Upgraded Graylog from 3.3 to 4.0 and SSO broken.
Getting below Error:
[HTTPHeaderAuthenticationRealm] Failed to authenticate usernamefrom trusted HTTP header via proxy
More Details:
Graylog 4.2
MongoDB 4.2
ElasticSearch: 6.8
Upgraded Graylog from 3.3 to 4.0 and SSO broken.
Getting below Error:
[HTTPHeaderAuthenticationRealm] Failed to authenticate usernamefrom trusted HTTP header via proxy
More Details:
Graylog 4.2
MongoDB 4.2
ElasticSearch: 6.8
Hello
Due to the aforementioned removal of the pluggable authentication realm Java APIs, the SSO Authentication Plugin doesn’t work with Graylog 4.0 anymore.
The core feature of the old SSO plugin (trusted HTTP header authentication) got integrated in the server.
The old SSO plugin must be removed from the plugin folder before starting a Graylog 4.0 server.
As of the newest release you can use these.
Hope that helps
I have already removed this plugin from the plugin folder and trying to configure this new inbuilt feature.
configured the HTTP header that should come from SAML 2.0 via apache webserver.
It seems Graylog is able to recognize the parameter but not able to authenticate users that were already created via old SSO plugin.
2022-02-23T05:36:44.907+01:00 WARN [HTTPHeaderAuthenticationRealm] Failed to authenticate username from trusted HTTP header via proxy
is it something that this new SSO Model only works with Graylog Enterprise version?
Yes this is true, for better clarity look here
EDIT:
Only the Trusted Header will work for Open source, but if you keep under 2Gb a day the Enterprise license is free.
I forgot to add, if you enable the Trusted header don’t forget to add trusted_proxies setting in Graylog Config.
I have added my webserver in proxies already.
deleted the user which were created via old SSO Plugin but new HTTP header feature is not able to create user on the fly and stuck in login screen.
however if i create the user manually it does work.
it is so much pain to create more than 200 users manually it order to make it work and adding users as well.
Graylog is now forcing to use enterprise version.
I would say SSO is broken in Graylog 4.0 and HTTP header is not same as SSO plugin.
Agree,
That is a true statement.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.