I’m trying to integrate Open Distro ELK with OpenID Connect by following the guide here (OpenID Connect - Open Distro Documentation), specifically by updating the kibana.yml and config.yml files as shown.
The behavior I’m seeing is:
- Visit ${KIBANA_URL}
- Get redirected straight to ${KIBANA_URL}/auth/openid/login with 401
I’m checking the network requests, and I’m not sure why it’s not redirecting to the IDP (Okta) first. What should I check next?
# config.yml (excerpt). Nesting restored from the pasted, flattened listing.
# The parent key is not shown in this excerpt; in the security plugin's
# config.yml these sections normally sit under `dynamic:` - confirm against
# the full file.
authc:
  # Auth domains are evaluated in ascending `order`; here that is
  # clientcert (1), basic (2), then openid (3).

  # HTTP Basic checked against the internal user database.
  basic_internal_auth_domain:
    authentication_backend:
      type: internal
    description: 'Authenticate via HTTP Basic against internal users database'
    http_authenticator:
      # With challenge disabled this domain does not prompt for credentials
      # itself; it only accepts an Authorization header that is already
      # present. The Kibana server user relies on this domain.
      challenge: false
      type: basic
    http_enabled: true
    order: 2
    transport_enabled: true

  # TLS client-certificate authentication.
  clientcert_auth_domain:
    authentication_backend:
      # noop: no backend lookup; identity comes from the certificate.
      type: noop
    description: 'Authenticate via SSL client certificates'
    http_authenticator:
      challenge: false
      config:
        # The certificate subject's CN becomes the user name, so any
        # certificate the node trusts can assert an arbitrary CN. Keep the
        # trusted CA set for client certificates narrow.
        username_attribute: cn
      type: clientcert
    http_enabled: true
    order: 1
    transport_enabled: true

  # OpenID Connect: validates the bearer token issued by the IdP.
  openid_auth_domain:
    authentication_backend:
      # noop: the signed token carries the identity, no backend lookup.
      type: noop
    http_authenticator:
      challenge: false
      config:
        # Discovery document; the signing keys used to verify tokens are
        # located through it, so it should be an https:// URL of the
        # intended IdP.
        # NOTE(review): the placeholder is written `{IDP}` here but `${IDP}`
        # in kibana.yml - confirm both resolve to the same issuer and that
        # the literal text `{IDP}` is not what ends up in the deployed file.
        openid_connect_url: '{IDP}/.well-known/openid-configuration'
        # Token claim mapped to backend roles. Presumably the IdP must be
        # configured to emit a claim with this exact name - verify in a
        # decoded token.
        roles_key: roles
        # Token claim used as the user name.
        subject_key: preferred_username
      type: openid
    http_enabled: true
    order: 3
    transport_enabled: true

http:
  # Requests without credentials are rejected, not mapped to an anonymous
  # user.
  anonymous_auth_enabled: false

kibana:
  # Quoted so an empty or special-character expansion cannot change the
  # scalar's type.
  server_username: '${SERVER_USERNAME}'
kibana.yml snippet:
# NOTE(review): this excerpt does not show `opendistro_security.auth.type`;
# the OpenID guide sets it to "openid" - confirm it is present elsewhere in
# kibana.yml.

# Public base URL of Kibana, used to build the redirect sent to the IdP.
# Presumably it has to match a redirect URI registered for this client at
# the IdP - verify in the IdP application settings.
opendistro_security.openid.base_redirect_url: '${KIBANA_URL}'
opendistro_security.openid.client_id: '${CLIENT_ID}'
# Keep the real secret out of version control and inject it at deploy time.
# NOTE(review): this placeholder is `{CLIENT_SECRET}` without the leading `$`
# used on the neighbouring lines - confirm it is substituted the same way.
opendistro_security.openid.client_secret: '{CLIENT_SECRET}'
# Should point at the same discovery document as `openid_connect_url` in
# config.yml, and must be reachable from the Kibana server itself.
opendistro_security.openid.connect_url: '${IDP}/.well-known/openid-configuration'