Adding a filter to check if SSO headers change while a session is active
I've added a filter that checks if the relevant SSO headers change during a session. close #35
Concept: If the SSO headers change, the existing session is terminated and the next request will re-authenticate the user.
Check for the user name: the SSO header is checked against the name of the principal. If it doesn't match, the session is terminated.
Check for the user roles: only active if "sync user roles" is active. On the first request with a session the headers are validated against the user's roles in the database. The validated header value is cached in the session for subsequent requests to avoid hitting LDAP/database on every request. If the validation fails, the session is terminated.
Environment used for development/testing: Graylog 2.5.1 in a docker setup as described in the manual. Chrome as a browser with a "Modify Headers" plugin installed to simulate SSO Headers. SSO Plugin installed and sync user roles active.
Test Scenario:
- Set Header "Remote-User: admin" and "Roles: admin"
- Open Graylog. Session created for admin, showing "admin" in upper right corner
- Change headers to "Remote-User: guest" and "Roles: admin"
- Browser will automatically refresh and show user "guest" in upper right corner
- Change headers to "Remote-User: guest" and "Roles: reader"
- Browser will automatically refresh and show reduced menu set. If you've been viewing a page that is not available to the reader role, the Graylog front end will redirect to the "Not Found" page with the ape
A pre-built module is available here for everyone who wants to test this module:
https://github.com/ahus1/graylog-plugin-auth-sso/releases/tag/build_003
I've re-based and re-checked this for Graylog 3.0 and it still works for me. I'm looking forward to a comment and/or merge.
Thanks!
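The two checks described above (user name against the session principal, roles header validated once and then cached in the session), written out as an added illustration using the plain Servlet API rather than the plugin's or Graylog's own code. The session attribute name, the `rolesOfUser` lookup and exact set equality for the roles comparison are assumptions made for the example.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.List;
import java.util.Set;
import java.util.function.Function;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Illustrative filter (not the plugin's code; Servlet API 4.0 assumed for the default init/destroy):
// ends the session once the SSO headers stop matching the user it was created for, so the next request re-authenticates.
public class SsoHeaderChangeFilter implements Filter {
    static final String USER_HEADER = "Remote-User";   // header names as used in the test scenario
    static final String ROLES_HEADER = "Roles";
    static final String VALIDATED_ROLES_ATTR = "sso.validatedRolesHeader"; // hypothetical session attribute

    private final boolean syncUserRoles;                         // the "sync user roles" setting
    private final Function<String, Set<String>> rolesOfUser;     // hypothetical lookup: user -> roles in DB/LDAP
    public SsoHeaderChangeFilter(boolean syncUserRoles, Function<String, Set<String>> rolesOfUser) {
        this.syncUserRoles = syncUserRoles;
        this.rolesOfUser = rolesOfUser;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpSession session = http.getSession(false);           // never create a session here
        Principal principal = http.getUserPrincipal();
        if (session != null && principal != null && !headersStillValid(http, session, principal.getName())) {
            session.invalidate();   // downstream auth finds no session and re-authenticates from the headers
        }
        chain.doFilter(req, res);
    }

    // false when the user header or (with role sync on) the roles header no longer fits the session user
    boolean headersStillValid(HttpServletRequest http, HttpSession session, String sessionUser) {
        if (!sessionUser.equals(http.getHeader(USER_HEADER))) return false;
        if (!syncUserRoles) return true;
        String rolesHeader = http.getHeader(ROLES_HEADER);
        String cached = (String) session.getAttribute(VALIDATED_ROLES_ATTR);
        if (cached != null) return cached.equals(rolesHeader);  // later requests: compare with the cached value
        // first request with this session: validate the header against the stored roles once
        if (rolesHeader == null
                || !rolesOfUser.apply(sessionUser).equals(Set.copyOf(List.of(rolesHeader.split("\\s*,\\s*"))))) {
            return false;
        }
        session.setAttribute(VALIDATED_ROLES_ATTR, rolesHeader); // cache so LDAP/DB is not hit on every request
        return true;
    }
}
```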
@ahus1 Thank you for the contribution! Graylog 4.0 now includes the core parts of this plugin by default and we are working on a similar change for that in https://github.com/Graylog2/graylog2-server/pull/9459.
@bernd - happy to hear that the functionality will be in core soon. Feel free to close this PR once the other PR has been merged.