Error in Auth with SAML using Authentik

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

Wazuh 4.9.0 using docker compose

Describe the issue:

I have a docker compose setup using Traefik for a reverse proxy and Authentik for
identity.
I have it working without problem using the basic auth and can log in.

I can log in using basicauth without problem, but when I hit the SSO (SAML) button
I get an internal error:

{
  "statusCode": 500,
  "error": "Internal Server Error",
  "message": "Internal Error"
}

From the logs (see below)
“Failed to get saml header: Authentication Exception :: {"path":"/_plugins/_security/authinfo","query":{},"statusCode":401,"response":"Authentication finally failed"}”

Configuration:

The dashboard config is set up as:

opensearch_security.auth.type: ["basicauth","saml"]
opensearch_security.auth.multiple_auth_enabled: true
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false

The security config.yml authc section is:

  authc:
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: kerberos
          challenge: true
          config:
            # If true a lot of kerberos/security related debugging output will be logged to standard out
            krb_debug: false
            # If true then the realm will be stripped from the user name
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        description: "Authenticate SAML against internal users database"
        http_enabled: true
        transport_enabled: true 
        order: 0
        http_authenticator:
          type: basic 
          challenge: false
        authentication_backend:
          type: intern 
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml 
          challenge: true
          config: 
            idp:
              metadata_file: "wazuh-saml_authentik_meta.xml"
                #metadata_file: "/usr/share/wazuh-indexer/opensearch-security/wazuh-saml_authentik_meta.xml"
              entity_id: "wazuh-saml"
            sp:
              entity_id: "wazuh-saml"
            kibana_url: "https://wazuh.augusta-2.rhsys.co/"
            roles_key: Roles
            exchange_key: |
              MIIE4zCCAsugAwIBAgIQN8VNcsVnTGek3AwlZ6Ca+TANBgkqhkiG9w0BAQsFADAd
              MRswGQYDVQQDDBJhdXRoZW50aWsgMjAyNC44LjIwHhcNMjQxMDAzMTYxMzA5WhcN
              MjYxMDA0MTYxMzA5WjA+MRIwEAYDVQQDDAlTQU1MIENlcnQxEjAQBgNVBAoMCWF1
              dGhlbnRpazEUMBIGA1UECwwLU2VsZi1zaWduZWQwggIiMA0GCSqGSIb3DQEBAQUA
MIDDLE REMOVED FOR SECURITY
              ibZ4gqXIOofiJOobYpmqCu/TJhILgs50WCWI4gwp29GXbw90Qd90Bg0N2aX2AA7L
              nlgDa3IlM+ITC50pd9bPOThbcaOzfKNZAg1DdvUbfCMi2BqDaAb99OUz7IV6pJ+i
              wBe5GqLZqFAAZktYyX3iqzQt2uF9d8NSgaA8Nt6IixnMc+9BSxZDqd6sDU5hUtTL
              NAzEaUhYXxBIOGD0tHhpqoLJFPTSbLWUNyNy/xVv9BxOLGDUsX8r9k0vpSmP71oD
              C2sQcroWkA==
        authentication_backend:
          type: noop
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: false
        transport_enabled: false
        order: 0
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            jwt_clock_skew_tolerance_seconds: 30
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: null

Relevant Logs or Screenshots:

The docker logs show


wazuh.dashboard-1  | {"type":"response","@timestamp":"2024-10-08T13:24:58Z","tags":[],"pid":54,"method":"get","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment?nextUrl=%2F","method":"get","headers":{"host":"wazuh.augusta-2.rhsys.co","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.5","priority":"u=0, i","sec-ch-ua":"\"Brave\";v=\"129\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"129\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Linux\"","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-origin","sec-fetch-user":"?1","sec-gpc":"1","upgrade-insecure-requests":"1","x-forwarded-for":"75.63.123.147","x-forwarded-host":"wazuh.augusta-2.rhsys.co","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-server":"7eec43a59ce3","x-real-ip":"75.63.123.147"},"remoteAddress":"172.20.0.1","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"},"res":{"statusCode":200,"responseTime":4,"contentLength":9},"message":"GET /auth/saml/captureUrlFragment?nextUrl=%2F 200 4ms - 9.0B"}
wazuh.dashboard-1  | {"type":"response","@timestamp":"2024-10-08T13:24:58Z","tags":[],"pid":54,"method":"get","statusCode":200,"req":{"url":"/auth/saml/captureUrlFragment.js","method":"get","headers":{"host":"wazuh.augusta-2.rhsys.co","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36","accept":"*/*","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.5","priority":"u=1","referer":"https://wazuh.augusta-2.rhsys.co/auth/saml/captureUrlFragment?nextUrl=%2F","sec-ch-ua":"\"Brave\";v=\"129\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"129\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Linux\"","sec-fetch-dest":"script","sec-fetch-mode":"no-cors","sec-fetch-site":"same-origin","sec-gpc":"1","x-forwarded-for":"75.63.123.147","x-forwarded-host":"wazuh.augusta-2.rhsys.co","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-server":"7eec43a59ce3","x-real-ip":"75.63.123.147"},"remoteAddress":"172.20.0.1","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36","referer":"https://wazuh.augusta-2.rhsys.co/auth/saml/captureUrlFragment?nextUrl=%2F"},"res":{"statusCode":200,"responseTime":3,"contentLength":9},"message":"GET /auth/saml/captureUrlFragment.js 200 3ms - 9.0B"}
wazuh.indexer-1    | [2024-10-08T13:24:58,147][WARN ][o.o.s.a.BackendRegistry  ] [wazuh.indexer] Authentication finally failed for null from 172.20.0.4:37170
wazuh.dashboard-1  | {"type":"log","@timestamp":"2024-10-08T13:24:58Z","tags":["error","plugins","securityDashboards"],"pid":54,"message":"Failed to get saml header: Authentication Exception :: {\"path\":\"/_plugins/_security/authinfo\",\"query\":{},\"statusCode\":401,\"response\":\"Authentication finally failed\"}"}
wazuh.dashboard-1  | {"type":"error","@timestamp":"2024-10-08T13:24:58Z","tags":[],"pid":54,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n    at HapiResponseAdapter.toError (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:127:19)\n    at HapiResponseAdapter.toHapiResponse (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:83:19)\n    at HapiResponseAdapter.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/response_adapter.js:79:17)\n    at Router.handle (/usr/share/wazuh-dashboard/src/core/server/http/router/router.js:175:34)\n    at processTicksAndRejections (node:internal/process/task_queues:95:5)\n    at handler (/usr/share/wazuh-dashboard/src/core/server/http/router/router.js:140:50)\n    at exports.Manager.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/toolkit.js:60:28)\n    at Object.internals.handler (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/handler.js:46:20)\n    at exports.execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/handler.js:31:20)\n    at Request._lifecycle (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:371:32)\n    at Request._execute (/usr/share/wazuh-dashboard/node_modules/@hapi/hapi/lib/request.js:281:9)"},"url":"https://wazuh.augusta-2.rhsys.co/auth/saml/login?nextUrl=%2F&redirectHash=false","message":"Internal Server Error"}
wazuh.dashboard-1  | {"type":"response","@timestamp":"2024-10-08T13:24:58Z","tags":[],"pid":54,"method":"get","statusCode":500,"req":{"url":"/auth/saml/login?nextUrl=%2F&redirectHash=false","method":"get","headers":{"host":"wazuh.augusta-2.rhsys.co","user-agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.5","priority":"u=0, i","referer":"https://wazuh.augusta-2.rhsys.co/auth/saml/captureUrlFragment?nextUrl=%2F","sec-ch-ua":"\"Brave\";v=\"129\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"129\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Linux\"","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-origin","sec-gpc":"1","upgrade-insecure-requests":"1","x-forwarded-for":"75.63.123.147","x-forwarded-host":"wazuh.augusta-2.rhsys.co","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-server":"7eec43a59ce3","x-real-ip":"75.63.123.147"},"remoteAddress":"172.20.0.1","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36","referer":"https://wazuh.augusta-2.rhsys.co/auth/saml/captureUrlFragment?nextUrl=%2F"},"res":{"statusCode":500,"responseTime":18,"contentLength":9},"message":"GET /auth/saml/login?nextUrl=%2F&redirectHash=false 500 18ms - 9.0B"}

Hi @pwd,

Could you also share your opensearch.yml so I can get a better picture of your setup?

Thanks,
mj

This is part of a Wazuh setup; the opensearch.yml file (for the “indexer”, or
main OpenSearch, container) is:

network.host: "0.0.0.0"
node.name: "wazuh.indexer"
path.data: /var/lib/wazuh-indexer
path.logs: /var/log/wazuh-indexer
discovery.type: single-node
http.port: 9200-9299
transport.tcp.port: 9300-9399
compatibility.override_main_response_version: true
plugins.security.ssl.http.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
plugins.security.ssl.http.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
plugins.security.ssl.http.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.transport.pemcert_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.pem
plugins.security.ssl.transport.pemkey_filepath: /usr/share/wazuh-indexer/certs/wazuh.indexer.key
plugins.security.ssl.transport.pemtrustedcas_filepath: /usr/share/wazuh-indexer/certs/root-ca.pem
plugins.security.ssl.http.enabled: true
plugins.security.ssl.transport.enforce_hostname_verification: false
plugins.security.ssl.transport.resolve_hostname: false
plugins.security.authcz.admin_dn:
- "CN=admin,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.check_snapshot_restore_write_privileges: true
plugins.security.enable_snapshot_restore_privilege: true
plugins.security.nodes_dn:
- "CN=wazuh.indexer,OU=Wazuh,O=Wazuh,L=California,C=US"
plugins.security.restapi.roles_enabled:
- "all_access"
- "security_rest_api_access"
plugins.security.system_indices.enabled: true
plugins.security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opensearch-observability", ".opendistro-asynchronous-search-response*", ".replication-metadata-store"]
plugins.security.allow_default_init_securityindex: true
cluster.routing.allocation.disk.threshold_enabled: false

@pwd, before diving deeper, have you seen this, related to Wazuh and error 501: Security_authentication cookie failure [wazuh-opensearch] - #2 by Mantas

best,
mj

I don’t have another OpenSearch running, just the one used by Wazuh. I had not seen this
article but don’t have the condition.

I have tried three different ways to get the meta-data on SAML into OpenSearch:

config:
  idp:
    #metadata_file: "wazuh-saml_authentik_meta.xml"
    #metadata_file: "/usr/share/wazuh-indexer/wazuh-saml_authentik_meta.xml"
    metadata_url: "https://auth.augusta-2.rhsys.co/api/v3/providers/saml/3/metadata/?download"
    entity_id: "wazuh-saml"

None of them work (several others with the same error said that they fixed the
problem by switching how they got the metadata).

I have found the following in the logs:

wazuh.indexer-1    | [2024-10-09T17:17:52,655][ERROR][c.a.d.a.h.s.HTTPSamlAuthenticator] [wazuh.indexer] Error creating HTTPSamlAuthenticator. SAML authentication will not work
wazuh.indexer-1    | java.lang.IllegalArgumentException: Illegal base64 character 2b

I assume that this is the source of the error but don’t know what to do about it.

In all of the base64 configurations (in the opensearch.yml and in the saml-meta.xml files)
I changed to the other base64 alphabet (- for + and _ for /) and still got the same error.
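A small diagnostic, added here and not part of the thread, that mirrors the strict check behind that log line: byte 0x2b is '+', a character the standard base64 alphabet allows but a URL-safe decoder such as Java's Base64.getUrlDecoder() rejects, and the same decoders also reject the newlines a YAML `|` block scalar keeps. The sample key is constructed; the helper names are this example's own.

```python
import base64
import re
from typing import Optional, Tuple

# Characters a strict URL-safe decoder accepts: A-Z a-z 0-9 '-' '_' plus '=' padding.
# Anything else (including '+', '/', spaces and newlines) is rejected outright.
URLSAFE_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_="
)

# Constructed sample: standard base64 of b"wazuh-saml-demo\xfb\xff\xbf".
# The trailing bytes were chosen so the value contains '+' and '/'.
SAMPLE_KEY = "d2F6dWgtc2FtbC1kZW1v+/+/"


def first_illegal_char(value: str) -> Optional[Tuple[int, str]]:
    """Return (offset, message) for the first character a strict URL-safe
    decoder would reject, with the message in the same form the indexer logged
    ("Illegal base64 character 2b"); None means the value is clean."""
    for offset, ch in enumerate(value):
        if ch not in URLSAFE_ALPHABET:
            return offset, f"Illegal base64 character {ord(ch):x}"
    return None


def to_urlsafe(value: str) -> str:
    """Re-encode a standard-alphabet (or mixed) base64 value with the URL-safe
    alphabet: strip whitespace a YAML block scalar kept, map '-'/'_' back to
    '+'/'/', restore padding, decode strictly, then emit '-' and '_'."""
    compact = re.sub(r"\s+", "", value)
    standard = compact.replace("-", "+").replace("_", "/")
    standard += "=" * (-len(standard) % 4)
    raw = base64.b64decode(standard, validate=True)  # raises on any stray byte
    return base64.urlsafe_b64encode(raw).decode("ascii")


if __name__ == "__main__":
    problem = first_illegal_char(SAMPLE_KEY)
    print("standard-alphabet key:", problem)          # (20, 'Illegal base64 character 2b')
    fixed = to_urlsafe(SAMPLE_KEY)
    print("url-safe key:", fixed, first_illegal_char(fixed))
    # A value pasted with '|' keeps its line breaks; 0x0a is flagged too.
    print("multi-line key:", first_illegal_char("d2F6dWgt\nc2Ft"))
```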

One more thing to check here is if the headers are not too large: SAML - OpenSearch Documentation

You can test by increasing the http.max_header_size value in the opensearch.yml file.

best,
mj

Both places I tried to put in the max_header_size gave configuration errors.
Also, I am getting a bad base64 error, not a size error.

I am going to try an OpenID Connect SSO setup and see if I can get that working.

I found the problem.

The instructions I had were for an earlier version of the indexer (OpenSearch).
As of Wazuh 4.9, see the following: Troubleshooting - Upgrade guide · Wazuh documentation


@pwd, that is good to know. Thanks for sharing.