Entra SSO - Alertmanager OK not Alerting #1225

@lunachocken

Description

SSO protected endpoint via Entra for alertmanager does not trigger authentication and instead returns OK.

Reproducing setup

  • Envoy Gateway on ingress
  • Httproute for grafana.xxx.yyy.zzz with path /alertmanager (/alertmanager redirects to alertmanager pod not Grafana)
  • OIDC security policy on httproute with redirect for SSO
  • Organisation Microsoft Entra as the SSO issuer

Steps to reproduce

  1. Set monitor type to "Alertmanager"
  2. Set authentication to "web"
  3. Set url to https://grafana.xxx.yyy.zzz/alertmanager
  4. Confirm settings
  5. Observe "OK"

Expected behaviour

  1. Nagstamon triggers popup requesting authentication
  2. Login to https://login.microsoftonline.com/
  3. Close window
  4. Several alerts appear

Actual behaviour

  1. Upon configuring and setting the configs, a simple "OK" is present, there is no request for authentication, and it doesn't actually get past the SSO.

Environment

OS:

NAME="Nobara Linux"
VERSION="43 (KDE Plasma Desktop Edition)"

Environment: distrobox with image: fedora-toolbox

  • Nagstamon: nagstamon.noarch 3.19.20260508-1 nagstamon-latest

Reflection

I assume the error is due to Microsoft's page returning a 200 status, which Nagstamon assumes is fine.
On using mitmproxy to change the status code to 401 instead, this triggers Nagstamon to require authentication and resolves the issue.

from mitmproxy import http

# mitmproxy addon: run with `mitmdump -s <this file>` and point Nagstamon at the proxy.
def response(flow: http.HTTPFlow):
    # 1. Check if the host matches Microsoft Login
    if "login.microsoftonline.com" in flow.request.pretty_host:

        # 2. Check if the path contains /oauth
        if "<tenant-id>/oauth2/v2.0/authorize?" in flow.request.path:

            # 3. Change 200 OK to 401 Unauthorized
            if flow.response.status_code == 200:
                flow.response.status_code = 401
                #flow.response.reason = "Unauthorized"
                #flow.response.text = "Access Denied: Microsoft Login Intercepted"

                print(f"DEBUG: Intercepted {flow.request.url} - Forced 401")
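As an added illustration of the root cause described in the report (example code, not Nagstamon's or the reporter's own): a response classifier that refuses to trust a bare 200 and instead checks where the request ended up after redirects and whether the body is actually Alertmanager JSON. The configured URL host and the "list of alerts" JSON shape of the Alertmanager API are assumptions used for the check.

```python
import json
from urllib.parse import urlparse


def classify_response(expected_url, final_url, status_code, content_type, body):
    """Classify a monitor probe as 'ok', 'auth_required' or 'error'.

    final_url is the URL after following redirects, so a bounce to an identity
    provider (e.g. login.microsoftonline.com) is visible even though that
    provider answers the login page with HTTP 200.
    """
    expected_host = (urlparse(expected_url).hostname or "").lower()
    final_host = (urlparse(final_url).hostname or "").lower()

    # Explicit auth challenges are the easy case.
    if status_code in (401, 403, 407):
        return "auth_required"

    # Landed on a different host than the monitor was configured for: the body
    # is an SSO login form, not alert data, whatever the status code says.
    if final_host != expected_host:
        return "auth_required"

    if status_code != 200:
        return "error"

    # The Alertmanager API speaks JSON; an HTML body on the right host is a
    # portal or login page that an ingress-level auth policy served instead.
    if "application/json" not in (content_type or "").lower():
        return "auth_required"

    try:
        data = json.loads(body)
    except ValueError:
        return "error"

    # Assumption: /api/v2/alerts returns a JSON list of alert objects.
    if not isinstance(data, list):
        return "error"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: the SSO bounce from the report answered with 200.
    print(classify_response("https://grafana.xxx.yyy.zzz/alertmanager",
                            "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?x=1",
                            200, "text/html; charset=utf-8", "<html>login</html>"))
```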
