Chronograf Authentication issue when using Azure AD

Greetings, I am trying to use Azure AD Authentication for Chronograf (version 1.6.2) but running into issues.

My Azure Admin and I followed these instructions: https://docs.influxdata.com/chronograf/v1.6/administration/managing-security/#configuring-generic-authentication

Here are the configurations:

Path : /etc/default/chronograf

################################################
TLS_CERTIFICATE=/etc/ssl/<domain.cert>
TLS_PRIVATE_KEY=/etc/ssl/<domain.key>
PORT=8888
LOG_LEVEL=info
USE_ID_TOKEN=true
GENERIC_NAME=AzureAD
GENERIC_CLIENT_ID=<ID>
GENERIC_CLIENT_SECRET=<secret>
GENERIC_SCOPES="openid email name"
GENERIC_AUTH_URL=https://login.microsoftonline.com/<ID>/oauth2/authorize
GENERIC_TOKEN_URL=https://login.microsoftonline.com/<ID>/oauth2/token
GENERIC_API_URL=https://login.microsoftonline.com/<ID>/openid/userinfo
GENERIC_API_KEY=sub
JWKS_URL=https://login.microsoftonline.com/common/discovery/keys
PUBLIC_URL=https://<domain>:8888
TOKEN_SECRET=<secret>
#############################################################

The “Log in with AzureAD” button is showing up, but when I click on it nothing happens. This is the URL that I get: https://<domain>:8888/login?redirect=%2F

My AD Admin stated that the OAuth worked, but Chronograf is denying access. I am confused as to why that is so. Are there some additional parameters I need to set?

I am using Chro

Chronograf Log Info:

Sep 21 07:27:30 iotinfluxdb.novalocal chronograf[31883]: time="2018-09-21T07:27:30-07:00" level=info msg="User “” is authenticated" component=auth method=GET remote_addr="<IP>:62554" url=/oauth/azuread/callback?code=AQABAAIAAADXzZ3ifr-GRbDT45zNSEFEOxP5OHA9C_IyRSSRN5i7vMpF4FZBVRkwQVsjGm_XFy8RCMSkmxWQUg0pPS0BDuqYUQm3SpniOUrVIJmg-GEF7MlM6lj5VfHVk_Zs5gDz8eVlykIjdLQ-1_SkfryauGekuqE7NeS7RYZdwrxp9buln4qwTU636LBT4tSuh9EpiAwYFZ-9LbyzW6RkAyoxguFkEnKd5_7MF4P1jf5TsQEU8OD_HyPkVXqzOftkwF2o-g-eOUC4qVPyHNz8ydDQf8yP_1wA4vGrjpHDoW-k-7tp0NscxrcO4Ogr8-1L3KbS-bHmbtwkVrJwNyzSCR8zGew1abq7uAKpWzWNTqV56KBvbouTdKhV-2tj6uSf0UbJvJg5I0PMCdV3OhpTwqCDKju6HLaeM1wJvQoyd51xnVQCLMg9T8lHn9-t498w1RpbODAQ0EYfJb_QMTt4Tknt1XUgI3u_KdMQsE7y-D2R-oktUV0stvXr-x3gJtWOtJ_OWDeVK8C0QV8IfXv36suhei-sEwus8-LaxeDVF3AM5XxG4zTGaM_OOLE3U9_CKq4MSkmyRhWVfGJA3bYS4FmjgxLD0CGta-7o_DGr69OsHvVuBjfGNMFoNgcpsn52F6fAoZn_K12htxRxEaJcqSgPRR8C0mYS2RGp2r9WY8-fZH5pmbnhJYo5lEbSYikPfO05D8P8JIK6UT-OA4YsgfyBFaDGIAA&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1Mzc1NDA2NTAsImlhdCI6MTUzNzU0MDA1MCwibmJmIjoxNTM3NTQwMDUwLCJzdWIiOiJXdGkxbitiVUpqM1ZFQWFVMmpEUnpTV0JZOFBwOXQwWTI1eU9JbDdFdy93PSJ9.bDJVl5xda6LzVWdIcWT32wuOXzrsWY-kbwq5UL-cQkI&session_state=f7e704d8-9ea2-497c-a794-e5ee2f0f0d19

Sep 21 07:27:30 iotinfluxdb.novalocal chronograf[31883]: time="2018-09-21T07:27:30-07:00" level=info msg="Response: Temporary Redirect" component=server method=GET remote_addr="<IP>:62554" response_time=274.337106ms status=307

Sep 21 07:27:30 iotinfluxdb.novalocal chronograf[31883]: time="2018-09-21T07:27:30-07:00" level=info msg="Response: OK" component=server method=GET remote_addr="<IP>:62554" response_time="243.451µs" status=200

Sep 21 07:27:30 iotinfluxdb.novalocal chronograf[31883]: time="2018-09-21T07:27:30-07:00" level=error msg="Error message This Chronograf is private. To gain access, you must be explicitly added by an administrator." component=server http_status =403

Sep 21 07:27:30 iotinfluxdb.novalocal chronograf[31883]: time="2018-09-21T07:27:30-07:00" level=info msg="Response: Forbidden" component=server method=GET remote_addr="<IP>:62554" response_time="436.072µs" status=403

Any help would greatly be appreciated.


Hi,

I was able to get Azure AD working with Grafana in 20 minutes. So I am confused as to why Chronograf is so challenging to get working. Has anyone got it working with Azure AD?

Chronograf Engineers, I would greatly appreciate any help that you can provide.

Thanks.


Would be interesting to know if you were able to make this work. We’re thinking of using Azure AD for authentication as well.

Hi,

Sorry for the late update. It took some time to figure out the issue. It was a combination of things but here is what should work for you.

TENENT=TENENT
GENERIC_NAME=AzureAD
GENERIC_CLIENT_ID=Client ID
GENERIC_CLIENT_SECRET=Client Secret
GENERIC_SCOPES=openid
GENERIC_AUTH_URL=https://login.microsoftonline.com/TENENT/oauth2/authorize?resource=https://graph.windows.net
GENERIC_TOKEN_URL=https://login.microsoftonline.com/TENENT/oauth2/token
GENERIC_API_URL=https://graph.windows.net/TENENT/me?api-version=1.6
GENERIC_API_KEY=userPrincipalName
PUBLIC_URL=PUBLIC_URL
TOKEN_SECRET=TOKEN_SECRET

Before logging in, please make sure your AD account is a SuperAdmin in Chronograf.

Here is how you check:
/usr/bin/chronoctl list-users

If the user is not listed add the user:

  1. STOP your Chronograf service

  2. Set the [$BOLT_PATH] to your chronograf-v1.db - (ex cmd: export BOLT_PATH=/etc/default/chronograf-v1.db)

  3. Re-run /usr/bin/chronoctl list-users and get ID value

  4. Run /usr/bin/chronoctl add-superadmin -i (your_id)

  5. START your Chronograf service

Thank you, Craig and Team, from InfluxDB.


Hey, thanks for posting this! What’s the “TENENT” variable/value for?

Detailed walkthrough of the setup is here:
https://www.influxdata.com/blog/securing-chronograf-with-oauth-2-0-in-microsoft-azure-active-directory/

Hi Tim,

hope you can help because I'm really frustrated. I've started a thread because the walkthrough doesn't work. I've created the configuration /etc/default/chronograf but nothing happens. When I open the browser, I'm already logged in. I can only connect to Chronograf through a jump host within the customer's environment; is this the issue?

Greetings

Steven

Hi Steven, jumping in for Tim. I'm going to need a little more information to see where the issue might be. We may want to switch over to our InfluxDB Slack Community channel and exchange some info. I'd like to see your Chronograf config file. Did you try clearing your browser cache?

My user name is @chobbs on our Slack community; sign in and message me in the #general channel.

Hi Chobbs,

thanks for reaching out. Attached is the Chronograf conf file.


The browser cache is clear; I've done this several times.

FYI: because of the configuration we can only access Chronograf via a jump host VM. The VM has only a private IP.

Thanks Steven - The config looks correct. Could I ask you to send me an email?

craig@influxdata.com

Hi Chobbs,

perfect will send you an email.

Greetings

Steven

I got the following configuration working after following the errors returned. It seems like the documentation is outdated. I modified GENERIC_API_KEY, added USE_ID_TOKEN, and added JWKS_URL.

    GENERIC_TOKEN_URL: "https://login.microsoftonline.com/${tenantId}/oauth2/token"
    TENANT: "${tenantId}"
    GENERIC_NAME: "AzureAD"
    GENERIC_API_KEY: "upn"
    GENERIC_SCOPES: "openid"
    GENERIC_CLIENT_ID: ${applicationId}
    GENERIC_AUTH_URL: "https://login.microsoftonline.com/${tenantId}/oauth2/authorize?resource=https://graph.windows.net"
    GENERIC_CLIENT_SECRET: ${applicationSecret}
    USE_ID_TOKEN: true
    JWKS_URL: "https://login.microsoftonline.com/${tenantId}/discovery/v2.0/keys"
    TOKEN_SECRET: secret
    GENERIC_API_URL: "https://graph.windows.net/${tenantId}/me?api-version=1.6"
    PUBLIC_URL: "https://${hostname}"

I hope this helps!!
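An added illustration of what the last two configs in this thread change (example code written for this page, not Chronograf's own code): with USE_ID_TOKEN=true Chronograf has to validate the id_token and then take the user's identity from the claim named by GENERIC_API_KEY, so the key must be a claim that actually exists in the token (`upn`), not a field name from the Graph `/me` response (`userPrincipalName`); a key that names nothing yields an empty principal, which is what a log line like `User "" is authenticated` looks like. Azure AD signs id_tokens with RS256 and publishes the keys at JWKS_URL; to run offline this example substitutes HS256 with a constructed shared secret, and the token, client ID and claims are all constructed placeholders.

```python
"""Validate a constructed OIDC id_token and read the principal claim.

Added example for this thread, not Chronograf code.  Azure AD uses
RS256 keys served from JWKS_URL; this offline demo substitutes HS256
with a constructed secret so the checks (alg pin, signature, aud, exp)
can be exercised without a network call.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"                       # stands in for the JWKS key
CLIENT_ID = "00000000-0000-0000-0000-000000000000"     # placeholder application id


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict) -> str:
    """Mint a constructed HS256 id_token (the identity provider's side)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def forge_claims(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the old signature: what an attacker without the key can do."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(json.dumps(new_claims).encode())}.{sig_b64}"


def verify_id_token(token: str, audience: str, now=None) -> dict:
    """Return the claims only if alg, signature, aud and exp all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":                   # pin the algorithm; never accept 'none'
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))      # only now is the payload trustworthy
    if claims.get("aud") != audience:                  # token must be issued for this client id
        raise ValueError("token not issued for this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def principal_from_token(token: str, api_key: str, audience: str, now=None) -> str:
    """Mimic GENERIC_API_KEY: the claim with that name becomes the user's identity.

    A key that names no claim yields "" - an empty user, as in the log excerpt above.
    """
    claims = verify_id_token(token, audience, now)
    value = claims.get(api_key, "")
    return value if isinstance(value, str) else ""


# Constructed claims shaped like a subset of an Azure AD v1 id_token.
SAMPLE_CLAIMS = {
    "aud": CLIENT_ID,
    "iss": "https://sts.windows.net/<tenant>/",
    "iat": 1537540050,
    "nbf": 1537540050,
    "exp": 1537543650,
    "oid": "constructed-object-id",
    "sub": "constructed-opaque-subject",
    "upn": "alice@example.com",
}

if __name__ == "__main__":
    token = make_id_token(SAMPLE_CLAIMS)
    now = 1537540100                                   # inside the token's validity window
    print("upn               ->", repr(principal_from_token(token, "upn", CLIENT_ID, now)))
    print("userPrincipalName ->", repr(principal_from_token(token, "userPrincipalName", CLIENT_ID, now)))
```

Running it prints `'alice@example.com'` for `upn` and `''` for `userPrincipalName`, which is the difference between the Graph-API config (GENERIC_API_URL plus GENERIC_API_KEY=userPrincipalName) and the id_token config (USE_ID_TOKEN plus GENERIC_API_KEY=upn). The order of checks matters: the signature is verified against the pinned algorithm before any claim is read, and a payload edited without the key is rejected.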