
Introduction

Single sign-on (SSO) is a session and user authentication service that lets a user authenticate with Kerberos to access the Insights applications. The service authenticates the end user for both the Insights and Grafana applications. On the back end, SSO is also useful for logging user activity and monitoring user accounts.

Prerequisites

  • The user's machine is joined to the Kerberos network; the user can verify this by running the "kinit" command from a command prompt / terminal.

  • Assume two machines: the Insights application server, on which the Insights application is configured, and the client machine, which uses the Insights application through a browser.

  • On the Insights server, make sure that the SPN (Service Principal Name) and the keytab (ktab) file are properly configured:

    • Command to set the SPN: setspn -A HTTP/beta.kerberos.com beta

    • Command to extract the keytab file: ktpass -out c:\temp\insights_rc4.keytab -princ HTTP/beta.kerberos.com@KERBEROS.COM -mapUser beta -mapOp set -pass pass@123 -crypto RC4-HMAC-NT -pType KRB5_NT_PRINCIPAL

      The keytab contains the service account's long-term key, so store it with the same care as a password and keep its file permissions restricted to the account that runs Insights. RC4-HMAC is the legacy encryption type; where the domain supports it, AES256-SHA1 is the preferred value for -crypto.

  • The Chrome browser must be configured for Kerberos on the client machine. If you do not know how to configure Chrome for Kerberos, see the "Configure Browser" section below.

Enable SSO

  1. In server-config.json, set "autheticationProtocol":"Kerberos" and

    1. In the singleSignOnConfig section set the following three properties:

      • "relayStateUrl" : "http://<Host:port>/app/#/ssologin"

      • "servicePrincipalKerberos" : "<SPN name of the server>"

      • "keyTabLocationKerberos" : "D:\\Project\\Insights\\InSights_Windows\\Server2\\INSIGHTS_HOME\\.InSights\\insights_rc4.keytab"

        (The path points at the keytab extracted in the prerequisites. Inside a JSON string every backslash of a Windows path must be doubled, otherwise the file will not parse.)

    2. Add the application host name to insightsServiceURL in server-config.json.

    3. Add the host information to trustedHosts in server-config.json.

  2. In uiConfig.json, set "autheticationProtocol":"Kerberos" and change the singleSignOnConfig section to:

    "singleSignOnConfig": {
        "loginURL": "/PlatformService/user/insightsso/kerberosLogin",
        "logoutURL": ""
    },

  3. Open the Grafana default.ini file and enable the following [auth.proxy] section; do not change the other properties:

    [auth.proxy]
    enabled = true
    header_name = X-WEBAUTH-USER
    header_property = username
    auto_sign_up = true
    ldap_sync_ttl = 60
    whitelist =
    headers =

    With auth.proxy enabled, Grafana trusts the X-WEBAUTH-USER header as the authenticated user name. An empty whitelist means that trust applies to any client that can reach the Grafana port directly, so set whitelist to the IP address of the Apache httpd reverse proxy and make sure the Grafana port is not reachable from clients except through Apache.

  4. Add the following to the Apache httpd vhost file Apache24\conf\extra\httpd-vhosts.conf (SetEnvIf and <If> need mod_setenvif, RequestHeader needs mod_headers; both must be loaded):

SetEnvIf Cookie "(^|;\ *)username=([^;\ ]+)" MyCookieValue=$2
<If "%{env:MyCookieValue} != ''">
RequestHeader set X-WEBAUTH-USER "%{MyCookieValue}e"
</If>

    These directives copy the value of the username cookie, which the Insights Kerberos login sets, into the X-WEBAUTH-USER header that Grafana trusts. The header is only added when the cookie is present and non-empty.

  5. Restart the Apache httpd server, Grafana and Apache Tomcat.

  6. On the client machine, open the browser and go to https://<HostOrDomainNameOfServerMachine>/app

  7. Log in with your organization credentials.
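The following Python script is an added example, not code from the Insights project or from this page. It ports the SetEnvIf cookie pattern from step 4 to Python so you can see exactly which Cookie headers cause Apache to emit X-WEBAUTH-USER, and it parses a Grafana [auth.proxy] fragment like the one in step 3 to flag settings that widen the trust placed in that header (an empty whitelist). The two INI fragments are constructed inline; the hardened one assumes 127.0.0.1 as the Apache proxy address, which is a placeholder for your own deployment.

```python
import configparser
import re

# Python port of the Apache directive from the vhost file:
#   SetEnvIf Cookie "(^|;\ *)username=([^;\ ]+)" MyCookieValue=$2
# "\ " is a literal space in both Apache's regex engine and Python's re,
# so the pattern can be reused unchanged.
COOKIE_PATTERN = re.compile(r"(^|;\ *)username=([^;\ ]+)")


def webauth_headers(cookie_header):
    """Return the headers the vhost rules would add for one Cookie header value.

    Mirrors the three directives: SetEnvIf extracts the cookie value into
    MyCookieValue, and RequestHeader sets X-WEBAUTH-USER only when that
    variable is non-empty. Pass None for a request without a Cookie header.
    """
    if cookie_header is None:
        return {}
    match = COOKIE_PATTERN.search(cookie_header)
    if match is None:
        # MyCookieValue stays unset, the <If> condition is false, no header added.
        return {}
    return {"X-WEBAUTH-USER": match.group(2)}


# Constructed sample: the [auth.proxy] section exactly as shown in step 3.
DEFAULT_INI_FRAGMENT = """\
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
ldap_sync_ttl = 60
whitelist =
headers =
"""

# Constructed sample: same section with the header trusted only from the
# reverse proxy address (127.0.0.1 is a placeholder for your Apache host).
HARDENED_INI_FRAGMENT = DEFAULT_INI_FRAGMENT.replace("whitelist =", "whitelist = 127.0.0.1")


def check_auth_proxy(ini_text, expected_header="X-WEBAUTH-USER"):
    """Parse a Grafana ini fragment and list auth.proxy settings that weaken
    the SSO trust chain. Returns a list of finding strings; empty means OK."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.has_section("auth.proxy"):
        return ["[auth.proxy] section is missing"]
    proxy = cfg["auth.proxy"]
    findings = []
    if proxy.get("enabled", "false").strip().lower() != "true":
        findings.append("auth.proxy is not enabled, Kerberos SSO will not reach Grafana")
    if proxy.get("header_name", "").strip() != expected_header:
        findings.append(f"header_name must be {expected_header} to match the Apache RequestHeader rule")
    if not proxy.get("whitelist", "").strip():
        findings.append("whitelist is empty: Grafana accepts X-WEBAUTH-USER from any source, "
                        "restrict it to the Apache proxy address")
    return findings


if __name__ == "__main__":
    for cookie in ("username=alice", "theme=dark; username=bob; lang=en", "xusername=eve", None):
        print(repr(cookie), "->", webauth_headers(cookie))
    for name, fragment in (("page fragment", DEFAULT_INI_FRAGMENT), ("hardened", HARDENED_INI_FRAGMENT)):
        print(name, "->", check_auth_proxy(fragment) or "no findings")
```

Run it as-is to see the mapping: a cookie named exactly username yields the header, while a cookie such as xusername or an empty username value yields nothing, because the pattern anchors on the start of the header or a preceding semicolon and requires at least one character in the value. The INI check reports only the empty whitelist for the page's fragment and nothing for the hardened one.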

Configure Browser

Google Chrome on Windows uses the Internet Explorer settings.

Internet Explorer uses security zones to distinguish which hosts are Internet, Local intranet, Trusted sites, or Restricted sites.

  1. First, go to the Security zones in IE (Tools → Internet Options → Security), select Trusted sites and click the Sites button. The browser must be configured to trust the host, so add the Insights server host name to the Trusted sites zone.

  2. Second, in Internet Explorer choose Tools → Internet Options, click the Security tab, click Trusted sites and then click Custom level. Scroll all the way to the bottom to User Authentication → Logon and
    select "Automatic logon with current user name and password".

  3. Third, in the Local intranet zone make sure your server is trusted, i.e. add it to the list.

Disable SSO

  1. Set "autheticationProtocol":"NativeGrafana" in server-config.json.

  2. Set "autheticationProtocol":"NativeGrafana" in uiConfig.json.

  3. Open the Grafana default.ini file, disable the [auth.proxy] section (enabled = false) and make sure that [auth.basic] is enabled.

  4. Remove the following from the Apache httpd vhost file Apache24\conf\extra\httpd-vhosts.conf:

SetEnvIf Cookie "(^|;\ *)username=([^;\ ]+)" MyCookieValue=$2
<If "%{env:MyCookieValue} != ''">
RequestHeader set X-WEBAUTH-USER "%{MyCookieValue}e"
</If>

  5. Restart the Apache httpd server and Grafana.

  6. Restart Apache Tomcat.

References

  1. https://www.baeldung.com/spring-security-kerberos

  2. https://www.oracle.com/technical-resources/articles/middleware/idm-weblogic-sso-kerberos.html

  3. https://support.pingidentity.com/s/article/How-to-configure-supported-browsers-for-Kerberos-NTLM#ie

  4. https://docs.spring.io/spring-security-kerberos/docs/current/reference/html/browserspnegoconfig.html#chrome
