SAML SSO Integration with Insights – Microsoft Azure AD
Introduction
Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. The service authenticates the end user for all the applications the user has rights to and eliminates further prompts when the user switches applications during the same session. On the back end, SSO is helpful for logging user activities as well as monitoring user accounts.
Prerequisite
Server should implement https protocol with Apache Httpd.
The SSO integration implemented using the SAML protocol.
Client should have relevant SSO IDP details and configure SSO in SSO provider portal.
We need SSO provider jks file to import it in our file and a Private Key.
Set up Microsoft Azure Portal
Create Saml Enteriprise Account
Refer the below link to setup Microsoft AD using Azure Portal for SAML authentication:
Steps to create JKS file and self-signed certificate.
keytool -genkey -keyalg RSA -alias <YOUR_DOMAIN>.com -keystore "insights_app_sso.jks" -storepass <PASSWORD> -ext san=dns:<YOUR_DOMAIN>.com -validity 1000 -keysize 2048 -storetype JKS keytool -list -v -keystore "insights_app_sso.jks" keytool -certreq -alias <YOUR_DOMAIN>.com -keystore insights_app_sso.jks -storepass <PASSWORD> -file CertCA.crt
Steps to Import SAML provider (Azure AD ) certs to JKS keystore. Insights_SAML_SSO.cer is provider cert and download from Azure AD portal
keytool -importcert -file Insights_SAML_SSO.cer -keystore insights_app_sso.jks -alias insights_app_sso_28Apr_imported keytool -importkeystore -srckeystore insights_app_sso.jks -destkeystore insights_app_sso.p12 -deststoretype PKCS12 openssl pkcs12 -in insights_app_sso.p12 -nokeys -out insights_app_sso.crt openssl pkcs12 -in insights_app_sso.p12 -nocerts -nodes -out insights_app_sso.key openssl pkcs8 -topk8 -in insights_app_sso.key -out insights_private.key -nocrypt #insights_private.key will be the private key used for SSO configuration
Enable SSO
In server-config.json, change "autheticationProtocol": “SAML”.
In uiConfig.json, change "autheticationProtocol": “SAML”.
In the configDesc.json update “SAML” property with the following value:
"SAML": { "loginURL": "/PlatformService/saml2/authenticate/insights_saml2_sso", "logoutURL": "/PlatformService/saml/logout" },Open Grafana defaults.ini file and enable following [auth.proxy] section, do not change other property
[auth.proxy] enabled = true header_name = X-WEBAUTH-USER header_property = username auto_sign_up = true sync_ttl = 60 whitelist = headers = headers_encoded = true enable_login_token = false
Add following in Apache Httpd vhost file Apache24\conf\extra\httpd-vhosts.conf.
SetEnvIf Cookie "(^|;\ *)username=([^;\ ]+)" MyCookieValue=$2 <If "%{env:MyCookieValue} != ''"> RequestHeader set X-WEBAUTH-USER "%{MyCookieValue}e" </If>Restart Apache httpd server and Grafana.
Add your SAML or SSO provider detail in server.config.json under “singleSignOnConfig” section.
We can configure either metadataUrl or the metadataFilePath.
Add “insights_saml2_sso” as value for the “registrationId” property.
Add application host name in insightsServiceURL in server-config.json.
Add host information in trustedHosts in server-config.json.
Restart PlatformService and UI.
Call URL https://<HostOrDomainName>/insights.
Login with your organization credential.
Sample Configuration:
Definitions:
Key | Description | |
|---|---|---|
| 1 | entityId | Identifier (Entity ID) for your SMAL configuration |
| 2 | appId | copy app id from App Federation Metadata Url |
| 3 | metadataUrl | App Federation Metadata Url |
| 4 | metdataFilePath | Download SAML Signing Certificate from sso provider site and store it in INSIGHTS_HOME |
| 5 | keyStoreFilePath | path of certificae like saml-keystore.jks, Download this certificate from your sso provider URL |
| 6 | keyAlia | saml-keystore.jks username |
| 7 | keyPass | saml-keystore.jks password |
| 8 | keyStorePass | saml-keystore.jks password |
| 9 | appBaseUrl | Application service Host URL, Example https://<HostOrDomainName>/PlatformService |
| 10 | relayStateUrl | SSO login UI page URL, Example https://<HostOrDomainName>/app/#/ssologin |
| 11 | defaultTargetUrl | Application user authenticate url, Example https://<HostOrDomainName>/user/authenticate |
| 12 | postLogoutURL : | SAML or SSO provider logout URL, Example value: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0 |
| 13 | tokenSigningKey: | This is use as secrete key to sign JWT token,It should be 128 character ,Example value:"insights_IDP_CogDevops_SSO_Token_string" |
| 14 | registrationId | A unique identifer for this configuration mapping. This identifier may be used in URI paths, so care should be taken that no URI encoding is required. |
| 15 | singleSignOnServiceLocation | The singleSignOnService location. |
| 16 | privatekeyLocation | path of the generated Private key. |
Disable SSO
Mark "autheticationProtocol":"NativeGrafana" in server-config.json
Mark "autheticationProtocol":"NativeGrafana" in uiConfig.json
Open grafana defaults.ini file and disable in [auth.proxy] section and make sure that [auth.basic] enabled
Remove following in Apache Httpd vhost file Apache24\conf\extra\httpd-vhosts.conf.
SetEnvIf Cookie "(^|;\ *)username=([^;\ ]+)" MyCookieValue=$2 <If "%{env:MyCookieValue} != ''"> RequestHeader set X-WEBAUTH-USER "%{MyCookieValue}e" </If>Restart Apache httpd server and Grafana
Restart PlatformService and UI.