Hep,

Does anybody have any news about this issue?

Thx in advance.

Regards,

On Thursday, December 22, 2016 at 9:56:43 AM UTC+1, Florent Delvaille wrote:
>
> Hello all,
>
> I'm currently trying to use Graylog 2.1 with Shibboleth and SSO via our 
> ADFS, but I have issues and cannot find enough information to make it work. 
> So, let's try here :)
>
> I've correctly installed the sso-plugin (
> https://github.com/Graylog2/graylog-plugin-auth-sso).
> Also, I've installed shibboleth + configured ADFS correctly with 
> Metadata.xml and so on.
>
> Our AD expert confirms that the exchange made between Shibboleth and ADFS 
> is correct and works fine.
>
> I've changed the Graylog authentication order, and set SSO as first.
>
> When I try to log in, I get a window asking for credentials (so it goes 
> to ADFS correctly), but then, even if validated by ADFS, I always end up at 
> the normal Graylog credentials window …
>
> ADFS will provide the following claims to Shibboleth:
> <Attribute name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" 
> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
> id="Remote-Upn" />
> <Attribute name="http://schemas.xmlsoap.org/claims/commonname" 
> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" 
> id="Remote-Name" />
>
> As you can see, I set the id to Remote-Upn and Remote-Name.
>
> I've also correctly configured Graylog (in web interface) to make sure to 
> use Remote-Upn and Remote-Name (
> http://docs.graylog.org/en/2.1/_images/sso_1.png)
>
> Please note that I'm using graylog with HTTPS, and use Apache as 
> reverse-proxy:
> <VirtualHost *:443>
> SSLEngine on
> SSLCertificateFile      "/etc/graylog/ssl/graylog.onprvp.fgov.be.cer"
> SSLCertificateKeyFile   "/etc/graylog/ssl/graylog.onprvp.fgov.be.key"
>
> ServerName graylog.onprvp.fgov.be
> ProxyRequests Off
> <Proxy *>
>   Order deny,allow
>   Allow from all
> </Proxy>
>
> <Location />
>         RequestHeader set X-Graylog-Server-URL "https://graylog.onprvp.fgov.be/api/"
>         RequestHeader set X-Remote-User %{Remote-Upn}s
>         ShibRequestSetting requireSession 1
>         AuthType shibboleth
>         ShibExportAssertion Off
>         Require valid-user
>         ProxyPass http://127.0.0.1:9000/
>         ProxyPassReverse http://127.0.0.1:9000/
> </Location>
> CustomLog /var/log/httpd/proxy/graylog2/access_log combined
>
> </VirtualHost>
>
>
> If somebody can provide me some help, it would be really nice :)
>
> Thanks in advance.
>
> Regards,
>
