Authenticating with a Proxy

One way to accomplish single sign-on (SSO) in Humio is by using a reverse proxy in front of Humio. If that proxy has a way of knowing a proper username or user email or other unique user identifier, you can let the proxy decide what username the user gets access as inside Humio.

Make sure Humio is not accessible without passing through the proxy, as direct access to the Humio server in this configuration allows anyone to assume any identity.

Configure using:

AUTHENTICATION_METHOD=byproxy
AUTH_BY_PROXY_HEADER_NAME=name-of-http-header

The proxy must add a header with the username of the end user in the specified header. If the proxy leaves the header blank, the user does not get authenticated, and can thus only access shared dashboards.

Humio uses the “Authentication” header as transport from the browser to the Humio backend. It is thus not possible to use a proxy that also uses this header. This rules out using https://github.com/bitly/oauth2_proxy.