Docs: CSRF add configuration options and documentation for additional headers and origins (#50473)

* added troubleshooting for "origin not allowed" messages

* include in configuration.ini

* moved doc to security

* removed enterprise configuration

* Update conf/sample.ini

Co-authored-by: Emil Tullstedt <emil.tullstedt@grafana.com>

Eric Leijonmarck
2022-06-09 09:13:08 +02:00
committed by GitHub
parent 9fc889f5f6
commit b5615a1a18
3 changed files with 31 additions and 0 deletions


@ -407,3 +407,20 @@ The keys you provide should look like:
...
-----END PRIVATE KEY-----
```
### SAML login attempts fail with request response "origin not allowed"
When the user logs in using SAML and gets presented with "origin not allowed", the user might be issuing the login from an IdP (identity provider) service or the user is behind a reverse proxy. This potentially happens as Grafana's CSRF checks deem the requests to be invalid. For more information [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery).
To solve this issue, you can configure either the [`csrf_trusted_origins`]({{< relref "../../configure-grafana/enterprise-configuration/#csrf-trusted-origins" >}}) or [`csrf_origin_headers`]({{< relref "../../configure-grafana/enterprise-configuration/#csrf-origin-headers" >}}) option in the SAML configuration.
Example of a configuration file:
```bash
# config.ini
...
[auth.saml]
csrf_trusted_origins = https://grafana.example.com
csrf_origin_headers = X-Forwarded-Proto X-Forwarded-Host X-Forwarded-Port
...
```
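Review bot: the sample at the end of the hunk puts `csrf_trusted_origins` and `csrf_origin_headers` under `[auth.saml]`, but the commit message says the doc was "moved to security" and that `conf/sample.ini` was updated, and the title calls the option "additional headers"; please confirm against `conf/sample.ini` that the section and key names (`[auth.saml]` vs. `[security]`, `csrf_origin_headers` vs. an "additional headers" key) are what Grafana actually reads, otherwise readers will paste a config that is silently ignored and still see "origin not allowed". Two related points in the same hunk: the two relref links still point at `../../configure-grafana/enterprise-configuration/#csrf-trusted-origins` and `#csrf-origin-headers` even though the message says the enterprise configuration page was removed, so check those anchors resolve; and the troubleshooting text should say that a header listed in `csrf_origin_headers` (e.g. `X-Forwarded-Host`) is then trusted as the request origin, so this is only safe when the reverse proxy overwrites those headers rather than passing client-supplied values through, otherwise the CSRF check can be bypassed. Minor style: the fence is tagged `bash` for an INI file (`ini` would be clearer), and "For more information [CSRF](...)" reads better as "For more information, see [CSRF](...)".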