Chronograf Authentication issue when using Azure AD

Greetings, I am trying to use Azure AD Authentication for Chronograf (version 1.6.2) but running into issues.

My Azure Admin and I followed these instructions: Managing Chronograf security | Chronograf 1.6 Documentation

Here are the configurations:

Path : /etc/default/chronograf

################################################

TLS_CERTIFICATE=/etc/ssl/< domain.cert>

TLS_PRIVATE_KEY=/etc/ssl/< domain.key>

PORT=8888

LOG_LEVEL=info

USE_ID_TOKEN = true

GENERIC_NAME = AzureAD

GENERIC_CLIENT_ID = <ID>

GENERIC_CLIENT_SECRET = <secret>

GENERIC_SCOPES = openid email name

GENERIC_AUTH_URL = https://login.microsoftonline.com/<ID>/oauth2/authorize

GENERIC_TOKEN_URL = https://login.microsoftonline.com/<ID>/oauth2/token

GENERIC_API_URL = https://login.microsoftonline.com/<ID>/openid/userinfo

GENERIC_API_KEY = sub

JWKS_URL = https://login.microsoftonline.com/common/discovery/keys

PUBLIC_URL = https://<domain>:8888

TOKEN_SECRET <secret>

#############################################################

The “Log in with AzureAD” button is showing up but when I click on it nothing happens. This is the URL that I get https://<domain>:8888/login?redirect=%2F

My AD Admin stated that the oauth worked, but Chronograf is denying access. I am confused as to why that is so. Are there some additional parameters I need to set?

I am using Chro

Chronograf Log Info:

Sep 21 07:27:30 iotinfluxdb.novalocal chronograf[31883]: time="2018-09-21T07:27:30-07:00" level=info msg="User “” is authenticated" component=auth method=GET remote_addr="<IP>:62554" url=/oauth/azuread/callback?code=AQABAAIAAADXzZ3ifr-GRbDT45zNSEFEOxP5OHA9C_IyRSSRN5i7vMpF4FZBVRkwQVsjGm_XFy8RCMSkmxWQUg0pPS0BDuqYUQm3SpniOUrVIJmg-GEF7MlM6lj5VfHVk_Zs5gDz8eVlykIjdLQ-1_SkfryauGekuqE7NeS7RYZdwrxp9buln4qwTU636LBT4tSuh9EpiAwYFZ-9LbyzW6RkAyoxguFkEnKd5_7MF4P1jf5TsQEU8OD_HyPkVXqzOftkwF2o-g-eOUC4qVPyHNz8ydDQf8yP_1wA4vGrjpHDoW-k-7tp0NscxrcO4Ogr8-1L3KbS-bHmbtwkVrJwNyzSCR8zGew1abq7uAKpWzWNTqV56KBvbouTdKhV-2tj6uSf0UbJvJg5I0PMCdV3OhpTwqCDKju6HLaeM1wJvQoyd51xnVQCLMg9T8lHn9-t498w1RpbODAQ0EYfJb_QMTt4Tknt1XUgI3u_KdMQsE7y-D2R-oktUV0stvXr-x3gJtWOtJ_OWDeVK8C0QV8IfXv36suhei-sEwus8-LaxeDVF3AM5XxG4zTGaM_OOLE3U9_CKq4MSkmyRhWVfGJA3bYS4FmjgxLD0CGta-7o_DGr69OsHvVuBjfGNMFoNgcpsn52F6fAoZn_K12htxRxEaJcqSgPRR8C0mYS2RGp2r9WY8-fZH5pmbnhJYo5lEbSYikPfO05D8P8JIK6UT-OA4YsgfyBFaDGIAA&state=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1Mzc1NDA2NTAsImlhdCI6MTUzNzU0MDA1MCwibmJmIjoxNTM3NTQwMDUwLCJzdWIiOiJXdGkxbitiVUpqM1ZFQWFVMmpEUnpTV0JZOFBwOXQwWTI1eU9JbDdFdy93PSJ9.bDJVl5xda6LzVWdIcWT32wuOXzrsWY-kbwq5UL-cQkI&session_state=f7e704d8-9ea2-497c-a794-e5ee2f0f0d19

Sep 21 07:27:30 iotinfluxdb.novalocal chronograf[31883]: time="2018-09-21T07:27:30-07:00" level=info msg="Response: Temporary Redirect" component=server method=GET remote_addr="<IP>:62554" response_time=274.337106ms status=307

Sep 21 07:27:30 iotinfluxdb.novalocal chronograf[31883]: time="2018-09-21T07:27:30-07:00" level=info msg="Response: OK" component=server method=GET remote_addr="<IP>:62554" response_time="243.451µs" status=200

Sep 21 07:27:30 iotinfluxdb.novalocal chronograf[31883]: time="2018-09-21T07:27:30-07:00" level=error msg="Error message This Chronograf is private. To gain access, you must be explicitly added by an administrator." component=server http_status =403

Sep 21 07:27:30 iotinfluxdb.novalocal chronograf[31883]: time="2018-09-21T07:27:30-07:00" level=info msg="Response: Forbidden" component=server method=GET remote_addr="<IP>:62554" response_time="436.072µs" status=403

Any help would greatly be appreciated.


Hi,

I was able to get Azure AD working with Grafana in 20 minutes. So I am confused as to why Chronograf is so challenging to get working. Has anyone got it working with Azure AD?

Chronograf Engineers, I would greatly appreciate any help that you can provide.

Thanks.


Would be interesting to know if you were able to make this work. We're thinking of using Azure AD for authentication as well.

Hi,

Sorry for the late update. It took some time to figure out the issue. It was a combination of things but here is what should work for you.

TENENT=TENENT
GENERIC_NAME=AzureAD
GENERIC_CLIENT_ID=Client ID
GENERIC_CLIENT_SECRET=Client Secret
GENERIC_SCOPES=openid
GENERIC_AUTH_URL=https://login.microsoftonline.com/TENENT/oauth2/authorize?resource=https://graph.windows.net
GENERIC_TOKEN_URL=https://login.microsoftonline.com/TENENT/oauth2/token
GENERIC_API_URL=https://graph.windows.net/TENENT/me?api-version=1.6
GENERIC_API_KEY=userPrincipalName
PUBLIC_URL=PUBLIC_URL
TOKEN_SECRET=TOKEN_SECRET

Before login, please make sure your AD account is a SuperAdmin in Chronograf.

Here is how you check:
/usr/bin/chronoctl list-users

If the user is not listed add the user:

  1. STOP your Chronograf service

  2. Set the [$BOLT_PATH] to your chronograf-v1.db - (ex cmd: export BOLT_PATH=/etc/default/chronograf-v1.db)

  3. Re-run /usr/bin/chronoctl list-users and get ID value

  4. Run /usr/bin/chronoctl add-superadmin -i (your_id)

  5. START your Chronograf service

Thank you, Craig and Team, from InfluxDB.


Hey, thanks for posting this! What's the “TENENT” variable/value for?

Detailed walkthrough of the setup is here:

Hi Tim,

hope you can help because I'm really frustrated. I've started a thread because the walkthrough doesn't work. I've created the configuration /etc/default/chronograf but nothing happens. When I open the browser, I'm already logged in. I can only connect to Chronograf through a jump host within the customer's environment. Is this the issue?

Greetings

Steven

Hi Steven, jumping in for Tim. I'm going to need a little more information to see where the issue might be. We may want to switch over to our InfluxDB Slack Community channel and exchange some info. I'd like to see your Chronograf config file. Did you try clearing your browser cache?

My user name is: @chobbs
on our Slack community. Sign in and message me in the #general channel.

Hi Chobbs,

thanks for reaching out. Attached is the Chronograf conf file.


The browser cache is clear. I've done this several times.

FYI: because of the configuration we can only access Chronograf via a Jump Host VM. The VM has only a private IP.

Thanks Steven - The config looks correct. Could I ask you to send me an email?

craig@influxdata.com

Hi Chobbs,

perfect will send you an email.

Greetings

Steven

I got the following configuration working after following the errors returned. It seems like the documentation is outdated. I modified GENERIC_API_KEY, added USE_ID_TOKEN, and added JWKS_URL.

    GENERIC_TOKEN_URL: "https://login.microsoftonline.com/${tenantId}/oauth2/token"
    TENANT: "${tenantId}"
    GENERIC_NAME: "AzureAD"
    GENERIC_API_KEY: "upn"
    GENERIC_SCOPES: "openid"
    GENERIC_CLIENT_ID: ${applicationId}
    GENERIC_AUTH_URL: "https://login.microsoftonline.com/${tenantId}/oauth2/authorize?resource=https://graph.windows.net"
    GENERIC_CLIENT_SECRET: ${applicationSecret}
    USE_ID_TOKEN: true
    JWKS_URL: "https://login.microsoftonline.com/${tenantId}/discovery/v2.0/keys"
    TOKEN_SECRET: secret
    GENERIC_API_URL: "https://graph.windows.net/${tenantId}/me?api-version=1.6"
    PUBLIC_URL: "https://${hostname}"

I hope this helps!!
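The first post's config and the two working ones above differ in a handful of mechanical ways (a `TOKEN_SECRET` line with no `=`, a stray space inside a URL, `USE_ID_TOKEN` with and without `JWKS_URL`, missing settings). Here is a small linter, added as an example and not code from Chronograf or from anyone in this thread, that reads a `/etc/default/chronograf`-style `KEY=VALUE` file and reports those defects. The sample file, the required-setting list, and the treatment of whitespace around `=` (a shell that sources the file would run `KEY` as a command) are my assumptions drawn from the thread.

```python
# Constructed sample modelled on the first post's config (placeholders kept).
SAMPLE_ENV = """\
PORT=8888
USE_ID_TOKEN=true
GENERIC_NAME = AzureAD
GENERIC_CLIENT_ID=<ID>
GENERIC_CLIENT_SECRET=<secret>
GENERIC_AUTH_URL=https://login.microsoftonline.com/<ID> /oauth2/authorize
GENERIC_TOKEN_URL=https://login.microsoftonline.com/<ID>/oauth2/token
GENERIC_API_URL=https://login.microsoftonline.com/<ID>/openid/userinfo
GENERIC_API_KEY=sub
PUBLIC_URL=https://example.invalid:8888
TOKEN_SECRET <secret>
"""

# Settings present in every working config posted in the thread (assumption).
REQUIRED = ("GENERIC_CLIENT_ID", "GENERIC_CLIENT_SECRET", "GENERIC_AUTH_URL",
            "GENERIC_TOKEN_URL", "GENERIC_API_URL", "GENERIC_API_KEY",
            "PUBLIC_URL", "TOKEN_SECRET")


def parse_env(text):
    """Return (settings, problems) for KEY=VALUE text; bad lines are skipped."""
    settings, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            # e.g. "TOKEN_SECRET <secret>": never becomes an assignment.
            problems.append(f"line {n}: no '=' in {line!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if line != f"{key}={value}":
            # "KEY = value" is a command, not an assignment, if the file is sourced.
            problems.append(f"line {n}: whitespace around '=' in {key}")
        settings[key] = value
    return settings, problems


def check_oauth(settings):
    """Cross-field checks drawn from the fixes posted in the thread."""
    problems = [f"missing {key}" for key in REQUIRED if key not in settings]
    for key, value in settings.items():
        if key.endswith("_URL") and any(ch.isspace() for ch in value):
            problems.append(f"{key}: URL contains whitespace")
    if settings.get("USE_ID_TOKEN", "").lower() == "true" and "JWKS_URL" not in settings:
        problems.append("USE_ID_TOKEN=true without JWKS_URL: id_token cannot be verified")
    return problems


def lint(text):
    settings, problems = parse_env(text)
    return problems + check_oauth(settings)
```

Running `lint(open("/etc/default/chronograf").read())` on a real file lists the findings; an empty list means only the SuperAdmin step (`chronoctl list-users` / `add-superadmin`) remains to check.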