OpenID Configuration Problems

Hello,

I’m trying to set up OpenID integration. When visiting my application’s site, https://es-odfe.company.ch, the following occurs:

  1. As expected, it is getting redirected to: https://auth.company.ch/auth/realms/company/protocol/openid-connect/auth?response_type=code&scope=openid&client_id=ites_odfe&state=GfHKZhreiLASPPK-T-4TvWKbASw&redirect_uri=https%3A%2F%2Fes-odfe.company.ch%2Fredirect_uri&nonce=q3BqB9fn5PUwGbl6xAa2an-jVfRDR8rUpNqJoo1PghU

  2. After I successfully log in, it is redirected to: https://es-odfe.company.ch/auth/openid/login?state=Vho1dF8owpE73xbyIsxJ2e&session_state=004d595d-4b17-47d4-b203-5a8a226420ad&code=19598e04-2fc6-4662-81d6-bdb2bf17cc23.004d595d-4b17-47d4a-b203-5a8a226420ad.9e88e343-d2e9-49d3-9196-b9041e025984

with a message of:

Not Found

The requested URL /auth/openid/login was not found on this server

Whatever I set in opendistro_security.openid.base_redirect_url, it appends the /auth/openid/login endpoint and tries to connect there, as shown in the URL of step 2. I'm not sure what this endpoint is and why it is getting redirected there. Note that Kibana is behind a reverse proxy, which is why I need to set up openid.base_redirect_url accordingly.

Relevant part of securityconfig/config.yml

authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: default-role
            openid_connect_url: https://auth.company.ch/auth/realms/company/.well-known/openid-configuration
        authentication_backend:
          type: noop

The kibana.yml

elasticsearch.hosts: https://localhost:9200
elasticsearch.password: kibanaserver
elasticsearch.requestHeadersWhitelist: ["securitytenant", "Authorization", "x-proxy-user", "cookie", "x-forwarded-for", "X-Api-key", "X-Forwarded-User", "X-Forwarded-For", "x-tenants-enabled"]
elasticsearch.requestTimeout: 600000
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
logging.dest: /var/log/kibana/kibana.log
opendistro_security.cookie.secure: false
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.enable_global: true
opendistro_security.multitenancy.tenants.enable_private: true
opendistro_security.multitenancy.tenants.preferred: ["flights_space", "logs_space", "ecom_space", "Private", "Global"]
opendistro_security.auth.type: openid
opendistro_security.openid.base_redirect_url: https://es-odfe.company.ch
opendistro_security.openid.client_id: <the-client-id>
opendistro_security.openid.client_secret: <the-client-secret>
opendistro_security.openid.connect_url: https://auth.company.ch/auth/realms/company/.well-known/openid-configuration
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
pid.file: /var/run/kibana/kibana.pid
server.basePath: /kibana
server.port: 5602
telemetry.enabled: false
telemetry.optIn: false
newsfeed.enabled: false

Please let me know if you have any ideas or pointers, thanks a lot in advance.

-Sokratis

PS: I have replaced my company with the ‘company’ keyword in the above.

Solved. I actually had to set /kibana at the end of the redirect URL:

opendistro_security.openid.base_redirect_url: https://es-odfe.company.ch/kibana
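
Added example (not part of the original posts, and not Open Distro code): a small pre-deployment check that derives the OpenID callback URL from kibana.yml and flags the mismatch described above, where the callback falls outside server.basePath. It assumes the /auth/openid/login suffix seen in step 2 and flat "key: value" settings; the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Path the thread shows being appended to base_redirect_url (step 2 of the first post).
OPENID_LOGIN_PATH = "/auth/openid/login"

# Settings copied from the thread's kibana.yml, trimmed to the keys that matter here.
BROKEN = """
server.basePath: /kibana
opendistro_security.auth.type: openid
opendistro_security.openid.base_redirect_url: https://es-odfe.company.ch
"""
FIXED = BROKEN.replace("https://es-odfe.company.ch", "https://es-odfe.company.ch/kibana")


def parse_flat_yaml(text):
    """Parse flat 'key: value' lines as used in kibana.yml (no nesting handled)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def callback_url(settings):
    """Callback the browser is sent to after login: base_redirect_url + login path."""
    base = settings.get("opendistro_security.openid.base_redirect_url", "")
    return base.rstrip("/") + OPENID_LOGIN_PATH


def check_openid_redirect(settings):
    """Return findings; an empty list means the callback sits under server.basePath."""
    findings = []
    base_path = "/" + settings.get("server.basePath", "").strip("/")
    path = urlsplit(callback_url(settings)).path
    if base_path != "/" and not path.startswith(base_path + "/"):
        findings.append(f"callback path {path} is not under server.basePath {base_path}")
    return findings


if __name__ == "__main__":
    for name, text in (("as posted", BROKEN), ("after fix", FIXED)):
        cfg = parse_flat_yaml(text)
        print(name, callback_url(cfg), check_openid_redirect(cfg) or "OK")
```

The callback URL it prints for the fixed configuration is also the redirect URI that has to be allowed for the client on the identity provider side.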

Can I ask what you’re using for the IDP?

I can’t get Kibana to redirect to my identity provider (IdentityServer4).