Hi!

The problem with the “let graylog web pass on things” idea is that it is not 
the web interface that decides on authentication/authorization at all, but the 
server (in fact, all servers in the cluster do so).
What the web interface does is to pass on the entered credentials, and the 
server verifies against internal and external sources, then if those check out 
it creates a session in mongodb, which is then stored in the cookie and passed 
through on every request.

Thus it is important that the server sees the credentials to make its call; a 
reverse proxy setting headers would amount to having no real 
authentication checks at all, which is something we are not really inclined to 
support at the moment.
SAML support so far has not been high on the request list, but if you feel strongly 
about it, please feel free to enter it into our ideas portal: 
https://www.graylog.org/product-ideas/ 
That helps us to prioritize community and customer requests better.

There seems to be a pac4j based library for SAML and a few other options at 
https://github.com/bujiio/buji-pac4j but 
the web-based flows will be problematic, because of which Graylog 
component actually does the initial authentication.

Best regards,
Kay

> On 23 Jul 2015, at 04:10, Jason Haar <jason_h...@trimble.com> wrote:
> 
> Hi there
> 
> Let me confess that I have an agenda of wanting graylog-web to support SAML, 
> but from my google-ing about I can also see others have asked for Kerberos, 
> Basic, etc authentication to be added to graylog-web. 
> 
> That is actually sounding like a whole lot of work... I was wondering if an 
> alternative would be to make it "somebody else's problem". ie put a web 
> server (like apache) in front of graylog-web, and configure it with any of 
> the thousand authentication systems it supports - and configure apache to 
> reflect that "user metadata" via HTTP headers - so that graylog-web can just 
> use that instead
> 
> e.g. the following pseudo-code would make apache support SAML (via 
> mod_auth_mellon) and push some of the SAML-gained account data to graylog-web 
> via HTTP headers
> 
> <LocationMatch "^/">
>   # mod_auth_mellon runs the SAML flow; requests that do not pass
>   # "Require valid-user" never reach the backend
>   AuthType "Mellon"
>   Require valid-user
>   # SAML attribute used as the login name (available as MELLON_uid)
>   MellonUser "uid"
>   # expose the "mail" attribute as the environment variable MELLON_e-mail
>   MellonSetEnv "e-mail" "mail"
>   # "set" replaces any copy of these headers the client sent itself
>   RequestHeader set X-Apache-UID %{MELLON_uid}e
>   RequestHeader set X-Apache-Email %{MELLON_e-mail}e
>   RequestHeader set X-Apache-Name %{MELLON_cn}e
>   # graylog-web listens only on loopback; apache is the sole way in
>   ProxyPass http://127.0.0.1:9000/
>   ProxyPassReverse http://127.0.0.1:9000/
> </LocationMatch>
> 
> Then all that would remain to do would be to secure graylog-web by running it 
> only on 127.0.0.1:9000 and bringing up apache over HTTPS on 443. And the only 
> new code for graylog-web would be that it could be configured in "reverse 
> proxy" mode and to map arbitrary headers to authentication details it allows 
> to be set (hence my choice of username/email/name, as the current LDAP 
> implementation uses them too)
> 
> Just an idea.. :-)
> 
> Jason
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "graylog2" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to graylog2+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
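To make Kay's objection concrete against Jason's proposed config, here is an added model of the "trust a header from the reverse proxy" scheme. It is illustration written for this page, not Graylog, Apache or mod_auth_mellon code: the proxy and the two backends are toy functions, the Request type, the function names and the proxy address 127.0.0.1 are assumptions, and only the header name X-Apache-UID is taken from the quoted config. It shows the failure mode (a forged header accepted by a backend that is reachable directly), what "RequestHeader set" does to a forged header on the way through Apache, and why pinning the backend to the proxy's address narrows the hole without turning the scheme into authentication.

```python
# Added illustration of header-based "reverse proxy mode" and its failure
# mode.  Not Graylog/Apache code; proxy address, Request type and function
# names are assumptions for this example.
from dataclasses import dataclass
from typing import Dict, Optional

TRUSTED_PROXY = "127.0.0.1"   # assumption: Apache proxies from loopback
AUTH_HEADER = "X-Apache-UID"  # header name taken from the quoted proposal


@dataclass
class Request:
    remote_addr: str          # TCP peer address as seen by the receiver
    headers: Dict[str, str]   # header name -> value


def header(req: Request, name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP field names are case-insensitive)."""
    for k, v in req.headers.items():
        if k.lower() == name.lower():
            return v
    return None


def apache_mellon_proxy(client: Request, mellon_uid: Optional[str]) -> Optional[Request]:
    """Toy model of the quoted Apache block.

    mellon_uid is the SAML-asserted uid, or None when Mellon did not
    authenticate the user ("Require valid-user" fails and nothing is
    forwarded).  "RequestHeader set" replaces any copy of the header the
    client sent itself, so a forged X-Apache-UID does not survive the proxy.
    """
    if mellon_uid is None:
        return None
    forwarded = {k: v for k, v in client.headers.items()
                 if k.lower() != AUTH_HEADER.lower()}
    forwarded[AUTH_HEADER] = mellon_uid
    return Request(remote_addr=TRUSTED_PROXY, headers=forwarded)


def naive_backend(req: Request) -> Optional[str]:
    """The proposed mode taken literally: whoever can reach the backend and
    write the header is logged in as that user.  This is Kay's point: the
    backend itself performs no authentication at all."""
    return header(req, AUTH_HEADER)


def guarded_backend(req: Request) -> Optional[str]:
    """Same scheme, but the header is only honoured from the proxy's address.
    Still not authentication by the backend: it only pins the trust to one
    peer, so binding to 127.0.0.1 and keeping Apache the sole path in is
    what actually holds the scheme together."""
    if req.remote_addr != TRUSTED_PROXY:
        return None
    return header(req, AUTH_HEADER)


def scenarios() -> Dict[str, Optional[str]]:
    """Run the interesting cases; returns which user each backend would log in."""
    # Constructed sample requests for this example.
    forged = Request(remote_addr="10.0.0.5", headers={"x-apache-uid": "admin"})
    honest = Request(remote_addr="10.0.0.5", headers={})
    via_proxy = apache_mellon_proxy(forged, mellon_uid="jason")  # Mellon saw "jason"
    rejected = apache_mellon_proxy(forged, mellon_uid=None)      # Mellon refused
    return {
        # Attacker reaches port 9000 directly and forges the header.
        "direct_forged_naive": naive_backend(forged),
        "direct_forged_guarded": guarded_backend(forged),
        # Same forged header, but sent through Apache: "set" overwrote it.
        "proxied_forged_naive": naive_backend(via_proxy),
        "proxied_forged_guarded": guarded_backend(via_proxy),
        # Mellon rejected the user: nothing reaches the backend.
        "proxied_rejected": None if rejected is None else naive_backend(rejected),
        "direct_no_header": guarded_backend(honest),
    }


if __name__ == "__main__":
    for name, user in scenarios().items():
        print(f"{name:24s} -> {user}")
```

Note what the guarded variant does not fix: any process that can open a connection to the backend from 127.0.0.1 gets exactly the trust Apache has, and a second vhost or path that proxies to the same port without the Mellon block forwards client headers untouched. That is why the approach amounts to relying on network isolation and proxy configuration rather than on the server verifying credentials.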
