Docs: CSRF add configuration options and documentation for additional headers and origins (#50473)

* added troubleshooting for "origin not allowed" messages * include in configuration.ini * moved doc to security * removed enterprise congiruation * Update conf/sample.ini Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com> Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>
4 years ago · b5615a1a18
parent 9fc889f5f6
commit b5615a1a18
3 changed files with 31 additions and 0 deletions
--- a/conf/sample.ini
+++ b/conf/sample.ini
@ -308,6 +308,12 @@
 # Controls if old angular plugins are supported or not. This will be disabled by default in future release
 ;angular_support_enabled = true

+# List of additional allowed URLs to pass by the CSRF check, separated by spaces. Suggested when authentication comes from an IdP.
+;csrf_trusted_origins = example.com
+
+# List of allowed headers to be set by the user, separated by spaces. Suggested to use for if authentication lives behind reverse proxies.
+;csrf_additional_headers =
+
 [security.encryption]
 # Defines the time-to-live (TTL) for decrypted data encryption keys stored in memory (cache).
 # Please note that small values may cause performance issues due to a high frequency decryption operations.
--- a/docs/sources/setup-grafana/configure-grafana/_index.md
+++ b/docs/sources/setup-grafana/configure-grafana/_index.md
@ -611,6 +611,14 @@ Current core features that will stop working:

 Before we disable angular support by default we plan to migrate these remaining areas to React.

+### csrf_trusted_origins
+
+List of additional allowed URLs to pass by the CSRF check. Suggested when authentication comes from an IdP.
+
+### csrf_additional_headers
+
+List of allowed headers to be set by the user. Suggested to use for if authentication lives behind reverse proxies.
+
 ## [snapshots]

 ### external_enabled
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/saml.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/saml.md
@ -407,3 +407,20 @@ The keys you provide should look like:
 ...
 -----END PRIVATE KEY-----
 ```
+
+### SAML login attempts fail with request response "origin not allowed"
+
+When the user logs in using SAML and gets presented with "origin not allowed", the user might be issuing the login from an IdP (identity provider) service or the user is behind a reverse proxy. This potentially happens as Grafana's CSRF checks deem the requests to be invalid. For more information [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery).
+
+To solve this issue, you can configure either the [`csrf_trusted_origins`]({{< relref "../../configure-grafana/enterprise-configuration/#csrf-trusted-origins" >}}) or [`csrf_origin_headers`]({{< relref "../../configure-grafana/enterprise-configuration/#csrf-origin-headers" >}}) option in the SAML configuration.
+
+Example of a configuration file:
+
+```bash
+# config.ini
+...
+[auth.saml]
+csrf_trusted_origins = https://grafana.example.com
+csrf_origin_headers = X-Forwarded-Proto X-Forwarded-Host X-Forwarded-Port
+...
+```