Graylog + PingFederate (SSO)


Can you describe in detail how to set up Single Sign-On for Graylog?

Graylog servers are running behind NGINX. Here is part of nginx.conf:
location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header Remote-User $remote_user;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Graylog-Server-URL https://$server_name/;
    # ... (rest of the location block is not shown in the post)
}

Graylog is running on v4.0.1.
Trusted Header Authentication is enabled (Username header → Remote-User).
What else needs to be done to make Graylog work with PingFederate?

Hi @aazherelyeu.

Do you see some errors somewhere? Can you paste it here?

Hi @reimlima

There are no errors either in Graylog or NGINX. When I load the start page, I can log in with AD credentials or a local user. How does HTTP Trusted Header actually work in this case, and how do I debug it?

I'm not quite sure about that, but after a quick search I found that the “Single Sign-On” plugin was considered deprecated in version 4.

Also, apparently SSO has some issues creating users in Graylog; that’s why (among other things) it won’t work with version 4: Graylog 4 "trusted HTTP header" authenticator does not create new users · Issue #9714 · Graylog2/graylog2-server · GitHub

I am using Graylog v4. In my case I think something else needs to be configured, e.g., Kerberos?

Kerberos can be an option once Graylog is compatible with trusted HTTP header.

Unfortunately I can’t help you any further, since I have never used Kerberos.
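
On the question of how the trusted header gets its value and how to debug it, the following is an added example, not part of the original posts and not Graylog or nginx code: a small Python check over an nginx config excerpt that reports how the `Remote-User` header is populated. The function name `audit_trusted_header` and both sample configs are constructed for illustration; the check relies on the documented nginx behaviour that `$remote_user` is the user name from HTTP Basic authentication and that request headers not overridden by `proxy_set_header` are passed to the backend as received.

```python
import re

# Constructed sample, based on the location block posted at the top of the thread.
THREAD_CONF = """
location / {
    proxy_set_header Host $http_host;
    proxy_set_header Remote-User $remote_user;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
"""

# Constructed variant: nginx itself authenticates the user with Basic auth.
BASIC_AUTH_CONF = """
location / {
    auth_basic "Graylog";
    auth_basic_user_file /etc/nginx/htpasswd;
    proxy_set_header Remote-User $remote_user;
}
"""

# Matches simple one-line directives of the form "name args;".
DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+(.*?);\s*$", re.M)


def audit_trusted_header(conf: str, header: str = "Remote-User") -> list[str]:
    """Return findings about how `header` is populated in an nginx excerpt."""
    directives = DIRECTIVE.findall(conf)
    names = {name for name, _ in directives}
    values = []
    for name, args in directives:
        parts = args.split(None, 1)
        if name == "proxy_set_header" and len(parts) == 2 \
                and parts[0].lower() == header.lower():
            values.append(parts[1].strip())
    findings = []
    if not values:
        findings.append(f"{header} is never set by the proxy, so a value sent "
                        "by the client reaches the backend unchanged")
    for value in values:
        if value == "$remote_user" and "auth_basic" not in names:
            findings.append(f"{header} uses $remote_user but the excerpt has no "
                            "auth_basic directive: nginx has verified no user")
        elif value.startswith("$http_"):
            findings.append(f"{header} is copied from the client request "
                            f"header ({value}) without verification")
    return findings
```

An empty result for `BASIC_AUTH_CONF` only means nginx authenticated the user before setting the header; the backend must still accept that header solely from the proxy's address.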
