Introduction
Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. The service authenticates the end user for all the applications the user has rights to and eliminates further prompts when the user switches applications during the same session. On the back end, SSO is helpful for logging user activities as well as monitoring user accounts
Prerequisite
Server should implement https protocol with Apache Httpd
The SSO integration implemented using the SAML protocol
Client should have relevant SSO IDP details and configure SSO in SSO provider portal.
We might also need SSO provider jks file to import it in our file.
Enable SSO
In server-config.json, change "autheticationProtocol":”SAML”
In uiConfig.json, change "autheticationProtocol":”SAML” and singleSignOnConfig section to "singleSignOnConfig": {
"loginURL": "/PlatformService/saml/login",
"logoutURL": "/PlatformService/saml/logout"
},Open grafana default.ini file and enable following [auth.proxy] section, do not change other property
[auth.proxy]enabled = trueheader_name = X-WEBAUTH-USERheader_property = usernameauto_sign_up = trueldap_sync_ttl = 60whitelist =headers =
4. Add following in Apache Httpd vhost file Apache24\conf\extra\httpd-vhosts.conf
SetEnvIf Cookie "(^|;\ *)username=([^;\ ]+)" MyCookieValue=$2<If "%{env:MyCookieValue} != ''">RequestHeader set X-WEBAUTH-USER "%{MyCookieValue}e"</If>
5. Restart Apache httpd server and Grafana
6. Add your SAML or SSO provider detail in server.config.json under “singleSignOnConfig” section
| 1 | Key | Description |
| 2 | entityId: | Identifier (Entity ID) for your SMAL configuration |
| 3 | appId: | copy app id from App Federation Metadata Url |
| 4 | metadataUrl: | App Federation Metadata Url |
| 5 | metdataFilePath : | Download SAML Signing Certificate from sso provider site and store it in INSIGHTS_HOME |
| 6 | keyStoreFilePath: | path of certificae like saml-keystore.jks, Download this certificate from your sso provider URL |
| 7 | keyAlias: | saml-keystore.jks username |
| 8 | keyPass: | saml-keystore.jks password |
| 9 | keyStorePass : | saml-keystore.jks password |
| 10 | appBaseUrl : | Application service Host URL, Example https://<HostOrDomainName>/PlatformService |
| 11 | relayStateUrl : | SSO login UI page URL, Example https://<HostOrDomainName>/app/#/ssologin |
| 12 | defaultTargetUrl : | Application user authenticate url, Example https://<HostOrDomainName>/user/authenticate |
| 13 | postLogoutURL : | SAML or SSO provider logout URL, Example value https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 |
| 14 | tokenSigningKey: | This is use as secrete key to sign JWT token,It should be 128 character ,Example value:"insights_IDP_CogDevops_SSO_Token_string" |
7. We need to download SAML Signing Certificate from sso provider site and import it in your application ssl certificate file using following command
keytool -importcert -file certificate.cer -keystore keystore.jks -alias "Alias"
Where certificate.cer file received from sso provider and keystore.jks is Insights certificate file
8. Add application host name in insightsServiceURL in server-config.json
9. Add host information in trustedHosts in server-config.json
10. Restart Apache Tomcat and
11. Call URL https://<HostOrDomainName>//app
12 Login with your organization credential
Disable SSO
Mark "autheticationProtocol":"NativeGrafana" in server-config.json
Mark "autheticationProtocol":"NativeGrafana" in uiConfig.json
Open grafana default.ini file and disable in [auth.proxy] section and make sure that [auth.basic] enabled
Remove following in Apache Httpd vhost file Apache24\conf\extra\httpd-vhosts.conf
SetEnvIf Cookie "(^|;\ *)username=([^;\ ]+)" MyCookieValue=$2<If "%{env:MyCookieValue} != ''">RequestHeader set X-WEBAUTH-USER "%{MyCookieValue}e"</If>
5.Restart Apache httpd server and Grafana
6.Restart Apache Tomcat