diff --git a/conf/sample.ini b/conf/sample.ini index b5c2e2eae2f..960d84ff9b9 100644 --- a/conf/sample.ini +++ b/conf/sample.ini @@ -308,6 +308,12 @@ # Controls if old angular plugins are supported or not. This will be disabled by default in future release ;angular_support_enabled = true +# List of additional allowed URLs to pass by the CSRF check, separated by spaces. Suggested when authentication comes from an IdP. +;csrf_trusted_origins = example.com + +# List of allowed headers to be set by the user, separated by spaces. Suggested to use for if authentication lives behind reverse proxies. +;csrf_additional_headers = + [security.encryption] # Defines the time-to-live (TTL) for decrypted data encryption keys stored in memory (cache). # Please note that small values may cause performance issues due to a high frequency decryption operations. diff --git a/docs/sources/setup-grafana/configure-grafana/_index.md b/docs/sources/setup-grafana/configure-grafana/_index.md index ce8223697f6..61db9c50468 100644 --- a/docs/sources/setup-grafana/configure-grafana/_index.md +++ b/docs/sources/setup-grafana/configure-grafana/_index.md @@ -611,6 +611,14 @@ Current core features that will stop working: Before we disable angular support by default we plan to migrate these remaining areas to React. +### csrf_trusted_origins + +List of additional allowed URLs to pass by the CSRF check. Suggested when authentication comes from an IdP. + +### csrf_additional_headers + +List of allowed headers to be set by the user. Suggested to use for if authentication lives behind reverse proxies. + ## [snapshots] ### external_enabled diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/saml.md b/docs/sources/setup-grafana/configure-security/configure-authentication/saml.md index 3c9a1a6384b..cce17545126 100644 --- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml.md +++ b/docs/sources/setup-grafana/configure-security/configure-authentication/saml.md @@ -407,3 +407,20 @@ The keys you provide should look like: ... -----END PRIVATE KEY----- ``` + +### SAML login attempts fail with request response "origin not allowed" + +When the user logs in using SAML and gets presented with "origin not allowed", the user might be issuing the login from an IdP (identity provider) service or the user is behind a reverse proxy. This potentially happens as Grafana's CSRF checks deem the requests to be invalid. For more information [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery). + +To solve this issue, you can configure either the [`csrf_trusted_origins`]({{< relref "../../configure-grafana/enterprise-configuration/#csrf-trusted-origins" >}}) or [`csrf_origin_headers`]({{< relref "../../configure-grafana/enterprise-configuration/#csrf-origin-headers" >}}) option in the SAML configuration. + +Example of a configuration file: + +```bash +# config.ini +... +[auth.saml] +csrf_trusted_origins = https://grafana.example.com +csrf_origin_headers = X-Forwarded-Proto X-Forwarded-Host X-Forwarded-Port +... +```