Failed to authenticate username from trusted HTTP header via proxy

Upgraded Graylog from 3.3 to 4.0 and SSO is broken.

Getting the error below:

[HTTPHeaderAuthenticationRealm] Failed to authenticate username from trusted HTTP header via proxy

More Details:

Graylog 4.2
MongoDB 4.2
ElasticSearch: 6.8

Hello

Due to the aforementioned removal of the pluggable authentication realm Java APIs, the SSO Authentication Plugin doesn’t work with Graylog 4.0 anymore.

The core feature of the old SSO plugin (trusted HTTP header authentication) got integrated in the server.

The old SSO plugin must be removed from the plugin folder before starting a Graylog 4.0 server.

As of the newest release you can use these.

Hope that helps

I have already removed this plugin from the plugin folder and am trying to configure this new inbuilt feature.
I configured the HTTP header that should come from SAML 2.0 via the Apache web server.
It seems Graylog is able to recognize the parameter but is not able to authenticate users that were already created via the old SSO plugin.

2022-02-23T05:36:44.907+01:00 WARN [HTTPHeaderAuthenticationRealm] Failed to authenticate username from trusted HTTP header via proxy

Is it that this new SSO model only works with the Graylog Enterprise version?

Yes, this is true. For better clarity, look here

EDIT:

Only the Trusted Header will work for Open source, but if you keep under 2Gb a day the Enterprise license is free.

I forgot to add: if you enable the Trusted Header, don’t forget to add the trusted_proxies setting in the Graylog config.

I have added my web server to the proxies already.
I deleted the users which were created via the old SSO plugin, but the new HTTP header feature is not able to create users on the fly and gets stuck at the login screen.
However, if I create the user manually, it does work.

It is so much pain to create more than 200 users manually in order to make it work, and adding users as well.
Graylog is now forcing us to use the Enterprise version.

I would say SSO is broken in Graylog 4.0 and the HTTP header is not the same as the SSO plugin.

Agree,

That is a true statement.
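Added example, not part of the thread and not Graylog's own code: a simplified Python model of the checks the posts above describe for trusted-header login (header present, request source listed in trusted_proxies, user already exists). The header name `Remote-User`, the function names, the reason strings and all sample addresses and users are assumptions constructed for illustration.

```python
import ipaddress

HEADER_NAME = "Remote-User"  # assumption: the header name the proxy is set to send


def parse_trusted_proxies(setting):
    """Parse a comma-separated IP/CIDR list, the shape of a trusted_proxies value."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in setting.split(",") if part.strip()]


def authenticate(remote_addr, headers, trusted, known_users):
    """Return (username, reason); username is None when header login is refused."""
    # HTTP header names are case-insensitive.
    value = next((v for k, v in headers.items()
                  if k.lower() == HEADER_NAME.lower()), "").strip()
    if not value:
        return None, "no-header"          # fall back to the normal login form
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in trusted):
        return None, "untrusted-source"   # header set by something other than the proxy
    if value not in known_users:
        return None, "unknown-user"       # no on-the-fly creation in this model
    return value, "ok"


# Constructed sample data, not taken from the thread.
TRUSTED = parse_trusted_proxies("127.0.0.1/32, 0:0:0:0:0:0:0:1/128, 10.0.0.5/32")
USERS = {"alice"}
REQUESTS = [
    ("10.0.0.5", {"remote-user": "alice"}),
    ("10.0.0.5", {"Remote-User": "bob"}),
    ("192.0.2.44", {"Remote-User": "alice"}),
    ("10.0.0.5", {}),
]

if __name__ == "__main__":
    for src, hdrs in REQUESTS:
        print(src, hdrs, "->", authenticate(src, hdrs, TRUSTED, USERS))
```

The "untrusted-source" branch is the reason the proxy list matters: the header is only meaningful when the proxy is the sole path to the web interface and overwrites any copy of the header sent by the client.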
