keystore.jks is the Insights certificate file.
8. Add the application host name to insightsServiceURL in server-config.json.
9. Add the host information to trustedHosts in server-config.json.
10. Restart Apache Tomcat (for the Kerberos setup, restart the Apache httpd server, Grafana and Apache Tomcat).
11. Call the URL https://<HostOrDomainName>/app (for Kerberos, do this from the browser on the client machine, using the server machine's host name: https://<HostOrDomainNameOfServerMachine>/app).
12. Log in with your organization credentials.
Configure Browser
Google Chrome on Windows uses the Internet Explorer settings.
Internet Explorer uses security zones to distinguish which hosts are Internet, Local intranet, Trusted sites, or Restricted sites.
First, go to the security zones in IE (Tools → Internet Options → Security), then click the Sites button under Trusted sites: the browser must be configured to trust the host, so add the Insights server host name to the Trusted sites zone.
Secondly, within Internet Explorer, choose Tools → Internet Options → click the Security tab → click Trusted sites → click Custom level. Scroll all the way to the bottom and, under User Authentication → Logon, select "Automatic logon with current user name and password".
Third, in the Local intranet section make sure your server is trusted, i.e. add it to the list.
Disable SSO
1. Set "autheticationProtocol":"NativeGrafana" in server-config.json.
2. Set "autheticationProtocol":"NativeGrafana" in uiConfig.json.
3. Open the Grafana default.ini file, disable the [auth.proxy] section (enabled = false) and make sure that [auth.basic] is enabled.
4. Remove the SetEnvIf / X-WEBAUTH-USER block that was added for SSO from the Apache Httpd vhost file Apache24\conf\extra\httpd-vhosts.conf.
5. Restart the Apache httpd server and Grafana.
6. Restart Apache Tomcat.