Hi, I am currently using opendistro 0.10.0 for both elasticsearch and kibana, in a dockerized environment.
I am currently trying to configure SSO with keycloak using the security plugin provided.
Currently elasticsearch is correctly protected and works when passing a valid JWT taken from keycloak.
The problem is that kibana is not making a redirect to keycloak for authentication, but only showing:
Authentication failed
Please provide a new token.
I will attach my configuration, implemented as explained in the official doc.
config.yml (elasticsearch)
opendistro_security:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
    authc:
      basic_internal_auth_domain:
        enabled: true
        order: 0
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: "basic"
          challenge: false
        authentication_backend:
          type: "internal"
      openid_auth_domain:
        order: 1
        enabled: true
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_url: http://keycloak:8082/auth/realms/master/.well-known/openid-configuration
            subject_key: preferred_username
            roles_key: roles
        authentication_backend:
          type: noop
    authz: {}
kibana.yml
server.name: kibana
server.host: "0"
elasticsearch.url: https://localhost:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "http://localhost:8082/auth/realms/master/.well-known/openid-configuration" # This is keycloak
opendistro_security.openid.client_id: "app-kibana"
opendistro_security.openid.client_secret: "..."
Thanks,
Raffaele