Protecting SSRS

1. Caddy version (caddy version):

Caddy V2

2. How I run Caddy:

a. System environment:

Running on Windows Server 2016

b. Command:

caddy run

c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

} {   
	tls email {
        dns cloudflare API Key	
	log {
		output file c:\caddy\logs\ssrs_access.log {
			roll true				# Rotate logs, enabled by default
			roll_size_mb 10	        # Set max size X MB
			roll_gzip true		    # Whether to compress rolled files
			roll_local_time true    # Use localhost time
			roll_keep 3		        # Keep at most X log files
			roll_keep_days 7		# Keep log files for X days 
	encode gzip
	route /auth* {
		authp {					
			backends {
				azure_saml_backend {
					method saml
					realm azure
					provider azure
					idp_metadata_location c:\caddy\certs\ssrs.xml
					idp_sign_cert_location c:\caddy\certs\ssrs.cer
					tenant_id "Tenant ID"
					application_id "App ID"
					application_name "SSRS"
					entity_id "urn:caddy:ssrs"
			ui {				
                links {
				"Reports Viewer" /reports
	route /reports* {
		jwt {
			primary yes			
			set auth url /auth
			allow roles SSRS_Management SSRS_Sales
		reverse_proxy http://localhost:8080
	route {
    redir https://{hostport}/auth 302

3. The problem I’m having:

The SAML auth and revers proxy into SSRS is working just fine. The issue I’m having is figuring out how to pass the user/groups from my SAML login into SSRS so the user is not having to login with SAML and then type in windows auth in order to login.

Anyone have any idea on how I would accomplish this?

4. Error messages and/or full log output:

I’m also receiving this in my logs

2021/10/06 22:40:02.804 ERROR http.handlers.authentication auth provider returned error {“provider”: “jwt”, “error”: “no token found”}

5. What I already tried:

6. Links to relevant resources:

/cc @greenpau

@ReverseProxy101 , are you sure you compiled caddy with the right “jwt” plugin? What are the auth plugin versions?

The auth is working. I can login via SAML. However, SSRS has windows auth enabled for seperate groups for reports. Is there a way to match or pass the logged in user from JWT to the windows auth of SSRS.

@ReverseProxy101 , please open an issue in GitHub - greenpau/caddy-authorize: Authorization Plugin for Caddy v2 (JWT/PASETO)

Sounds like you need to pass user identity to the proxied SSRS. Correct?

What confuses me is the reference to an error. I don’t understand how it fits.

Let’s skip that error and worry about passing the user identity.

ok, I will open the issue on github

This topic was automatically closed after 30 days. New replies are no longer allowed.