Hi ODFErs,
I’m trying to set up OpenID Connect and Basic authentication together on the same setup, which will allow me to also log in, i.e. with internal users – but somehow (or I’m missing something) I’m not able to see the form which allows me to log in, i.e. with the admin user, to Kibana; instead, it redirects me to the SSO.
This is my config.yml file for OpenID:
```yaml
---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      internal_auth:
        order: 0
        description: "HTTP basic authentication using the internal user database"
        enabled: true
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          # challenge: false means no WWW-Authenticate prompt is sent when
          # the request carries no Basic credentials
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        enabled: true
        http_enabled: true
        transport_enabled: true
        order: 1
        description: "Authenticate via Azure OpenID"
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: $connect_url
            enable_ssl: true
            # hostname verification of the IdP's TLS certificate is disabled
            verify_hostnames: false
        authentication_backend:
          type: noop
```
And for Kibana I just followed this guideline: OpenID Connect - Open Distro for Elasticsearch Documentation
Is there something quite fundamental I’m missing here?
Many thanks for your help in advance.
Update: I was just missing this part: https://kibana_url/app/login redirects you to basic authentication. It is all about cookies as described here: Cannot open default log in page if SAML authentication is enabled · Issue #25257 · elastic/kibana · GitHub
But it doesn’t pass. I get:
```
Request failed authentication.
Version: 7.9.1
Build: 33912
Error: Forbidden
    at Fetch._callee3$ (https://xxxx/33912/bundles/core/core.entry.js:34:109213)
    at l (https://xxxx/33912/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:368:155323)
    at Generator._invoke (https://xxxx/33912/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:368:155076)
    at Generator.forEach.e.<computed> [as next] (https://xxxx/33912/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:368:155680)
    at fetch_asyncGeneratorStep (https://xxxx/33912/bundles/core/core.entry.js:34:102354)
    at _next (https://xxxx/33912/bundles/core/core.entry.js:34:102670)
```
Anything which will enable authentication?
Best regards,