problem SSO with graylog and mozilla firefox

[kfdl]

Problem description

hello
I have a problem when i try to have a SSO between nginx 1.10.3 and graylog 2.5.0
this is my configuration for nginx: /etc/nginx/sites-available/reverseProxy

location / {
auth_basic “Restricted Access”;
auth_basic_user_file “/etc/nginx/.htpasswd”;
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
}

    location /graylog {
            auth_basic "Restricted Access";

            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header Remote-User $remote_user;
            #proxy_set_header X-Forwarded-User $remote_user;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Graylog-Server-URL http://1.0.0.10/graylog/api;
            proxy_set_header X-Requested-By $remote_addr;

            proxy_pass       http://1.15.15.15:9001/graylog;
            
    }

and my configuration for grafana : /etc/graylog/server/server.conf
rest_listen_uri = http://1.15.15.15:9001/graylog/api
web_listen_uri = http://1.15.15.15:9001/graylog

the problem is, when i log on with internet explorer the SSO work perfectly, but when i try to log on with mozilla firefox or chrome, I am authenticated with the user “undefined” and i don’t know why ??

please help me…

thank very much for your help

Steps to reproduce the problem

install nginx 1.10.3, graylog 2.5.0, elasticsearch: 6.5.3, MongoDB Version 4.0.4 on a debian 9.6 host, please put the configuration below for nginx and graylog. :
for elasticsearch please change the node name in /etc/elasticsearch/elasticsearch.yml to graylog-node1 and cluster.name to: graylog.

Download the sso plugin for graylog 2.5.0 and place the .jar file in /usr/share/elasticsearch/plugins/
enabe and start all this service ( systemctl enable [services] and systemctl start [services])
for the configuration of graylog in the file /etc/graylog/server/server.conf please follow this intructions:

// You MUST specify a hash password for the root user (which you only need to initially set up the
//system and in case you lose connectivity to your authentication backend)
// This password cannot be changed using the API or via the web interface. If you need to change it,
//modify it in this file.
// Create one by using for example: echo -n yourpassword | shasum -a 256
// and put the resulting hash value into the following line
root_password_sha2 =

and

// You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
//Generate one by using for example: pwgen -N 1 -s 96
password_secret =

then create in the folder /etc/nginx the file .htpasswd with the command
htpasswd -db /etc/nginx/.htpasswd [user] [password]
(create two account, the first for admin and the second for you)

use mozilla 64.4.0.2 and put the URL 1.0.0.10, log on the web server.
after the log in put on mozilla the url 1.0.0.10/graylog and log on with the admin account and the password you choose.

then system > authentification > SSO :
username header --> Remote-User
don't select "request must come from a trusted proxy"
don't select "automatically create"
don't select "Synchronize the roles of the user from the specified HTTP header"
then save the configuration.

then system > authentification > configure provider order:
edit put the list like this:

1. SSO
2. admin user
3. Sessions
4. passwords
5. LDAP
   6 API tokens
   and save

clear the cache and the history et and quit mozilla.
restart graylog, nginx , elasticsearch...

the open mozilla again, log on a the reverse proxy and go to /graylog. and you will see the error with the SSO, username "undefined".
But if you do the same with IE it work.
I don't understand the problem, I think I try everything (capture of the paquet between nginx and graylog for the to browser, change the configuration...)

pleaseeeeeeeee help me.
thank you for your time

Environment

• Graylog Version: 2.5.0
• Plugin Version: 2.5.0
• Nginx: 1.10.3
• Elasticsearch: 6.5.3
• MongoDB Version: 4.0.4
• Operating System: debian 9.6
• Browser version: mozilla 64.4.0.2

[yellowcong]

i have the same problem

[yellowcong]

i have solve this question

[yellowcong]

but have a new problem ,i can't logout 日了狗了

[kfdl]

i have solve this question

oh, good very good, and how did you solve the problem, because i don't know.
Can you give me some tips pleaaaase

thank you very much for your help

[yellowcong]

@kfdl 实现效果

[yellowcong]

@kfdl you have to make sure you proxy is right ,you may be X-Graylog-Server-URL not right.

[kfdl]

hello,
thank you for your answer
my nginx configuration is:
proxy_set_header X-Graylog-Server-URL http://1.0.0.10/graylog/api;
proxy_set_header X-Requested-By $remote_addr;
proxy_pass http://1.15.15.15:9001/graylog;

and my graylog configuration is:
rest_listen_uri = http://1.15.15.15:9001/graylog/api
web_listen_uri = http://1.15.15.15:9001/graylog

maybe something is wrong with configuration, but i can access to graylog with the configuration below, and the SSO work on IE. so i'm really confuse...

what is apereo?
I can use it instead of nginx for authentification?

[kfdl]

hello,
i finally found something (i think so) in the graylog debug authentification log

"DEBUG [ModularRealmAuthenticator] Realm [org.graylog.plugins.auth.sso.SsoAuthRealm@534ef0b4] does not support token org.apache.shiro.authc.UsernamePasswordToken - XXXXX, rememberMe=false (192.168.30.126). Skipping realm."

if somebody have a ideas about this log...

thank you :)

[kfdl]

hello,
I have this log too but i don't know how to deal with it :
Realm [org.graylog.plugins.auth.sso.SsoAuthRealm@1b6f8352] does not support token SessionIdToken{sessionId=edb32a28-d7b7-406b-a9dc-5132ae3adf14, host=XXXXXX}. Skipping realm.

thank you :)

[happyyangyuan]

@kfdl 实现效果

大佬，您可以把你的配置详细粘贴一下嘛，顺便把你的cas的实现流程简单讲讲？

[teamrussia]

Hi Guys..

Can you help me?

I don't know configure my nginx to use the sso plugin.

There is my config:

`
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Graylog-Server-URL https://$host;
proxy_set_header Remote-User $remote_user;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Requested-By $remote_addr;
proxy_pass http://graylog/;
}

       location /api/ {
            proxy_pass      http://graylog/api/;
            proxy_set_header X-Graylog-Server-URL https://graylog/api/;
            proxy_set_header   Host   $http_host;
            proxy_set_header Remote-User $remote_user;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header   X-Real-IP  $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Requested-By $remote_addr;
       }

`