Hi there,

Let me confess that I have an agenda of wanting graylog-web to support SAML, but from my googling about I can also see others have asked for Kerberos, Basic, etc. authentication to be added to graylog-web.
That is actually sounding like a whole lot of work... I was wondering if an alternative would be to make it "somebody else's problem", i.e. put a web server (like apache) in front of graylog-web, and configure it with any of the thousand authentication systems it supports - and configure apache to reflect that "user metadata" via HTTP headers - so that graylog-web can just use that instead.

E.g. the following pseudo-code would make apache support SAML (via mod_auth_mellon) and push some of the SAML-gained account data to graylog-web via HTTP headers:

    # <Location> rather than <LocationMatch>: ProxyPass does not interpret
    # the regex of an enclosing <LocationMatch> section.
    <Location "/">
        # mod_auth_mellon does nothing in a location unless it is enabled
        # (service provider key/metadata directives are not shown here).
        MellonEnable "auth"
        AuthType "Mellon"
        Require valid-user
        MellonUser "uid"
        MellonSetEnv "e-mail" "mail"
        # "set" replaces any header of the same name sent by the client.
        RequestHeader set X-Apache-UID %{MELLON_uid}e
        RequestHeader set X-Apache-Email %{MELLON_e-mail}e
        RequestHeader set X-Apache-Name %{MELLON_cn}e
        ProxyPass http://127.0.0.1:9000/
        ProxyPassReverse http://127.0.0.1:9000/
    </Location>

Then all that would remain to do would be to secure graylog-web by running it only on 127.0.0.1:9000 and bringing up apache over HTTPS on 443.

And the only new code for graylog-web would be that it could be configured in "reverse proxy" mode and to map arbitrary headers to authentication details it allows to be set (hence my choice of username/email/name, as the current LDAP implementation uses them too).

Just an idea.. :-)

Jason
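A sketch of the backend side of the "reverse proxy" mode proposed above, added here as an example and not part of the original message or of graylog-web's code. The function name, exception and trusted-proxy list are hypothetical; the header names are the ones in the Apache config, and the request values in the usage comment are constructed.

```python
import ipaddress

# Assumption: only the local Apache instance may vouch for a user.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("::1/128")]
# Header-to-field mapping, using the header names from the Apache config.
HEADER_MAP = {"username": "X-Apache-UID",
              "email": "X-Apache-Email",
              "name": "X-Apache-Name"}


class ProxyAuthError(Exception):
    """Raised when a request must not be authenticated from headers."""


def identity_from_proxy(peer_ip, headers):
    """Map proxy-set headers to user details, trusting them only from the proxy."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # A client that reaches the backend directly could forge the headers.
        raise ProxyAuthError("identity headers from untrusted peer " + peer_ip)
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    identity = {}
    for field, header in HEADER_MAP.items():
        value = lowered.get(header.lower(), "")
        # mod_headers expands an unset %{VAR}e to the literal "(null)".
        identity[field] = "" if value == "(null)" else value
    if not identity["username"]:
        raise ProxyAuthError("proxy did not supply " + HEADER_MAP["username"])
    return identity


# Constructed request as forwarded by the proxy:
# identity_from_proxy("127.0.0.1", {"X-Apache-UID": "jason",
#                                   "X-Apache-Email": "jason@example.org",
#                                   "X-Apache-Name": "(null)"})
```

The peer-address check is what makes binding graylog-web to 127.0.0.1:9000 a requirement of this design: the headers are only as trustworthy as the guarantee that nothing but the proxy can connect to the backend.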