I am trying to do Kibana SSO with Keycloak using the Open Distro plugin and SAML. I am facing the following:
when I hit the Kibana URL it is redirecting to customerror?type=samlConfigError#/
When I inspect in Chrome, in the console I have an error like this:
INFO: 2021-02-12T09:33:28Z
Adding connection to http://localhost:5601/elasticsearch
kbn-ui-shared-deps.js:381:106453
Detected an unhandled Promise rejection.
Error: Unauthorized commons.bundle.js:11:3982088
Detected an unhandled Promise rejection.
Error: Unauthorized
My elasticsearch.yml:
opendistro_security.ssl.transport.pemcert_filepath: esnode.pem
opendistro_security.ssl.transport.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: esnode.pem
opendistro_security.ssl.http.pemkey_filepath: esnode-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: root-ca.pem
opendistro_security.allow_unsafe_democertificates: true
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - CN=kirk,OU=client,O=client,L=test, C=de
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
My kibana.yml:
elasticsearch.hosts:
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant", "Authorization"]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
opendistro_security.auth.type: "saml"
server.xsrf.whitelist: [/_opendistro/_security/saml/acs,/_opendistro/_security/saml/acs/idpinitiated,/_opendistro/_security/saml/logout]
My config.yml:
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: intern
      saml_auth:
        order: 0
        description: "SAML provider"
        http_enabled: true
        transport_enabled: false
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: metadata.xml # SAML metadata, provided by your IdP
              entity_id: # SAML IdP entity ID, provided by your IdP
            sp:
              entity_id: kibana-sso
              forceAuthn: true
            kibana_url: http://localhost:5601
            roles_key: Role
            exchange_key: e124a508-1e75-4238-b742-1452382f451b
        authentication_backend:
          type: noop
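As an added example that is not part of the post above, this script runs the pre-flight checks the Open Distro security plugin documents for Kibana SAML SSO over a dict copy of the posted authc section and kibana.yml (the exchange_key is replaced by a placeholder; `check_saml_config` and the dict inputs are assumptions of this example, a real run would load the YAML files instead):

```python
# Added example, not from the forum post: a pre-flight check for the SAML
# prerequisites the Open Distro security plugin documents for Kibana SSO.
# Inputs are plain dicts mirroring the posted config.yml authc section and
# kibana.yml; a real run would load them with a YAML parser instead.
SAML_XSRF_PATHS = ("/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/acs/idpinitiated",
                   "/_opendistro/_security/saml/logout")

def check_saml_config(authc, kibana):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    def by_type(t):
        return [d for d in authc.values() if d.get("http_authenticator", {}).get("type") == t]
    saml, basic = by_type("saml"), by_type("basic")
    if not saml:
        return ["no authc domain with http_authenticator.type: saml"]
    cfg = saml[0]["http_authenticator"].get("config", {})
    idp, sp = cfg.get("idp", {}), cfg.get("sp", {})
    if not (idp.get("metadata_file") or idp.get("metadata_url")):
        problems.append("idp.metadata_file or idp.metadata_url is required")
    required = {"idp.entity_id": idp.get("entity_id"), "sp.entity_id": sp.get("entity_id"),
                "kibana_url": cfg.get("kibana_url"), "exchange_key": cfg.get("exchange_key")}
    problems += [f"{k} must be set" for k, v in required.items() if not v]
    # Kibana still logs in as kibanaserver over basic auth, so a basic domain is
    # needed, but it must not challenge or the browser never gets the IdP redirect.
    if not basic:
        problems.append("a basic authc domain is required for the kibanaserver user")
    for b in basic:
        if b["http_authenticator"].get("challenge", True):
            problems.append("basic domain must set http_authenticator.challenge: false")
    if kibana.get("opendistro_security.auth.type") != "saml":
        problems.append("kibana.yml needs opendistro_security.auth.type: saml")
    missing = [p for p in SAML_XSRF_PATHS if p not in kibana.get("server.xsrf.whitelist", [])]
    if missing:
        problems.append("server.xsrf.whitelist is missing " + ", ".join(missing))
    return problems

# Constructed to mirror the post (exchange_key replaced with a placeholder).
POST_AUTHC = {
    "basic_internal_auth_domain": {"order": 1, "http_authenticator": {"type": "basic", "challenge": True},
                                   "authentication_backend": {"type": "intern"}},
    "saml_auth": {"order": 0, "authentication_backend": {"type": "noop"},
                  "http_authenticator": {"type": "saml", "challenge": True, "config": {
                      "idp": {"metadata_file": "metadata.xml", "entity_id": None},
                      "sp": {"entity_id": "kibana-sso", "forceAuthn": True},
                      "kibana_url": "http://localhost:5601", "roles_key": "Role",
                      "exchange_key": "PLACEHOLDER-EXCHANGE-KEY"}}},
}
POST_KIBANA = {"opendistro_security.auth.type": "saml", "server.xsrf.whitelist": list(SAML_XSRF_PATHS)}
if __name__ == "__main__":
    for problem in check_saml_config(POST_AUTHC, POST_KIBANA):
        print("-", problem)
```

Run against the posted settings it reports the empty idp.entity_id and the basic domain's challenge: true, the two items to fix before retrying the login.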