How to make the webUI works with the st2 Proxy Auth Mode


(Jimmy0628) #1

I am trying to integrate the webui into our project so I need authenticate users with the SSO, which is not supported by the st2 by default. If I configure the st2 authentication as the Proxy Auth Mode, then the authetication can performed on the webUI, and get the token from the st2.

Has anyone tried this method? Thanks

(Tomaz Muraus) #2

After more digging in, it turns out current code is indeed correct - Fix "proxy" authentication mode by Kami · Pull Request #4224 · StackStorm/st2 · GitHub

The only thing which needs updating is documentation. “REMOTE_ADDR” and “REMOTE_USER” values should come in as a CGI environment variable and not as header values.

In some scenarios, it might also make sense to allow proxy to pass those values as a header, but this is harder to do correctly and has more safety risk - you would need to configure proxy which sits before st2auth and handle authentication to always set those two headers and to make sure user can’t directly overwrite those headers.

I updated documentation in Clarify remote_user and remote_addr need to come in as a CGI environment variable by Kami · Pull Request #761 · StackStorm/st2docs · GitHub to clarify that.