Hi All,
I'm trying to integrate the PingID IdP as an OpenID Connect SSO provider for opendistro.
Does anyone have any idea about the implementation and how to make it work?
How different would it be than using any other IDP, like Keycloak?
Thanks for your response @lmit. I was able to fix the issue with my configuration for Kibana.
Now I can proceed with my IdP for Kibana. Now I want to concentrate on getting Elasticsearch to work in the same way with PingID. Do you have configuration settings for Elasticsearch? I mean, where can we set up client_id & client secret, etc…
Hi Manz, the documentation is pretty good about that part:
https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/openid-connect/
and
But you can also check out this thread where Kibana configuration with that info is shared
This is helpful. My question was about the client-id and client secret values for Elasticsearch (the way we configure them in kibana.yml for Kibana). In the above documents I don't find them. So don't we need those values for Elasticsearch?
Correct, you don't need to specify client-id and client secret values in your Elasticsearch config. Only in your Kibana configuration, which Elasticsearch will use to decode the JWT tokens from the specified "openid_connect_url" configuration.
As the documentation says right here:
OpenID Connect
The Security plugin can integrate with identity providers that use the OpenID Connect standard. This feature enables the following:
Automatic configuration: Point the Security plugin to the metadata of your identity provider (IdP), and the Security plugin uses that data for configuration.
Automatic key fetching: The Security plugin automatically retrieves the public key for validating the JSON web tokens (JWTs) from the JSON web key set (JWKS) endpoint of your IdP. You don't have to configure keys or shared secrets in config.yml.
Key rollover: You can change the keys used for signing the JWTs directly in your IdP. If the Security plugin detects an unknown key, it tries to retrieve it from the IdP. This rollover is transparent to the user.
Kibana single sign-on
https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/openid-connect/
Here is my working config.yml file
```yaml
---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      openid_auth_domain:
        description: "Authenticate via Keycloak Identity Provider"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: "https://my.IDP.com:8443/auth/realms/myrealm/.well-known/openid-configuration"
            jwks_uri: "https://my.IDP.com:8443/auth/realms/myrealm/protocol/openid-connect/certs"
            enable_ssl_client_auth: true
            pemkey_filepath: "/etc/elasticsearch/ssl/my.domain.com.key"
            pemcert_filepath: "/etc/elasticsearch/ssl/my.domain.com.crt"
            pemtrustedcas_filepath: "/etc/elasticsearch/ssl/my.domain.com.ca.crt"
            enable_ssl: true
            verify_hostnames: true
        authentication_backend:
          type: noop
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: kerberos
          challenge: true
          config:
            krb_debug: false
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: false
        transport_enabled: false
        order: 4
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: null
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
              - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            usersearch: '(uid={0})'
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap
```
Thanks for the complete details Mitchell.
Now I'm trying to integrate only Kibana with my IDP as an OpenID provider. And that is also working perfectly with the below configuration.
Whereas in my case I wanted to use only BASIC auth for the Elasticsearch side (with the same below configuration), then it is failing with a 401 Unauthorized error. But when I set the basic auth challenge to TRUE, then Elasticsearch will work with basic auth, whereas Kibana with the OpenID connection doesn't work. How can I make both of these work for me?
```yaml
---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      openid_auth_domain:
        description: "Authenticate via openid Identity Provider"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_url: "https://XXXXXXXXXX/.well-known/openid-configuration"
        authentication_backend:
          type: noop
```
Hi Manz, I have read over your message and I admit that I just don't understand what you are trying to do?
Fundamentally, Kibana and Elasticsearch are front-end and back-end of THE SAME SYSTEM, so they must both work together for basic auth, or basic auth + openID. You have to choose. You cannot have one for Kibana and another combination for Elasticsearch.
As the documentation states, it's probably a better idea to have basic auth + openID, so your local accounts for back-end (non-openID) operations work, like logstash and beats. Otherwise, I'm not sure how you will populate your ELK stack with data, while using your openID for your users to authenticate and view your data from the front-end.
Any other use-case and I can't help you as that was not my intentional workflow when setting up my cluster.
Regards
I think you are right. In my case I use openID auth for Kibana (front-end) and for Elasticsearch I use Basic auth (back-end).
Right now what's happening with my above configuration is: if I set the basic auth order to "0", then I will get challenged with the basic auth login form and authentication will succeed. Then Kibana also challenges me with a login page, but authentication will fail with "No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'".
In the same way, if I set the openID order to "0", then Kibana authentication will succeed, but ES will not challenge me with a login page (I get the same 401 error as above), whereas I can send cURL/Postman (any REST client) requests to Elasticsearch and will get the proper response.
What I mean to say is that the auth domain which has order "0" will succeed and the other will fail. Maybe this is the right behavior with the current OSS security code and maybe my above scenario is wrong.
I'm just looking to get challenged with the basic auth login page in my case… any suggestions/help on this would be much appreciated!
Hi @lmit, their documentation clearly says that "a client can't be challenged with 2 different authentication methods". I mean in my case openid + basic.
```yaml
# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert"
# first and the challenging one last.
# Because it's not possible to challenge a client with two different authentication methods (for example
# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation
# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request.
```
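A small linter for the rule quoted above, as an added example (not code from the thread or from the plugin): it walks the `authc` domains of a config.yml and reports more than one challenging HTTP authenticator, a challenging domain ordered before a non-challenging one, an openid domain without `openid_connect_url`, and the basic + openid, both `challenge: false` situation from this thread, where a browser gets a bare 401 and only pre-authenticated requests succeed. The sample `authc` dict is constructed to mirror the two-domain config posted above.

```python
"""Lint the `authc` section of an Open Distro security config.yml.
Added example, not from the thread or the plugin: at most one HTTP
authenticator may set challenge: true, non-challenging ones come first."""


def check_authc(authc: dict) -> list:
    """Return findings for an `authc` mapping, i.e. the dict obtained from
    yaml.safe_load(open("config.yml"))["config"]["dynamic"]["authc"]."""
    enabled = []  # (order, name, type, challenge, config) for HTTP-enabled domains
    for name, domain in authc.items():
        if not domain.get("http_enabled", False):
            continue
        auth = domain.get("http_authenticator", {})
        enabled.append((domain.get("order", 0), name, auth.get("type"),
                        bool(auth.get("challenge", False)), auth.get("config") or {}))
    enabled.sort()  # the plugin tries domains in ascending `order`
    findings = []
    orders = [e[0] for e in enabled]
    if len(orders) != len(set(orders)):
        findings.append("duplicate order values among enabled domains")
    challengers = [e[1] for e in enabled if e[3]]
    if len(challengers) > 1:
        findings.append("more than one challenging authenticator: " + ", ".join(challengers))
    for i, (_, name, _, challenge, _) in enumerate(enabled):
        if challenge and any(not later[3] for later in enabled[i + 1:]):
            findings.append(name + " challenges but a non-challenging domain has a higher order")
    for _, name, typ, _, cfg in enabled:
        if typ == "openid" and not cfg.get("openid_connect_url"):
            findings.append(name + ": openid authenticator has no openid_connect_url")
    if enabled and not challengers:
        findings.append("no domain challenges: browsers get a bare 401 with no login prompt; "
                        "clients must pre-authenticate (e.g. send an Authorization header)")
    return findings


# Constructed sample mirroring the two-domain config posted above (not a real deployment).
SAMPLE_AUTHC = {
    "basic_internal_auth_domain": {
        "http_enabled": True, "order": 0,
        "http_authenticator": {"type": "basic", "challenge": False},
        "authentication_backend": {"type": "intern"},
    },
    "openid_auth_domain": {
        "http_enabled": True, "order": 1,
        "http_authenticator": {"type": "openid", "challenge": False,
            "config": {"openid_connect_url": "https://idp.example/.well-known/openid-configuration"}},
        "authentication_backend": {"type": "noop"},
    },
}
```

Running `check_authc(SAMPLE_AUTHC)` yields only the "no domain challenges" finding, which is exactly the 401-without-login-page behaviour described in the thread.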
Hi manz, once I enabled openID at order "1" and basic at order "0",
I was NEVER able to get to the basic login page for ANY front-end authentication… I tried different URLs to get the login page, but I suspect that the local login page is now disabled.
ALL front-end authentication will be openID. So I made sure I have a role configured to give me Admin access using front-end login.
For back-end services, then I could use the local accounts setup in Elasticsearch, but those will only work through API calls.
I don’t think there are any fine-grained front-end authentication methods available for open-distro
Thanks @lmit for more details.
Hi Mitchell,
For some reason I have to use the initial version of ES & Kibana, 6.5.4, and the security plugin version is 0.7.0.1. I'm trying to integrate OpenID Connect, but from the Kibana side I'm getting an error like below. (Authentication failed… Please provide a new token.)
Below is my Kibana configuration:
```yaml
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://XXXXXXX/.well-known/openid-configuration"
opendistro_security.openid.client_id: "XXXXXXXXX"
opendistro_security.openid.client_secret: "XXXXXXXXX"
opendistro_security.openid.scope: "openid"
opendistro_security.openid.base_redirect_url: "http://XXXXXXX:5601"
logging.verbose: true
```
My config has:
```yaml
basic_internal_auth_domain:
  http_enabled: true
  transport_enabled: true
  order: 0
  http_authenticator:
    type: basic
    challenge: false
  authentication_backend:
    type: intern
openid_auth_domain:
  description: "my openid provider"
  http_enabled: true
  transport_enabled: true
  order: 1
  http_authenticator:
    type: openid
    challenge: false
    config:
      subject_key: preferred_username
      roles_key: roles
      openid_connect_url: "https://XXXXXXXXX/.well-known/openid-configuration"
  authentication_backend:
    type: noop
```
And from the Elasticsearch side I get this error; I'm not sure what I'm doing wrong here.
```text
[2020-02-27T16:41:00,755][WARN ][o.a.c.r.s.j.j.JwsUtils ] [somenode] No signature algorithm was defined
[2020-02-27T16:41:00,755][WARN ][o.a.c.r.s.j.j.JwsUtils ] [somenode]
'org.apache.cxf.rs.security.jose.jws.JwsException: ALGORITHM_NOT_SET' extracting credentials from jwt-key-by-oidc http authenticator
org.apache.cxf.rs.security.jose.jws.JwsException: ALGORITHM_NOT_SET
```
Any help on this would be much appreciated. Thanks!
I was able to resolve this issue with the help of the fix described in Set Algorithm for JWK (RSA) if not set by MichelZ · Pull Request #11 · opendistro-for-elasticsearch/deprecated-security-advanced-modules · GitHub
Thanks!
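To see why the ALGORITHM_NOT_SET warning appears and what the referenced fix changes, here is an added example (not code from the thread, the plugin or the pull request): it decodes a JWT header, picks the JWKS key by `kid`, and settles the signature algorithm the way a verifier must; a JWK that publishes no `alg` is the failing case, and falling back to a default for RSA keys is the workaround. RS256 as the RSA default is an assumption made here (the pull request title only says the algorithm is set for RSA JWKs), the EC curve table is the standard JWA mapping, and the JWKS and JWT are constructed inputs with placeholder key material.

```python
"""Resolve which JWKS key and algorithm would verify a JWT (added example).
A JWK without `alg` is the ALGORITHM_NOT_SET case from the thread; defaulting
RSA keys to RS256 is the assumption this example makes for the PR #11 fix."""
import base64
import json

EC_CURVE_ALG = {"P-256": "ES256", "P-384": "ES384", "P-521": "ES512"}  # standard JWA mapping

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def default_alg(jwk: dict):
    """Algorithm assumed for a JWK that publishes none (None if unknown)."""
    if jwk.get("kty") == "RSA":
        return "RS256"  # assumption, matching the intent of the PR #11 fix
    if jwk.get("kty") == "EC":
        return EC_CURVE_ALG.get(jwk.get("crv"))

def select_key(jwt: str, jwks: dict) -> dict:
    """Pick the JWKS key for `jwt` by kid and settle the algorithm to use.
    Only the header is inspected; the signature itself is not verified here."""
    header = json.loads(_b64url_decode(jwt.split(".")[0]))
    kid = header.get("kid")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)
    result = {"kid": kid, "alg": None, "alg_defaulted": False, "error": None}
    if key is None:
        result["error"] = "no JWKS key with kid %r (key rollover or wrong jwks_uri?)" % kid
        return result
    alg = key.get("alg")
    result["alg_defaulted"] = alg is None
    if alg is None:
        alg = default_alg(key)  # the step the plugin lacked before PR #11
    if alg is None:
        result["error"] = "ALGORITHM_NOT_SET: JWK %r names no algorithm" % kid
        return result
    if header.get("alg") not in (None, alg):
        result["error"] = "JWT header alg %s does not match key alg %s" % (header["alg"], alg)
        return result
    result["alg"] = alg
    return result

def encode_jwt_parts(header: dict, claims: dict) -> str:
    """Serialise header and claims with an empty signature, to build test inputs only."""
    return ".".join([_b64url_encode(json.dumps(p).encode()) for p in (header, claims)] + [""])

# Constructed JWKS and JWT (not from a real IdP): the RSA key publishes no `alg`.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "k1", "use": "sig", "n": "<modulus-omitted>", "e": "AQAB"}]}
SAMPLE_JWT = encode_jwt_parts({"alg": "RS256", "kid": "k1", "typ": "JWT"}, {"preferred_username": "manz"})
```

With a JWKS fetched from your IdP's `jwks_uri`, `select_key` tells you whether the key the token points at carries an `alg` or would have to be defaulted.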
Hi, Manz,
Can I ask you how you solved this problem? I set up Keycloak and I'm trying to make everything work locally, but it can't authenticate, giving the same error you seem to have solved.
My configuration files are here.
Hello,
I also get the error message "Authentication failed. Please provide a new token."
Can you explain how / what you configured in Keycloak?
In our test environment I don't use SSL, only HTTP connections.
Maybe this is a problem (certificates are necessary for something)?
Is it necessary to edit the internal_users.yml, or can I create users with Kibana (with openid disabled to do this)?
What about scopes?
Sorry, a lot of questions.
best regards