SAML SSO Integration with Insights – Microsoft Azure AD

Introduction

Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. The service authenticates the end user for all the applications the user has rights to and eliminates further prompts when the user switches applications during the same session. On the back end, SSO is helpful for logging user activities as well as monitoring user accounts.

Prerequisite

  • The server should serve HTTPS through Apache Httpd.

  • The SSO integration is implemented using the SAML protocol.

  • The client should have the relevant SSO IdP details and have SSO configured in the SSO provider's portal.

  • The SSO provider's certificate (to import into our JKS keystore) and a private key may also be needed.

Set up Microsoft Azure Portal

Refer to the link below to set up the Microsoft Azure portal for SAML authentication:

https://dummybot.medium.com/saml-integration-with-spring-boot-spring-security-microsoft-azure-ad-b9610bdb78b9

Steps to create a JKS keystore and self-signed certificate:

Code Block
# Generate a 2048-bit RSA key pair with a self-signed certificate (SAN = your domain) in a new JKS keystore
keytool -genkey -keyalg RSA -alias <YOUR_DOMAIN>.com -keystore "insights_app_sso_28Apr.jks" -storepass <PASSWORD> -ext san=dns:<YOUR_DOMAIN>.com -validity 1000 -keysize 2048 -storetype JKS

# Verify the keystore contents (alias, validity period, SAN)
keytool -list -v -keystore "insights_app_sso_28Apr.jks"

# Create a certificate signing request if the certificate is to be signed by a CA
keytool -certreq -alias <YOUR_DOMAIN>.com -keystore insights_app_sso_28Apr.jks -storepass <PASSWORD> -file CertCA.crt

Steps to import the SAML provider certificate into the JKS keystore:

Code Block
# Import the SAML Signing Certificate downloaded from the SSO provider (Insights_SAML_SSO.cer)
# into the Insights keystore (insights_app_sso_28Apr.jks)
keytool -importcert -file Insights_SAML_SSO.cer -keystore insights_app_sso_28Apr.jks -alias insights_app_sso_28Apr_imported

# Convert the JKS keystore to PKCS12 so that openssl can read it
keytool -importkeystore -srckeystore insights_app_sso_28Apr.jks -destkeystore insights_app_sso_28Apr.p12 -deststoretype PKCS12

# Extract the certificate
openssl pkcs12 -in insights_app_sso_28Apr.p12 -nokeys -out insights_app_sso_28Apr.crt

# Extract the private key; -nodes writes it unencrypted, so restrict the file's permissions
openssl pkcs12 -in insights_app_sso_28Apr.p12 -nocerts -nodes -out insights_app_sso_28Apr.key

Enable SSO

  1. In server-config.json, set "autheticationProtocol" to "SAML".

  2. In uiConfig.json, set "autheticationProtocol" to "SAML".

  3. Open the Grafana defaults.ini file and enable the following [auth.proxy] section; do not change any other property:

    Code Block
    [auth.proxy]
    enabled = true
    header_name = X-WEBAUTH-USER
    header_property = username
    auto_sign_up = true
    sync_ttl = 60
    whitelist =
    headers =
    headers_encoded = true
    enable_login_token = false

    Note: with whitelist left empty, Grafana accepts the X-WEBAUTH-USER header from any source address, so make sure Grafana is reachable only through the Apache front end (or set whitelist to the proxy's IP address).

  4. Add the following to the Apache Httpd vhost file Apache24\conf\extra\httpd-vhosts.conf:

    Code Block
    SetEnvIf Cookie "(^|;\ *)username=([^;\ ]+)" MyCookieValue=$2
    <If "%{env:MyCookieValue} != ''">
        RequestHeader set X-WEBAUTH-USER "%{MyCookieValue}e"
    </If>

  5. Restart the Apache httpd server and Grafana.

  6. Add your SAML or SSO provider details in server-config.json under the "singleSignOnConfig" section.

  7. Configure either metadataUrl or metadataFilePath (one of the two).

  8. Add the application host name in insightsServiceURL in server-config.json.

  9. Add the host information in trustedHosts in server-config.json.

  10. Restart PlatformService and UI.

  11. Call the URL https://<HostOrDomainName>/insights.

  12. Log in with your organization credentials.

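As an added illustration (not part of the original guide), the Python function below re-implements the SetEnvIf pattern from step 4 and shows, for several constructed Cookie headers, whether the X-WEBAUTH-USER header would be set and with which value; this is useful when Grafana's auto_sign_up creates a user you did not expect.

```python
import re

# Python equivalent of the SetEnvIf pattern in the vhost snippet (an added re-implementation,
# not the Apache directive itself); Apache's "\ " in the pattern is an escaped literal space.
COOKIE_RE = re.compile(r"(^|; *)username=([^; ]+)")


def webauth_user_header(cookie_header: str):
    """Value Apache would place in X-WEBAUTH-USER for this Cookie header, or None.

    None mirrors the <If "%{env:MyCookieValue} != ''"> guard: no header is set at all,
    so Grafana falls back to its own login instead of the auth proxy."""
    match = COOKIE_RE.search(cookie_header)
    return match.group(2) if match else None


# Constructed sample Cookie headers a browser might send to the Apache front end
SAMPLES = {
    "JSESSIONID=1A2B3C; username=alice": "alice",
    "username=bob; grafana_session=deadbeef": "bob",
    "myusername=carol": None,    # "(^|; *)" anchors on a cookie boundary, so no match
    "username=; other=1": None,  # empty value: "[^; ]+" needs at least one character
    "": None,                    # no cookies at all
}

if __name__ == "__main__":
    for cookie, expected in SAMPLES.items():
        got = webauth_user_header(cookie)
        assert got == expected, (cookie, got)
        print(f"{cookie!r:45} -> X-WEBAUTH-USER: {got}")
```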
Sample Configuration:

...

Definitions:

Key : Description

entityId : Identifier (Entity ID) for your SAML configuration

appId : Copy the app ID from the App Federation Metadata URL

metadataUrl : App Federation Metadata URL

metadataFilePath : Download the SAML Signing Certificate from the SSO provider site and store it in INSIGHTS_HOME

keyStoreFilePath : Path of the certificate keystore, e.g. saml-keystore.jks; download this certificate from your SSO provider

keyAlias : Key alias (username) in saml-keystore.jks

keyPass : saml-keystore.jks password (key password)

keyStorePass : saml-keystore.jks password (keystore password)

appBaseUrl : Application service host URL, e.g. https://<HostOrDomainName>/PlatformService

relayStateUrl : SSO login UI page URL, e.g. https://<HostOrDomainName>/app/#/ssologin

defaultTargetUrl : Application user authentication URL, e.g. https://<HostOrDomainName>/user/authenticate

postLogoutURL : SAML or SSO provider logout URL, e.g. https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

tokenSigningKey : Secret key used to sign the JWT token; it should be 128 characters. Example value: "insights_IDP_CogDevops_SSO_Token_string"


registrationId : A unique identifier for this configuration mapping. This identifier may be used in URI paths, so care should be taken that no URI encoding is required.

singleSignOnServiceLocation : The singleSignOnService location.

privatekeyLocation : Path of the generated private key.

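A pre-restart consistency check for the singleSignOnConfig section, written for this guide as an added example (it is not part of Insights). It assumes server-config.json has already been parsed with json.load, that trustedHosts is a JSON list of host names and that insightsServiceURL is a top-level key; the key names come from the Definitions table and the rules from the Enable SSO steps.

```python
from urllib.parse import urlparse

# Keys come from the Definitions table of this guide; the checks are an added example, not
# a validator shipped with Insights. trustedHosts is assumed to be a JSON list of host names.
REQUIRED_KEYS = ("entityId", "appId", "keyStoreFilePath", "keyAlias", "keyPass",
                 "keyStorePass", "appBaseUrl", "relayStateUrl", "defaultTargetUrl",
                 "postLogoutURL", "tokenSigningKey")
URL_KEYS = ("appBaseUrl", "relayStateUrl", "defaultTargetUrl", "postLogoutURL")

def check_sso_config(cfg: dict) -> list:
    """Return the problems found in a parsed server-config.json (empty list = consistent)."""
    problems = []
    if cfg.get("autheticationProtocol") != "SAML":  # key spelled as in the project's config
        problems.append('autheticationProtocol must be "SAML" to enable SSO')
    sso = cfg.get("singleSignOnConfig")
    if not isinstance(sso, dict):
        return problems + ["singleSignOnConfig section is missing"]
    problems += [f"{k} is missing or empty" for k in REQUIRED_KEYS if not sso.get(k)]
    # Exactly one metadata source: the federation metadata URL or a downloaded file
    if bool(sso.get("metadataUrl")) == bool(sso.get("metadataFilePath")):
        problems.append("configure exactly one of metadataUrl or metadataFilePath")
    for key in URL_KEYS:  # the Apache front end is https, so these must be https too
        url = sso.get(key) or ""
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key} must be an https URL, got {url!r}")
    if sso.get("tokenSigningKey") and len(sso["tokenSigningKey"]) < 128:
        problems.append("tokenSigningKey should be 128 characters long")  # per the guide
    # The host named in insightsServiceURL must also be listed in trustedHosts
    host = urlparse(cfg.get("insightsServiceURL") or "").hostname
    if host and host not in (cfg.get("trustedHosts") or []):
        problems.append(f"host {host!r} from insightsServiceURL is not in trustedHosts")
    return problems

_H = "https://insights.example.com"  # constructed placeholder host, not a real deployment
SAMPLE_CONFIG = {
    "autheticationProtocol": "SAML", "insightsServiceURL": _H + "/PlatformService",
    "trustedHosts": ["insights.example.com"],
    "singleSignOnConfig": {
        "entityId": _H + "/PlatformService/saml/metadata", "appId": "<APP_ID>",
        "metadataUrl": "https://login.microsoftonline.com/<TENANT_ID>/federationmetadata/"
                       "2007-06/federationmetadata.xml?appid=<APP_ID>",
        "metadataFilePath": "", "keyStoreFilePath": "/opt/insights/saml-keystore.jks",
        "keyAlias": "insights", "keyPass": "<PASSWORD>", "keyStorePass": "<PASSWORD>",
        "appBaseUrl": _H + "/PlatformService", "relayStateUrl": _H + "/app/#/ssologin",
        "defaultTargetUrl": _H + "/user/authenticate",
        "postLogoutURL": "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0",
        "tokenSigningKey": "x" * 128,  # placeholder; use a random 128-character secret
    },
}
```

Run check_sso_config(json.load(open("server-config.json"))) before restarting PlatformService; an empty list means the section is consistent with the steps above.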
Disable SSO

  1. Set "autheticationProtocol":"NativeGrafana" in server-config.json.

  2. Set "autheticationProtocol":"NativeGrafana" in uiConfig.json.

  3. Open the Grafana defaults.ini file, disable the [auth.proxy] section and make sure that [auth.basic] is enabled.

  4. Remove the following from the Apache Httpd vhost file Apache24\conf\extra\httpd-vhosts.conf:

    Code Block
    SetEnvIf Cookie "(^|;\ *)username=([^;\ ]+)" MyCookieValue=$2
    <If "%{env:MyCookieValue} != ''">
        RequestHeader set X-WEBAUTH-USER "%{MyCookieValue}e"
    </If>

  5. Restart the Apache httpd server and Grafana.

  6. Restart PlatformService and UI.