ADFS 4.0 WinServer 2016 oauth2 settings for chronograf single signon

Folks,
I am trying to set up SSO using OAuth2/OpenID with Chronograf, using ADFS 4.0 as the identity provider.
I am passing the following OAuth2 settings via environment variables to Chronograf, but I keep getting "invalid principal" from ADFS (my identity provider). I will appreciate any help you can provide:
Chronograf-side settings =>
BASE_PATH=/chronograf
PREFIX_ROUTES=true
GENERIC_CLIENT_ID=xxxxxxx
GENERIC_CLIENT_SECRET=xxxxxxxxx
GENERIC_API_URL=https://adfsserver.com/adfs/userinfo
GENERIC_API_KEY=UPN
AUTH_DURATION=1h
GENERIC_SCOPES=openid
TOKEN_SECRET=supersecret
PUBLIC_URL=https://chronoserver.com/chronograf
GENERIC_AUTH_URL=https://adfsserver.com/adfs/oauth2/authorize
GENERIC_TOKEN_URL=https://adfsserver.com/adfs/oauth2/token

ADFS-side settings =>
Redirect URI set to https://chronoserver.com/chronograf/chronograf/oauth/generic/callback

I see the authorization code being returned, but with an error:

Mar 23 18:41:29 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:29Z" level=debug msg=Request component=server method=GET remote_addr="10.93.76.222:4087" url=/chronograf/oauth/generic/login
Mar 23 18:41:29 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:29Z" level=info msg="Response: Temporary Redirect" component=server method=GET remote_addr="10.93.76.222:4087" response_time="142.378µs" status=307

Mar 23 18:41:29 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:29Z" level=debug msg=Request component=server method=GET remote_addr="10.93.76.222:4087" url=/chronograf/chronograf/oauth/generic/callback?code=MM2lymiuXEe1cAclb9IHjg.6xJIse2Q1QgfAIp-wJ6uPxVaoZA.kVAJkTty3LIQPVOrlHllRo0ZkoQbW_Y56_Sb0vtIbpWnNifjv-w0O8dNYhnkS-_Zr6rRC4txt79KrRXBs7NQ-vmY9H6HL4zbFDDVAhs63j_SGvRocZRbuR01NZDk6TFAtjFZI9fnZ00HXjeb-EfOv8sLxD7F-ryDOWeA6OxR8I2ONuPvFtyeaUZ9kNqDRrpZteQmtjJYX9IHX9v-zmFZ6N-H3GNpvnu9aUDwW_SgwkQZQCsgMooclgNPdQOwA-S11MDvPP7O4noY-tTW0JcGPosZJVFOWl83eQt76Td8A5JvnAX7rH9m-xwhku0HfkLOzPiwKQWbv4dz5VVGm1_G_Q&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MjE4MzEwODksImlhdCI6MTUyMTgzMDQ4OSwibmJmIjoxNTIxODMwNDg5LCJzdWIiOiI1VW1UZ1BDdE1oS0pXVEM0Nnd3cCtNOGN2V3pDSmc1bHhxMGVmeWJacDBNPSJ9._CKXq9Wzq9S8o3wSr-MFJT2ycOmA-aaVHjv8n_gtiYo
Mar 23 18:41:29 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:29Z" level=info msg="Serving assets" component=server method=GET remote_addr="10.93.76.222:4087" url=/chronograf/oauth/generic/callback?code=MM2lymiuXEe1cAclb9IHjg.6xJIse2Q1QgfAIp-wJ6uPxVaoZA.kVAJkTty3LIQPVOrlHllRo0ZkoQbW_Y56_Sb0vtIbpWnNifjv-w0O8dNYhnkS-_Zr6rRC4txt79KrRXBs7NQ-vmY9H6HL4zbFDDVAhs63j_SGvRocZRbuR01NZDk6TFAtjFZI9fnZ00HXjeb-EfOv8sLxD7F-ryDOWeA6OxR8I2ONuPvFtyeaUZ9kNqDRrpZteQmtjJYX9IHX9v-zmFZ6N-H3GNpvnu9aUDwW_SgwkQZQCsgMooclgNPdQOwA-S11MDvPP7O4noY-tTW0JcGPosZJVFOWl83eQt76Td8A5JvnAX7rH9m-xwhku0HfkLOzPiwKQWbv4dz5VVGm1_G_Q&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1MjE4MzEwODksImlhdCI6MTUyMTgzMDQ4OSwibmJmIjoxNTIxODMwNDg5LCJzdWIiOiI1VW1UZ1BDdE1oS0pXVEM0Nnd3cCtNOGN2V3pDSmc1bHhxMGVmeWJacDBNPSJ9._CKXq9Wzq9S8o3wSr-MFJT2ycOmA-aaVHjv8n_gtiYo
Mar 23 18:41:29 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:29Z" level=info msg="Response: OK" component=server method=GET remote_addr="10.93.76.222:4087" response_time=1.272014ms status=200

Mar 23 18:41:30 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:30Z" level=debug msg=Request component=server method=GET remote_addr="10.93.76.222:4087" url=/chronograf/chronograf/v1
Mar 23 18:41:30 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:30Z" level=info msg="Response: OK" component=server method=GET remote_addr="10.93.76.222:4087" response_time="111.008µs" status=200
Mar 23 18:41:30 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:30Z" level=debug msg=Request component=server method=GET remote_addr="10.93.76.222:4087" url=/chronograf/chronograf/v1/me
Mar 23 18:41:30 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:30Z" level=error msg="Invalid principal" component="token_auth" method=GET remote_addr="10.93.76.222:4087" url=/chronograf/chronograf/v1/me
Mar 23 18:41:30 ip-10-93-73-41 IFLX-TICK-InfluxDBChronografService[4290]: time="2018-03-23T18:41:30Z" level=info msg="Response: Forbidden" component=server method=GET remote_addr="10.93.76.222:4087" response_time="56.222µs" status=403

Has anyone used ADFS 4.0 for OAuth2 SSO with chrono?
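When the IdP hands back an authorization code but the login still fails, three things in the flow above are worth checking by hand: that the redirect URI the client sends is an exact match for the one registered at the IdP (OAuth2 compares redirect URIs by plain string comparison), that the `state` token the client mints round-trips under its own TOKEN_SECRET, and that the userinfo endpoint really returns a field with the exact name given in GENERIC_API_KEY. The script below is an added example, not Chronograf's or ADFS's own code, and exercises those checks offline. The only value taken from the post is the `state` parameter in the callback log line, which is decoded for inspection but not verified (its real secret is not known here); the registered redirect URI is the one from the post, while the authorization code placeholder `CODE`, the secret `example-token-secret` and the two userinfo documents are constructed for the example.

```python
"""
Offline helpers for debugging a generic OAuth2 / OpenID Connect login such as
the Chronograf + ADFS 4.0 setup in the post above.  Added example: this is
not Chronograf's or ADFS's own code.  The `state` value is copied from the
post's callback log line; the userinfo documents, the authorization code
placeholder "CODE" and the secret "example-token-secret" are constructed so
the script runs without an identity provider.
"""
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# `state` copied from the callback request in the post's log (an HS256 JWT).
STATE_FROM_LOG = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJleHAiOjE1MjE4MzEwODksImlhdCI6MTUyMTgzMDQ4OSwibmJmIjoxNTIxODMwNDg5"
    "LCJzdWIiOiI1VW1UZ1BDdE1oS0pXVEM0Nnd3cCtNOGN2V3pDSmc1bHhxMGVmeWJacDBNPSJ9."
    "_CKXq9Wzq9S8o3wSr-MFJT2ycOmA-aaVHjv8n_gtiYo"
)

# Redirect URI registered at ADFS, as given in the post.
REGISTERED_REDIRECT = "https://chronoserver.com/chronograf/chronograf/oauth/generic/callback"

# Constructed userinfo responses (illustrative, not captured from ADFS).
USERINFO_WITH_UPN = {"sub": "constructed-sub", "upn": "alice@example.com"}
USERINFO_SUB_ONLY = {"sub": "constructed-sub"}


def _b64url_decode(s: str) -> bytes:
    # JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only; the signature is NOT checked."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def sign_hs256(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT the way a client mints its own `state` token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: str) -> bool:
    """True only if the token is HS256 and its MAC matches `secret` (constant-time compare)."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return False  # never accept "none" or an algorithm we did not expect
        expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, _b64url_decode(sig))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return False


def callback_params(callback_url: str):
    """Pull `code` and `state` out of the redirect the IdP sent the browser to."""
    q = parse_qs(urlsplit(callback_url).query)
    return q.get("code", [None])[0], q.get("state", [None])[0]


def redirect_uri_matches(registered: str, callback_url: str) -> bool:
    """IdPs compare redirect URIs by exact string match (RFC 6749 section 3.1.2.3);
    only scheme and host are case-insensitive, so a doubled or missing path segment fails."""
    r, c = urlsplit(registered), urlsplit(callback_url)
    return (r.scheme.lower(), r.netloc.lower(), r.path) == (c.scheme.lower(), c.netloc.lower(), c.path)


def principal_from_userinfo(userinfo: dict, api_key: str):
    """Return the claim named by GENERIC_API_KEY, or None when the userinfo
    document does not carry it.  JSON field names are case-sensitive."""
    return userinfo.get(api_key)


def run_checks() -> dict:
    callback = f"{REGISTERED_REDIRECT}?code=CODE&state={STATE_FROM_LOG}"
    code, state = callback_params(callback)
    claims = jwt_claims(state)
    minted = sign_hs256({"sub": "demo", "exp": claims["exp"]}, "example-token-secret")
    return {
        "code": code,
        "state_lifetime_s": claims["exp"] - claims["iat"],  # how long the state stays valid
        "state_nbf_equals_iat": claims["nbf"] == claims["iat"],
        "redirect_matches": redirect_uri_matches(REGISTERED_REDIRECT, callback),
        "minted_state_verifies": verify_hs256(minted, "example-token-secret"),
        "minted_state_wrong_secret": verify_hs256(minted, "wrong-secret"),
        "principal_upn": principal_from_userinfo(USERINFO_WITH_UPN, "upn"),
        "principal_UPN": principal_from_userinfo(USERINFO_WITH_UPN, "UPN"),
        "principal_sub_only": principal_from_userinfo(USERINFO_SUB_ONLY, "upn"),
    }


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name}: {value}")
```

Run it with `python3` and read the output line by line: the posted `state` carries a ten-minute lifetime (exp minus iat) with nbf equal to iat, the redirect URI check passes only on an exact scheme/host/path match, a minted state verifies under its own secret and fails under any other, and the principal lookup returns None whenever the configured key is spelled differently from the field the userinfo document actually contains. Against a live IdP the same `principal_from_userinfo` check can be run on the real JSON returned by GENERIC_API_URL with the bearer token from the token endpoint.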

"Has anyone used ADFS 4.0 for OAuth2 SSO with chrono?"

I have never been able to get this to work. The documentation appears to be incomplete, or possibly misleading. If anyone has figured this out, please reply. We are using a firewall with SSO to secure this app at the moment.