Skip to content
This repository was archived by the owner on May 27, 2024. It is now read-only.

adding a filter to check if SSO headers while session is active#40

Open
ahus1 wants to merge 1 commit intoGraylog2:masterfrom
ahus1:user_check
Open

adding a filter to check if SSO headers while session is active#40
ahus1 wants to merge 1 commit intoGraylog2:masterfrom
ahus1:user_check

Conversation

@ahus1
Copy link

@ahus1 ahus1 commented Jan 20, 2019

I've added a filter that checks if the relevant SSO headers change during a session. close #35

Concept: If the SSO headers change, the existing session is terminated and the next request will re-authenticate the user.

Check for the user name: the SSO header is checked against the name of the principal. If it doesn't match, the session is terminated.

Check for the user roles: only active if "sync user roles" is active. On the first request with a session the headers are validated against the user's roles in the database. The validated header value is cached in the session for subsequent requests to avoid hitting LDAP/database on every request. If the validation fails, the session is terminated.

Environment used for development/testing: Graylog 2.5.1 in a docker setup as described in the manual. Chrome as a browser with a "Modify Headers" plugin installed to simulate SSO Headers. SSO Plugin installed and sync user roles active.

Test Scenario:

  • Set Header "Remote-User: admin" and "Roles: admin"
  • Open Graylog. Session created for admin, showing "admin" in upper right corner
  • Change headers to "Remote-User: guest" and "Roles: admin"
  • Browser will automatically refresh and show user "guest" in upper right corner
  • Change headers to "Remote-User: guest" and "Roles: reader"
  • Browser will automatically refresh and show reduced menu set. If you've been viewing a page that is not available to the reader role, the Graylog front end will redirect to the "Not Found" page with the ape

@CLAassistant
Copy link

CLAassistant commented Jan 20, 2019
edited
Loading

CLA assistant check
All committers have signed the CLA.

@ahus1 ahus1 mentioned this pull request Jan 20, 2019
Closed
@ahus1
Copy link
Author

ahus1 commented Feb 8, 2019

A pre-built module is available here vor everyone who wants to test this module:

https://github.com/ahus1/graylog-plugin-auth-sso/releases/tag/build_003

@ahus1
Copy link
Author

ahus1 commented Mar 16, 2019

I've re-based and re-checked this for Graylog 3.0 and it still works for me. I'm looking forward to a comment and/or merge.

Thanks!

@malcyon malcyon requested a review from bernd August 5, 2020 15:11
@bernd
Copy link
Member

bernd commented Dec 1, 2020

@ahus1 Thank you for the contribution! Graylog 4.0 now includes the core parts of this plugin by default and we are working on a similar change for that in Graylog2/graylog2-server#9459.

@bernd bernd removed their request for review December 1, 2020 17:44
@ahus1
Copy link
Author

ahus1 commented Dec 1, 2020

@bernd - happy to hear that the functionality will be in core soon. Feel free to close this PR once the other PR has been merged.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

ready-for-review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Once a graylog session exists, the user name is not checked on subsequent requests if SSO user name has changed

4 participants

@ahus1 @CLAassistant @bernd @jalogisch