ADFS 4.0 WinServer 2016 OAuth2 settings for Chronograf single sign-on

#1

Folks,
I am trying to set up SSO using OAuth2/OpenID with Chronograf, using ADFS 4.0 as the identity provider.
I am passing the following OAuth2 settings via the env variables to Chronograf, but I keep getting "Invalid principal" from ADFS (my identity provider). I will appreciate any help you can provide:
Chronograf side settings =>
BASE_PATH=/chronograf
PREFIX_ROUTES=true
GENERIC_CLIENT_ID=xxxxxxx
GENERIC_CLIENT_SECRET=xxxxxxxxx
GENERIC_API_URL=https://adfsserver.com/adfs/userinfo
GENERIC_API_KEY=UPN
AUTH_DURATION=1h
GENERIC_SCOPES=openid
TOKEN_SECRET=supersecret
PUBLIC_URL=https://chronoserver.com/chronograf
GENERIC_AUTH_URL=https://adfsserver.com/adfs/oauth2/authorize
GENERIC_TOKEN_URL=https://adfsserver.com/adfs/oauth2/token

ADFS side settings =>
Redirect URI set to https://chronoserver.com/chronograf/chronograf/oauth/generic/callback

I see the authorization code being returned, but with an error:

Mar 23 18:41:29 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:29Z" level=debug msg=Request component=server method=GET remote_addr="10.93.76.222:4087" url=/chronograf/oauth/generic/login
Mar 23 18:41:29 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:29Z" level=info msg="Response: Temporary Redirect" component=server method=GET remote_addr="10.93.76.222:4087" response_time="142.378µs" status=307

Mar 23 18:41:29 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:29Z" level=debug msg=Request component=server method=GET remote_addr="10.93.76.222:4087" url=/chronograf/chronograf/oauth/generic/callback?code=MM2lymiuXEe1cAclb9IHjg.6xJIse2Q1QgfAIp-wJ6uPxVaoZA.kVAJkTty3LIQPVOrlHllRo0ZkoQbW_Y56_Sb0vtIbpWnNifjv-w0O8dNYhnkS-_Zr6rRC4txt79KrRXBs7NQ-vmY9H6HL4zbFDDVAhs63j_SGvRocZRbuR01NZDk6TFAtjFZI9fnZ00HXjeb-EfOv8sLxD7F-ryDOWeA6OxR8I2ONuPvFtyeaUZ9kNqDRrpZteQmtjJYX9IHX9v-zmFZ6N-H3GNpvnu9aUDwW_SgwkQZQCsgMooclgNPdQOwA-S11MDvPP7O4noY-tTW0JcGPosZJVFOWl83eQt76Td8A5JvnAX7rH9m-xwhku0HfkLOzPiwKQWbv4dz5VVGm1_G_Q&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MjE4MzEwODksImlhdCI6MTUyMTgzMDQ4OSwibmJmIjoxNTIxODMwNDg5LCJzdWIiOiI1VW1UZ1BDdE1oS0pXVEM0Nnd3cCtNOGN2V3pDSmc1bHhxMGVmeWJacDBNPSJ9._CKXq9Wzq9S8o3wSr-MFJT2ycOmA-aaVHjv8n_gtiYo
Mar 23 18:41:29 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:29Z" level=info msg="Serving assets" component=server method=GET remote_addr="10.93.76.222:4087" url=/chronograf/oauth/generic/callback?code=MM2lymiuXEe1cAclb9IHjg.6xJIse2Q1QgfAIp-wJ6uPxVaoZA.kVAJkTty3LIQPVOrlHllRo0ZkoQbW_Y56_Sb0vtIbpWnNifjv-w0O8dNYhnkS-_Zr6rRC4txt79KrRXBs7NQ-vmY9H6HL4zbFDDVAhs63j_SGvRocZRbuR01NZDk6TFAtjFZI9fnZ00HXjeb-EfOv8sLxD7F-ryDOWeA6OxR8I2ONuPvFtyeaUZ9kNqDRrpZteQmtjJYX9IHX9v-zmFZ6N-H3GNpvnu9aUDwW_SgwkQZQCsgMooclgNPdQOwA-S11MDvPP7O4noY-tTW0JcGPosZJVFOWl83eQt76Td8A5JvnAX7rH9m-xwhku0HfkLOzPiwKQWbv4dz5VVGm1_G_Q&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MjE4MzEwODksImlhdCI6MTUyMTgzMDQ4OSwibmJmIjoxNTIxODMwNDg5LCJzdWIiOiI1VW1UZ1BDdE1oS0pXVEM0Nnd3cCtNOGN2V3pDSmc1bHhxMGVmeWJacDBNPSJ9._CKXq9Wzq9S8o3wSr-MFJT2ycOmA-aaVHjv8n_gtiYo
Mar 23 18:41:29 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:29Z" level=info msg="Response: OK" component=server method=GET remote_addr="10.93.76.222:4087" response_time=1.272014ms status=200

Mar 23 18:41:30 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:30Z" level=debug msg=Request component=server method=GET remote_addr="10.93.76.222:4087" url=/chronograf/chronograf/v1
Mar 23 18:41:30 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:30Z" level=info msg="Response: OK" component=server method=GET remote_addr="10.93.76.222:4087" response_time="111.008µs" status=200
Mar 23 18:41:30 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:30Z" level=debug msg=Request component=server method=GET remote_addr="10.93.76.222:4087" url=/chronograf/chronograf/v1/me
Mar 23 18:41:30 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:30Z" level=error msg="Invalid principal" component="token_auth" method=GET remote_addr="10.93.76.222:4087" url=/chronograf/chronograf/v1/me
Mar 23 18:41:30 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:30Z" level=info msg="Response: Forbidden" component=server method=GET remote_addr="10.93.76.222:4087" response_time="56.222µs" status=403

Has anyone used ADFS 4.0 for OAuth2 SSO with chrono?
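Two offline checks against the settings and log in the post above, as an added example that is not from the post or from Chronograf. It assumes (as the Chronograf docs describe the generic provider) that the principal is the value of the key named by GENERIC_API_KEY in the GENERIC_API_URL JSON response, and it decodes the `state` JWT from the callback URL without verifying its signature; the userinfo bodies are constructed.

```python
# Added example, not code from the post or from Chronograf: two offline checks
# for the generic OAuth2 settings above. Assumption (per the Chronograf docs for
# the generic provider): the principal is read from the JSON key named by
# GENERIC_API_KEY in the GENERIC_API_URL response. The state JWT is decoded only,
# not signature-verified.
import base64
import json
from typing import Dict


def lookup_principal(userinfo_json: str, api_key: str) -> Dict[str, object]:
    """Mimic the provider's lookup: exact key, value must be a non-empty string."""
    data = json.loads(userinfo_json)
    if not isinstance(data, dict):
        data = {}
    value = data.get(api_key)
    principal = value if isinstance(value, str) and value else None
    hint = None
    if principal is None:
        # A key that differs only in case is not found by an exact lookup.
        hint = next((k for k in data if k.lower() == api_key.lower() and k != api_key), None)
    return {"principal": principal, "case_hint": hint, "keys": sorted(data)}


def decode_state(state: str) -> Dict[str, object]:
    """Read alg and the exp/iat/nbf window from the state JWT (no verification)."""
    def b64url(s: str) -> bytes:
        return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    header_b64, payload_b64, _sig = state.split(".")
    header = json.loads(b64url(header_b64))
    payload = json.loads(b64url(payload_b64))
    return {"alg": header.get("alg"), "exp": payload["exp"], "iat": payload["iat"],
            "nbf": payload["nbf"], "lifetime_s": payload["exp"] - payload["iat"]}


# Constructed userinfo bodies; not captured from the poster's ADFS.
USERINFO_SUB_ONLY = '{"sub": "constructed-subject-id"}'
USERINFO_LOWER_UPN = '{"sub": "constructed-subject-id", "upn": "alice@example.com"}'
USERINFO_UPN = '{"sub": "constructed-subject-id", "UPN": "alice@example.com"}'
# The state parameter copied from the callback URL in the log above.
STATE = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
         "eyJleHAiOjE1MjE4MzEwODksImlhdCI6MTUyMTgzMDQ4OSwibmJmIjoxNTIxODMwNDg5LCJzdWIiOiI1VW1UZ1BDdE1oS0pXVEM0Nnd3cCtNOGN2V3pDSmc1bHhxMGVmeWJacDBNPSJ9."
         "_CKXq9Wzq9S8o3wSr-MFJT2ycOmA-aaVHjv8n_gtiYo")

if __name__ == "__main__":
    for body in (USERINFO_SUB_ONLY, USERINFO_LOWER_UPN, USERINFO_UPN):
        print(lookup_principal(body, "UPN"))
    print(decode_state(STATE))
```

Run it with the real body returned by your GENERIC_API_URL (fetched with a valid access token) in place of the constructed samples to see exactly what the configured GENERIC_API_KEY resolves to.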