Chronograf Authentication issue when using Azure AD

chronograf

#1

Greetings, I am trying to use Azure AD Authentication for Chronograf (version 1.6.2) but running into issues.

My Azure Admin and I followed these instructions: https://docs.influxdata.com/chronograf/v1.6/administration/managing-security/#configuring-generic-authentication

Here are the configurations:

Path : /etc/default/chronograf

################################################

TLS_CERTIFICATE=/etc/ssl/< domain.cert>

TLS_PRIVATE_KEY=/etc/ssl/< domain.key>

PORT=8888

LOG_LEVEL=info

USE_ID_TOKEN = true

GENERIC_NAME = AzureAD

GENERIC_CLIENT_ID = <ID>

GENERIC_CLIENT_SECRET = <secret>

GENERIC_SCOPES = openid email name

GENERIC_AUTH_URL = https://login.microsoftonline.com/<ID> /oauth2/authorize

GENERIC_TOKEN_URL = https://login.microsoftonline.com/<ID> /oauth2/token

GENERIC_API_URL = https://login.microsoftonline.com/<ID>/openid/userinfo

GENERIC_API_KEY = sub

JWKS_URL = https://login.microsoftonline.com/common/discovery/keys

PUBLIC_URL = https://<domain>:8888

TOKEN_SECRET <secret>

#############################################################

The “Log in with AzureAD” button is showing up but when I click on it nothing happens. This is the URL that I get https://<domain>:8888/login?redirect=%2F

My AD Admin stated that the OAuth worked, but Chronograf is denying access. I am confused as to why that is so. Are there some additional parameters I need to set?

I am using Chro

Chronograf Log Info:

Sep 21 07:27:30 iotinfluxdb.novalocal chronograf[31883]: time="2018-09-21T07:27:30-07:00" level=info msg="User “” is authenticated" component=auth method=GET remote_addr="<IP>:62554" url=/oauth/azuread/callback?code=AQABAAIAAADXzZ3ifr-GRbDT45zNSEFEOxP5OHA9C_IyRSSRN5i7vMpF4FZBVRkwQVsjGm_XFy8RCMSkmxWQUg0pPS0BDuqYUQm3SpniOUrVIJmg-GEF7MlM6lj5VfHVk_Zs5gDz8eVlykIjdLQ-1_SkfryauGekuqE7NeS7RYZdwrxp9buln4qwTU636LBT4tSuh9EpiAwYFZ-9LbyzW6RkAyoxguFkEnKd5_7MF4P1jf5TsQEU8OD_HyPkVXqzOftkwF2o-g-eOUC4qVPyHNz8ydDQf8yP_1wA4vGrjpHDoW-k-7tp0NscxrcO4Ogr8-1L3KbS-bHmbtwkVrJwNyzSCR8zGew1abq7uAKpWzWNTqV56KBvbouTdKhV-2tj6uSf0UbJvJg5I0PMCdV3OhpTwqCDKju6HLaeM1wJvQoyd51xnVQCLMg9T8lHn9-t498w1RpbODAQ0EYfJb_QMTt4Tknt1XUgI3u_KdMQsE7y-D2R-oktUV0stvXr-x3gJtWOtJ_OWDeVK8C0QV8IfXv36suhei-sEwus8-LaxeDVF3AM5XxG4zTGaM_OOLE3U9_CKq4MSkmyRhWVfGJA3bYS4FmjgxLD0CGta-7o_DGr69OsHvVuBjfGNMFoNgcpsn52F6fAoZn_K12htxRxEaJcqSgPRR8C0mYS2RGp2r9WY8-fZH5pmbnhJYo5lEbSYikPfO05D8P8JIK6UT-OA4YsgfyBFaDGIAA&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1Mzc1NDA2NTAsImlhdCI6MTUzNzU0MDA1MCwibmJmIjoxNTM3NTQwMDUwLCJzdWIiOiJXdGkxbitiVUpqM1ZFQWFVMmpEUnpTV0JZOFBwOXQwWTI1eU9JbDdFdy93PSJ9.bDJVl5xda6LzVWdIcWT32wuOXzrsWY-kbwq5UL-cQkI&session_state=f7e704d8-9ea2-497c-a794-e5ee2f0f0d19

Sep 21 07:27:30 iotinfluxdb.novalocal chronograf[31883]: time="2018-09-21T07:27:30-07:00" level=info msg="Response: Temporary Redirect" component=server method=GET remote_addr="<IP>:62554" response_time=274.337106ms status=307

Sep 21 07:27:30 iotinfluxdb.novalocal chronograf[31883]: time="2018-09-21T07:27:30-07:00" level=info msg="Response: OK" component=server method=GET remote_addr="<IP>:62554" response_time="243.451µs" status=200

Sep 21 07:27:30 iotinfluxdb.novalocal chronograf[31883]: time="2018-09-21T07:27:30-07:00" level=error msg="Error message This Chronograf is private. To gain access, you must be explicitly added by an administrator." component=server http_status =403

Sep 21 07:27:30 iotinfluxdb.novalocal chronograf[31883]: time="2018-09-21T07:27:30-07:00" level=info msg="Response: Forbidden" component=server method=GET remote_addr="<IP>:62554" response_time="436.072µs" status=403

Any help would be greatly appreciated.


#2

Hi,

I was able to get Azure AD working with Grafana in 20 minutes. So I am confused as to why Chronograf is so challenging to get working. Has anyone got it working with Azure AD?

Chronograf Engineers, I would greatly appreciate any help that you can provide.

Thanks.


#3

Would be interesting to know if you were able to make this work. We’re thinking of using Azure AD for authentication as well.


#4

Hi,

Sorry for the late update. It took some time to figure out the issue. It was a combination of things, but here is what should work for you.

TENENT=TENENT
GENERIC_NAME=AzureAD
GENERIC_CLIENT_ID=Client ID
GENERIC_CLIENT_SECRET=Client Secret
GENERIC_SCOPES=openid
GENERIC_AUTH_URL=https://login.microsoftonline.com/TENENT/oauth2/authorize?resource=https://graph.windows.net
GENERIC_TOKEN_URL=https://login.microsoftonline.com/TENENT/oauth2/token
GENERIC_API_URL=https://graph.windows.net/TENENT/me?api-version=1.6
GENERIC_API_KEY=userPrincipalName
PUBLIC_URL=PUBLIC_URL
TOKEN_SECRET=TOKEN_SECRET

Before login, please make sure your AD account is a SuperAdmin in Chronograf.

Here is how you check:
/usr/bin/chronoctl list-users

If the user is not listed add the user:

  1. STOP your Chronograf service

  2. Set [$BOLT_PATH] to your chronograf-v1.db (e.g. export BOLT_PATH=/etc/default/chronograf-v1.db)

  3. Re-run /usr/bin/chronoctl list-users and get the ID value

  4. Run /usr/bin/chronoctl add-superadmin -i (your_id)

  5. START your Chronograf service

Thank you, Craig and Team, from InfluxDB.
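The two failure modes in this thread (a config file whose lines are not clean KEY=VALUE assignments, and a GENERIC_API_KEY that names a field the identity API does not return, so Chronograf logs `User “” is authenticated` and then answers 403 because an empty principal is never on the user list) can both be caught before restarting the service. The script below is an added example and is not part of Chronograf, chronoctl, or the posts above. It assumes the generic provider reads the field named by GENERIC_API_KEY from the JSON returned by GENERIC_API_URL (as the linked docs describe) and that Chronograf admits only principals already on its user list; the sample env files, the userinfo response and the user list are constructed for the example.

```python
"""Lint a Chronograf generic-OAuth env file and simulate principal lookup.

Added example (not Chronograf's own code). Sample inputs are constructed.
"""
import re
from urllib.parse import urlparse

# Keys the working configuration in the thread sets for the generic provider.
REQUIRED_KEYS = (
    "GENERIC_NAME", "GENERIC_CLIENT_ID", "GENERIC_CLIENT_SECRET",
    "GENERIC_SCOPES", "GENERIC_AUTH_URL", "GENERIC_TOKEN_URL",
    "GENERIC_API_URL", "GENERIC_API_KEY", "PUBLIC_URL", "TOKEN_SECRET",
)
URL_KEYS = ("GENERIC_AUTH_URL", "GENERIC_TOKEN_URL", "GENERIC_API_URL", "PUBLIC_URL")

# A POSIX shell treats "KEY = VALUE" as a command, not an assignment, so the
# linter only accepts NAME=value with nothing between the name and '='.
ENV_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_env(text):
    """Parse an /etc/default-style file. Returns (values, problems)."""
    values, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            problems.append(f"line {lineno}: not a KEY=VALUE assignment: {line!r}")
            continue
        values[m.group(1)] = m.group(2).strip()
    return values, problems


def lint_config(text):
    """Return a list of problems; an empty list means the file looks sane."""
    values, problems = parse_env(text)
    for key in REQUIRED_KEYS:
        if not values.get(key):
            problems.append(f"missing or empty: {key}")
    for key in URL_KEYS:
        url = values.get(key, "")
        if not url:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"{key}: not an https URL: {url!r}")
        if any(ch.isspace() for ch in url):
            problems.append(f"{key}: contains whitespace: {url!r}")
    return problems


def extract_principal(userinfo, api_key):
    """Pick the user identity the way the generic provider does: read the
    field named by GENERIC_API_KEY from the identity API's JSON. A missing
    or non-string field yields an empty principal."""
    value = userinfo.get(api_key, "")
    return value if isinstance(value, str) else ""


def authorize(principal, known_users):
    """Chronograf is private by default: only principals already on its user
    list get in, and an empty principal can never match an entry."""
    return bool(principal) and principal in known_users


# Constructed sample mirroring the spacing of the first post's config.
BROKEN_CONFIG = """\
PORT=8888
GENERIC_NAME = AzureAD
GENERIC_CLIENT_ID = placeholder-client-id
GENERIC_API_KEY = sub
TOKEN_SECRET placeholder-token-secret
"""

# Constructed sample laid out like the working config in the last post.
WORKING_CONFIG = """\
GENERIC_NAME=AzureAD
GENERIC_CLIENT_ID=placeholder-client-id
GENERIC_CLIENT_SECRET=placeholder-client-secret
GENERIC_SCOPES=openid
GENERIC_AUTH_URL=https://login.microsoftonline.com/placeholder-tenant/oauth2/authorize?resource=https://graph.windows.net
GENERIC_TOKEN_URL=https://login.microsoftonline.com/placeholder-tenant/oauth2/token
GENERIC_API_URL=https://graph.windows.net/placeholder-tenant/me?api-version=1.6
GENERIC_API_KEY=userPrincipalName
PUBLIC_URL=https://chronograf.example.test:8888
TOKEN_SECRET=placeholder-token-secret
"""

# Constructed identity-API response: it carries userPrincipalName but no "sub".
USERINFO = {"userPrincipalName": "alice@example.test", "displayName": "Alice"}
KNOWN_USERS = {"alice@example.test"}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("working", WORKING_CONFIG)):
        print(name, lint_config(cfg) or "OK")
    for key in ("sub", "userPrincipalName"):
        who = extract_principal(USERINFO, key)
        print(f"GENERIC_API_KEY={key}: principal={who!r} admitted={authorize(who, KNOWN_USERS)}")
```

Run it against a copy of /etc/default/chronograf before restarting the service; any line the linter rejects is one the service will not load as intended, and a principal that comes back empty for your chosen GENERIC_API_KEY is exactly the state that produces the 403 seen in the log above.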