Closed: finalbeta closed this 7 years ago
Currently Graylog uses basic auth for internal session identification. So it is a pain to use any auth ways that depend on the Authorization header :(
Yes, we are unlikely to switch to a different authentication method for the web interface at this point, mostly because switching would render using the REST API much more difficult for every existing client, meaning that we would break the API for everyone accessing it directly.
That said, I'm not against the idea of allowing a choice of authentication methods, but we as core developers are very unlikely to address this any time soon. IOW we would welcome pull requests as a form of discussion.
Intro
Hi, I'm bringing this up because of a problem I had myself, and the issues I've seen in the other GitHub posts on the SSO plugin in combination with Apache (I'm using a load balancer product myself).
Problem description: Allow SSO Plugin to support basic access authentication
Setting the HTTP headers to the values needed for the SSO process is not supported by every reverse proxy.
Environment
Suggestion
All reverse proxies/load balancers are able to provide Basic authorization to the backend servers. Adding basic authorization to Graylog linked with LDAP would allow the user to be authenticated by more reverse proxy solutions/load balancers etc. and would still allow Graylog to get all needed user information, perform group mapping, etc. (This is the method I've seen used in many products.) This would probably require Graylog to allow you to set the IPs for which you want to provide this authentication method.
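
A sketch of the gate this suggestion implies, added here as an illustration and not taken from Graylog or the SSO plugin: proxy-supplied Basic credentials are accepted only when the direct TCP peer is an allowlisted proxy address. The function names, the allowlist ranges and the sample header are all constructed for the example; the LDAP lookup and group mapping that would follow are out of scope.

```python
import base64
import ipaddress

# Constructed sample allowlist: addresses of the reverse proxies / load balancers.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.10/32")]

# Constructed sample header, as a proxy would forward it to the backend.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")


def peer_is_trusted(peer_ip, networks=TRUSTED_PROXIES):
    """True only if the socket peer address is an allowlisted proxy.

    The check uses the connection's source address, never a client-supplied
    header such as X-Forwarded-For, which any caller can set.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def parse_basic(header):
    """Return (username, password) from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


def proxy_basic_identity(peer_ip, headers):
    """Credentials to hand to the LDAP step, or None if the request must be rejected."""
    if not peer_is_trusted(peer_ip):
        return None  # Basic header from a non-proxy address is ignored
    return parse_basic(headers.get("Authorization"))
```

Without the peer check, any host that can reach the backend port directly could present an Authorization header as if it came from the proxy.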