Kerberos SSO Configuration
Introduction
Single sign-on (SSO) is a session and user authentication service that permits a user to use Kerberos to access Insights applications. The service authenticates the end user for the Insights and Grafana applications. On the back end, SSO is helpful for logging user activities as well as monitoring user accounts.
There are various Kerberos protocol implementations, for example MIT and IBM. We have tested the Insights Kerberos integration using MIT.
Prerequisites
Kerberos setup is already in place; Kerberos setup is out of scope of this document.
SPN (Service Principal Name) and keytab file properly configured for the Insights product.
Enable SSO
Insights server Kerberos setup
1. In server-config.json,
change "autheticationProtocol":"Kerberos"
In the singleSignOnConfig section set the following three properties
"relayStateUrl" : "http://<Host:port>/app/#/ssologin"
"servicePrincipalKerberos":"SPN name of server"
"keyTabLocationKerberos":"D:\Project\Insights\InSights_Windows\Server2\INSIGHTS_HOME\.InSights\insights_rc4.keytab"
Add the application host name in insightsServiceURL in server-config.json
Add the host information in trustedHosts in server-config.json
2. In uiConfig.json,
change "autheticationProtocol":"Kerberos"
3. Open the Grafana default.ini file and enable the following [auth.proxy] section; do not change the other properties
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
ldap_sync_ttl = 60
whitelist =
headers =
4. Add the following to the Apache httpd vhost file Apache24\conf\extra\httpd-vhosts.conf
SetEnvIf Cookie "(^|;\ *)username=([^;\ ]+)" MyCookieValue=$2
<If "%{env:MyCookieValue} != ''">
RequestHeader set X-WEBAUTH-USER "%{MyCookieValue}e"
</If>
5. Restart the Apache httpd server, Grafana and Apache Tomcat.
Configure Browser
Google Chrome in Windows will use the Internet Explorer settings.
Internet Explorer uses security zones for distinguishing which hosts are Internet, Local intranet, Trusted sites, or Restricted sites.
First, go to the security zones in IE (Tools → Internet Options → Security), then click the Sites button under Trusted sites. The browser must be configured to trust the host by adding the Insights server host name to the Trusted sites zone.
Secondly, within Internet Explorer, choose Tools → Internet Options → click the Security tab → click Trusted sites → click Custom level. Scroll all the way to the bottom and, under User Authentication → Logon, select "Automatic logon with current user name and password".
Third, in the Local intranet zone make sure your server is trusted, i.e. add it to the list.
Go to the client machine, open a browser and call the URL https://<HostOrDomainNameOfServerMachine>/app
Log in with your organization credentials if required.
Disable SSO
1. Mark "autheticationProtocol":"NativeGrafana" in server-config.json
2. Mark "autheticationProtocol":"NativeGrafana" in uiConfig.json
3. Open the Grafana default.ini file, disable the [auth.proxy] section and make sure that [auth.basic] is enabled
4. Remove the following from the Apache httpd vhost file Apache24\conf\extra\httpd-vhosts.conf
SetEnvIf Cookie "(^|;\ *)username=([^;\ ]+)" MyCookieValue=$2
<If "%{env:MyCookieValue} != ''">
RequestHeader set X-WEBAUTH-USER "%{MyCookieValue}e"
</If>
5. Restart the Apache httpd server and Grafana
6. Restart Apache Tomcat
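The Enable SSO and Disable SSO steps touch three files that must agree with each other (server-config.json, uiConfig.json and the Grafana default.ini). The following Python script is an added example, not part of the Insights product, that parses constructed stand-ins for those files and reports where they contradict either procedure; the nested shape of singleSignOnConfig and the sample host, SPN and keytab path are assumptions.

```python
import configparser
import json

# Constructed stand-ins for the three real files (hypothetical values; nested shape assumed).
SERVER_CONFIG = json.loads(r'''{
  "autheticationProtocol": "Kerberos",
  "singleSignOnConfig": {
    "relayStateUrl": "http://insights.example.local:8080/app/#/ssologin",
    "servicePrincipalKerberos": "HTTP/insights.example.local@EXAMPLE.LOCAL",
    "keyTabLocationKerberos": "D:\\Insights\\insights_rc4.keytab"}}''')
UI_CONFIG = {"autheticationProtocol": "Kerberos"}
GRAFANA_INI = """
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
whitelist =

[auth.basic]
enabled = false
"""
SSO_KEYS = ("relayStateUrl", "servicePrincipalKerberos", "keyTabLocationKerberos")

def check_sso(server_cfg, ui_cfg, grafana_ini):
    """Return findings where the files contradict the Enable/Disable steps; [] means consistent."""
    findings = []
    mode = server_cfg.get("autheticationProtocol")
    if ui_cfg.get("autheticationProtocol") != mode:
        findings.append("server-config.json and uiConfig.json disagree on autheticationProtocol")
    ini = configparser.ConfigParser()
    ini.read_string(grafana_ini)  # "whitelist =" parses as an empty value
    proxy_on = ini.getboolean("auth.proxy", "enabled", fallback=False)
    basic_on = ini.getboolean("auth.basic", "enabled", fallback=False)
    if mode == "Kerberos":  # Enable SSO: all three SSO keys, auth.proxy on with the right header
        sso = server_cfg.get("singleSignOnConfig", {})
        findings += [f"singleSignOnConfig.{k} is not set" for k in SSO_KEYS if not sso.get(k)]
        if not proxy_on:
            findings.append("grafana [auth.proxy] enabled must be true for Kerberos SSO")
        if ini.get("auth.proxy", "header_name", fallback="") != "X-WEBAUTH-USER":
            findings.append("grafana [auth.proxy] header_name must be X-WEBAUTH-USER")
    elif mode == "NativeGrafana":  # Disable SSO: auth.proxy off, auth.basic back on
        if proxy_on:
            findings.append("grafana [auth.proxy] must be disabled when SSO is off")
        if not basic_on:
            findings.append("grafana [auth.basic] must be enabled when SSO is off")
    else:
        findings.append(f"unexpected autheticationProtocol {mode!r}")
    return findings

if __name__ == "__main__":
    print(check_sso(SERVER_CONFIG, UI_CONFIG, GRAFANA_INI) or "SSO configuration is consistent")
```

Point the script at the real files by replacing the constructed stand-ins with json.load and the contents of default.ini; run it before and after restarting the services to catch a half-applied change.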
©2021 Cognizant, all rights reserved. US Patent 10,410,152