Auth0 SAML Integration With Kibana

Hello:

Has anyone integrated Kibana successfully with Auth0 as SAML identity provider? I have been struggling with this and hope someone has already gotten this working.

Auth0 has what seems to be a straightforward guide here, and I have followed the instructions, but I keep getting the typical SAML config error screen when accessing the Kibana landing page.

I should add that I am using the Helm chart for Kubernetes deployment and adding a config.yml to the values.yaml file.

Any help is appreciated.

Thanks.

@jason10 I got Auth0 working using below configuration (tested with odfe versions 1.9-1.13):
config.yml

  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: intern
  saml_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: saml
      challenge: true
      config:
        idp:
          metadata_url: https://dev-....eu.auth0.com/samlp/metadata/V1jh3...
          entity_id: "urn:dev-....eu.auth0.com"
        sp:
          entity_id: "http://localhost"
        kibana_url: "http://localhost:5601"
        roles_key: "roles"
        exchange_key: '12345678901234567890123456789012'
    authentication_backend:
      type: noop

kibana.yml

server.name: kibana
server.host: "0"
elasticsearch.hosts: https://localhost:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
opendistro_security.cookie.secure: false
opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]

Hope this helps

Hi @Anthony, I did what you said and got an internal server error from OpenSearch Dashboards. Can you please help? (I am doing this with OpenSearch, not Kibana.)

{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}

@AvianDo Can you share your opensearch_dashboards.yml, config.yml and opensearch.yml (redact any sensitive info please)

Also, can you confirm which opensearch image you are using, opensearchproject/opensearch:latest or 1.0.0?

Hi @Anthony
Here is the OpenSearch.yml

Here is the OpenSearch-Dashboard.yml

And here is the config file:

The image I used is: 1.0.0

@AvianDo
Can you please update the auth section as per below:

      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      saml_auth:
        http_enabled: true
        transport_enabled: true
        order: 2
        http_authenticator:
          type: saml
          challenge: true
          ..etc...

@Anthony I did as you showed, but the same issue is still there.
So, what can I do next?

Issue is now resolved.

A couple of things to watch out for if anyone is having similar issues:

  1. Set basic auth as the first order, with the challenge flag set to false.
  2. If using docker, make sure to run docker-compose down -v for a fresh instance, otherwise the config will be saved in volumes and cause confusion.
  3. Keep an eye on http vs https: OpenSearch Dashboards can talk to ES via https, but this doesn't mean that Dashboards is served via https.
    Communication with ES is set up in opensearch_dashboards.yml with the line:
    opensearch.hosts: ["https://localhost:9200"]
    Whether Dashboards is served via http or https is determined in the same file with the lines:
    server.ssl.enabled: true/false (default false)
    server.ssl.key: path/to/key
    server.ssl.certificate: path/to/certificate
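As an added example (not code from this thread or from the OpenSearch project), here is a small pre-flight check that encodes the pitfalls above: basic auth must have the lowest order with challenge false, the SAML domain needs a long enough exchange_key, kibana_url must use the same scheme Dashboards is actually served on, and the SAML ACS/logout paths must be on server.xsrf.whitelist. It takes the already-parsed YAML as plain dicts (the samples below are constructed from the thread's working config), so it runs without PyYAML.

```python
from urllib.parse import urlparse

# Paths the security plugin uses during the SAML flow; Dashboards must exempt
# them from XSRF protection (the server.xsrf.whitelist line in the thread).
SAML_PATHS = [
    "/_opendistro/_security/saml/acs/idpinitiated",
    "/_opendistro/_security/saml/acs",
    "/_opendistro/_security/saml/logout",
]

def lint(authc, dashboards):
    """Check the parsed config.yml 'authc' domains against the parsed Dashboards yml.
    Returns a list of findings; an empty list means no known pitfall was detected."""
    findings = []
    ranked = sorted(authc.items(), key=lambda kv: kv[1].get("order", 0))
    first_name, first = ranked[0]
    if first["http_authenticator"]["type"] != "basic":
        findings.append(f"{first_name} has the lowest order; basic auth should come first")
    for name, dom in authc.items():
        auth = dom["http_authenticator"]
        if auth["type"] == "basic" and auth.get("challenge", True):
            # challenge: true makes the browser show a basic-auth prompt instead of the SAML redirect
            findings.append(f"{name}: challenge must be false for the basic domain")
        if auth["type"] == "saml":
            cfg = auth.get("config", {})
            if len(cfg.get("exchange_key", "")) < 32:  # HMAC-SHA256 token signing key
                findings.append(f"{name}: exchange_key should be at least 32 characters")
            scheme = urlparse(cfg.get("kibana_url", "")).scheme
            served = "https" if dashboards.get("server.ssl.enabled", False) else "http"
            if scheme != served:
                findings.append(f"{name}: kibana_url is {scheme} but Dashboards is served over {served}")
    if dashboards.get("opendistro_security.auth.type") != "saml":
        findings.append("opendistro_security.auth.type must be 'saml'")
    missing = [p for p in SAML_PATHS if p not in dashboards.get("server.xsrf.whitelist", [])]
    findings.extend(f"server.xsrf.whitelist is missing {p}" for p in missing)
    return findings

# Constructed samples: the working pair from this thread, and a broken variant
# (orders swapped, basic challenge true, https Dashboards with http kibana_url).
AUTHC_OK = {
    "basic_internal_auth_domain": {"order": 0, "http_authenticator": {"type": "basic", "challenge": False}},
    "saml_auth_domain": {"order": 1, "http_authenticator": {"type": "saml", "challenge": True,
        "config": {"kibana_url": "http://localhost:5601", "exchange_key": "12345678901234567890123456789012"}}},
}
DASH_OK = {"server.ssl.enabled": False, "opendistro_security.auth.type": "saml",
           "server.xsrf.whitelist": list(SAML_PATHS)}
AUTHC_BAD = {"basic_internal_auth_domain": {"order": 1, "http_authenticator": {"type": "basic", "challenge": True}},
             "saml_auth_domain": {**AUTHC_OK["saml_auth_domain"], "order": 0}}
DASH_BAD = {"server.ssl.enabled": True, "server.xsrf.whitelist": []}  # no auth.type set either

if __name__ == "__main__":
    for finding in lint(AUTHC_OK, DASH_OK) + lint(AUTHC_BAD, DASH_BAD):
        print(finding)
```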