SSO Configuration using shared JWT token
Introduction
Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. The service authenticates the end user for all the applications the user has rights to and eliminates further prompts when the user switches applications during the same session.
Insights does not create a new JWT token; it relies on the token shared by the client system. The Insights application consumes this JWT token to authenticate and authorize the user.
Prerequisite
JWT authentication is supported only through an iframe.
The JWT signing key must be 256 characters long, as per the latest JWT specification.
Enable SSO
1. In server-config.json:
   - Change "autheticationProtocol":"JWT"
   - In the singleSignOnConfig section, set the following three properties:
     "relayStateUrl" : "http://<Host:port>/app/#/ssologin"
     "tokenSigningKey" : <client system JWT signing key>
   - Add the application host name to insightsServiceURL in server-config.json
   - Add the host information to trustedHosts in server-config.json
2. In uiConfig.json:
   - Change "autheticationProtocol":"JWT"
   - Update the parent server URL in "jwtTokenOriginServerURL":"http://localhost:8282",
3. Open the Grafana default.ini file and enable the following [auth.proxy] section; do not change any other property:
[auth.proxy]
enabled = true
header_name = X-WEBAUTH-USER
header_property = username
auto_sign_up = true
ldap_sync_ttl = 60
whitelist =
headers =
4. Add the following to the Apache httpd vhost file Apache24\conf\extra\httpd-vhosts.conf:
SetEnvIf Cookie "(^|;\ *)username=([^;\ ]+)" MyCookieValue=$2
<If "%{env:MyCookieValue} != ''">
RequestHeader set X-WEBAUTH-USER "%{MyCookieValue}e"
</If>
5. Restart the Apache httpd server, Grafana and Apache Tomcat.
6. Open the user application and open the Insights application in an iframe.
Disable SSO
1. Set "autheticationProtocol":"NativeGrafana" in server-config.json
2. Set "autheticationProtocol":"NativeGrafana" in uiConfig.json
3. Open the Grafana default.ini file, disable the [auth.proxy] section, and make sure that [auth.basic] is enabled
4. Remove the following from the Apache httpd vhost file Apache24\conf\extra\httpd-vhosts.conf:
SetEnvIf Cookie "(^|;\ *)username=([^;\ ]+)" MyCookieValue=$2
<If "%{env:MyCookieValue} != ''">
RequestHeader set X-WEBAUTH-USER "%{MyCookieValue}e"
</If>
5. Restart the Apache httpd server and Grafana
6. Restart Apache Tomcat
©2021 Cognizant, all rights reserved. US Patent 10,410,152