OIDC
  • 09 Aug 2022
  • 3 Minutes to read
  • Dark
    Light

OIDC

  • Dark
    Light

Graylog 4.2 introduces generic OpenID Connect (OIDC) authentication on-premise, ensuring your Graylog login may be managed with a variety of OIDC-compliant identity providers.

Identity Providers and Graylog

These providers have been tested successfully with Graylog; however, you are encouraged to explore authentication with any OIDC-compliant provider that best fits your needs and environment.

Google hd Claim Authentication Parameter

Important

When using OIDC with Google, you can restrict access to only members of your G Suite domain by adding an hd claim that matches your G Suite domain name. You must set this parameter to restrict access. Otherwise, anyone with an authenticated Google account can access your Graylog instance.

This is strongly recommended as a best practice for all but is especially necessary for self-managed, publicly available Graylog instances.

Configuration

  1. To set this authentication parameter, navigate to the Authentication page and select "Edit" next to your Google authentication service.

OIDC_Edit

  1. In the "Claims" menu, add the hd claim under "Name" and provide your organization's domain name in the "Value" field.
  2. Select "Add."
Note

Generic OIDC support was first introduced in Graylog Operations 4.2. Support for custom OIDC claims was added in Graylog 4.2.12 and 4.3.5.

For more information regarding the hd claim in Google Identity, see the related Google documentation.

Configuration

To begin you will need to obtain authentication credentials from your provider to configure your OIDC protocol. Navigating each provider’s application will be different, but for this example, we will look at how to set up an OIDC service with Auth0.

Auth0

  1. Log in to your existing Auth0 dashboard; here you will need to create an application for Graylog.
Note

If you have multiple Graylog instances, then you will need to create separate applications in Auth0 for each Graylog instance.

  1. Once the Graylog application has been created, select this application in Auth0 to view your client credentials. These credentials will be required to configure your OIDC service in Graylog.

OIDC_Image_1 (1)

  1. Then, in your Graylog application, navigate to the Authentication page and select Create Service.

OIDC_Image_3

  1. Now you can use the credentials from Auth0 to fill in the following fields and make your selections, including:

    • Title
      • This will be used as the title of the login screen when your users sign into Graylog via your SSO protocol.
    • Description
      • This field is optional and can be used to provide a general description of the identity provider selected.
    • OIDC Base URL
      • This refers to the base URL of your OIDC environment and may be obtained from the credentials provided by Auth0.
    • Callback URL
      • The callback URL will be generated by Graylog beneath this field.
    • Client ID and Client Secret
      • Both of these values will be provided in the Auth0 application.
    • Token Verified Connect Timeout
      • It is recommended that the default value of “10” be selected for this field.
    • Default Role
      • The default role will populate as Reader; this will be the basic level of access needed for most Graylog users and is therefore the recommended selection.
  2. Finally, you will want to select “Server Connection Check” before applying the configuration. Selecting this operation will allow Graylog to perform a basic consistency and connectivity check of the configuration. Any errors detected at this point will be noted by the application before proceeding.

Group Synchronization

Currently, Group Sync is only available with Okta authentication.

Activation

Once you have configured the service, be sure to activate your current service provider to enable the authentication protocol. Only one authentication service may be activated at a time for each Graylog instance. If you change or service provider or need to update your settings, then be sure to activate the new service from this menu.

OIDC_Image_2

Login

Now you will have a new way of logging into Graylog.

OIDC_Image_4

Selecting “Login with Auth0” will take you to the provider’s application to complete your sign on to Graylog.

OIDC_Image_5

Note

If you have any issues with your identity provider, remember that you may always log into Graylog using your default admin credentials by selecting, “Login with default method.”


Was this article helpful?

What's Next