SSO with Trusted Header Authentication not working

I am trying to set up Single Sign-On with an apache reverse proxy. The proxy sets REMOTE_USER header and I enabled Trusted Header Authentication in the Graylog Webinterface in the System Authentication settings. Unfortunately it doesn’t work. the first call to /graylog/api/ will be rejected by my apache with a 401. And I get stuck on the login screen saying “Loading, please wait…”

Apache access.log: - my_user [08/Nov/2022:17:38:33 +0000] "GET /graylog HTTP/1.1" 200 440 - my_user [08/Nov/2022:17:38:33 +0000] "GET /graylog/config.js HTTP/1.1" 200 177 - my_user [08/Nov/2022:17:38:33 +0000] "GET /graylog/assets/polyfill.472622149827c1587209.js HTTP/1.1" 200 72152 - my_user [08/Nov/2022:17:38:33 +0000] "GET /graylog/assets/vendor.7b2e72342f604d7babb9.js HTTP/1.1" 200 356045 - my_user [08/Nov/2022:17:38:33 +0000] "GET /graylog/assets/builtins.472622149827c1587209.js HTTP/1.1" 200 280639 - my_user [08/Nov/2022:17:38:33 +0000] "GET /graylog/assets/app.472622149827c1587209.js HTTP/1.1" 200 1371253 - my_user [08/Nov/2022:17:38:33 +0000] "GET /graylog/assets/plugin/org.graylog.plugins.threatintel.ThreatIntelPlugin/ HTTP/1.1" 200 916732 - my_user [08/Nov/2022:17:38:33 +0000] "GET /graylog/assets/plugin/ HTTP/1.1" 200 889513 - my_user [08/Nov/2022:17:38:33 +0000] "GET /graylog/assets/plugin/org.graylog.plugins.collector.CollectorPlugin/ HTTP/1.1" 200 932169 - undefined [08/Nov/2022:17:38:34 +0000] "GET /graylog/api/system/sessions HTTP/1.1" 401 381 - my_user [08/Nov/2022:17:38:35 +0000] "GET /graylog/api/ HTTP/1.1" 200 233

My apache config:

<Location /graylog>
    ProxyPass "https://some_other_machine/graylog/"
    ProxyPassReverse "https://some_other_machine/graylog/"

#    my auth stuff
#    ...

        Require valid-user

    RewriteEngine On
    RewriteCond %{REMOTE_USER} (.*)
    RewriteRule .* - [E=X_REMOTE_USER:%1]
    RequestHeader set REMOTE_USER %{X_REMOTE_USER}e
    RequestHeader unset Authorization

  • I got trusted_proxy set
  • The user my_user exists and has { “external_user”: false } set
  • If I do: RequestHeader set REMOTE_USER my_user the user is logged in

I read this:

and it seems to me that SSO should be possible by setting the REMOTE_USER header. I will need to create the users manually and I am ok with that.

  • OS Information: Centos 8
  • Package Version: Graylog 4.2.13

Is this approch viable at all?
Why is the request to graylog/api not authenticated?
How can I debug this?
Any Ideas are welcome, thanks!

Hello @Robert1

To be honest, I could not get it to work either. Only way I was able to get SSO to work was install the Enterprise/Operation version for testing. Maybe some one else here was able to achieve this.

Hello @gsmith,
thanks for the reply.
It seems @marif made it work as stated here:

It would be great if he could help.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.