This repository has been archived by the owner on May 27, 2024. It is now read-only.
Adding a filter to check SSO headers while a session is active #40
I've added a filter that checks whether the relevant SSO headers change during a session. Closes #35.
Concept: If the SSO headers change, the existing session is terminated and the next request will re-authenticate the user.
Check for the user name: the SSO header is checked against the name of the principal. If it doesn't match, the session is terminated.
Check for the user roles: only active if "sync user roles" is active. On the first request with a session the headers are validated against the user's roles in the database. The validated header value is cached in the session for subsequent requests to avoid hitting LDAP/database on every request. If the validation fails, the session is terminated.
Environment used for development/testing: Graylog 2.5.1 in a Docker setup as described in the manual. Chrome as the browser, with a "Modify Headers" plugin installed to simulate SSO headers. SSO plugin installed and "sync user roles" active.
Test Scenario:
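The session check described above, written out as an added example. This is not the plugin's Java code and not part of the pull request; it is a framework-neutral model of the described behaviour. The header names (`Remote-User`, `Remote-Groups`), the session attribute name, the `Session` stand-in and the `roles_of` lookup callback are all assumptions made for the illustration; the real plugin takes header names from its configuration and looks roles up in Graylog's user store.

```python
"""Session-consistency check for SSO trusted-header authentication.

Added example, not code from the SSO plugin: models the filter described in
the pull request. Header names, the session attribute and the role lookup
are assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Assumed header names; the real plugin reads them from its configuration.
USERNAME_HEADER = "Remote-User"
ROLES_HEADER = "Remote-Groups"
# Assumed session attribute that caches the already validated roles header.
VALIDATED_ROLES_ATTR = "sso.validated_roles_header"


@dataclass
class Session:
    """Stand-in for an HTTP session bound to an authenticated principal."""
    principal: str
    attributes: Dict[str, str] = field(default_factory=dict)
    valid: bool = True

    def invalidate(self) -> None:
        """Terminate the session; the next request has to re-authenticate."""
        self.valid = False
        self.attributes.clear()


def parse_roles(header_value: str) -> Set[str]:
    """Split a comma-separated roles header into a set of role names."""
    return {r.strip() for r in header_value.split(",") if r.strip()}


class SsoSessionFilter:
    """Terminates a session whose SSO headers no longer match the principal."""

    def __init__(self, sync_roles: bool, roles_of: Callable[[str], Set[str]]):
        self.sync_roles = sync_roles          # the "sync user roles" setting
        self.roles_of = roles_of              # stored roles lookup (database/LDAP)

    def check(self, headers: Dict[str, str], session: Optional[Session]) -> str:
        """Return "ok", "no-session" or "terminated:<reason>" for one request."""
        if session is None or not session.valid:
            # Nothing to compare against; the normal SSO authentication runs.
            return "no-session"

        # User name check: the header must name the session's principal.
        if headers.get(USERNAME_HEADER) != session.principal:
            session.invalidate()
            return "terminated:user-mismatch"

        # Role check: only when role synchronisation is enabled.
        if self.sync_roles:
            roles_header = headers.get(ROLES_HEADER, "")
            cached = session.attributes.get(VALIDATED_ROLES_ATTR)
            if cached is None:
                # First request with this session: validate against the stored
                # roles, then cache the header so later requests skip the lookup.
                if parse_roles(roles_header) != self.roles_of(session.principal):
                    session.invalidate()
                    return "terminated:role-mismatch"
                session.attributes[VALIDATED_ROLES_ATTR] = roles_header
            elif parse_roles(roles_header) != parse_roles(cached):
                # Later request: compare with the cached, already validated value.
                session.invalidate()
                return "terminated:role-mismatch"

        return "ok"


if __name__ == "__main__":
    # Constructed sample: one stored user and a sequence of requests.
    stored_roles = {"alice": {"Admin", "Reader"}}
    flt = SsoSessionFilter(sync_roles=True, roles_of=lambda u: stored_roles.get(u, set()))
    sess = Session(principal="alice")
    for hdrs in ({USERNAME_HEADER: "alice", ROLES_HEADER: "Admin, Reader"},
                 {USERNAME_HEADER: "alice", ROLES_HEADER: "Admin"},
                 {USERNAME_HEADER: "alice", ROLES_HEADER: "Admin"}):
        print(flt.check(hdrs, sess))
```

Role values are compared as sets, so a proxy that reorders the comma-separated list does not terminate the session, but any added or removed role does. Header lookup is case-sensitive here for brevity; a real servlet or JAX-RS filter should use the framework's case-insensitive header accessor.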