Hey All,
I have burnt a full day fighting to get SAML or OpenID auth working for an Open Distro environment without much luck. I am going to focus on SAML here as that is my preference for this specific project.
I have been following the following guides:
- https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/saml/
- Add Single Sign-On (SSO) to Open Distro for Elasticsearch Kibana using SAML and Okta | AWS Open Source Blog
though I am confused as to whether the SAML configuration in the file “plugins/opendistro_security/securityconfig/config.yml” should be present on the Kibana instance, the Elasticsearch instance, or both. As such I have been putting it in both and running the securityadmin.sh script to load the config, which seems to work. When accessing Kibana I am immediately redirected to https:///customerror?type=samlConfigError with no error logs generated.
I am testing with the following environment:
cat docker-compose.yaml
version: '3'
services:
  opendistro:
    image: amazon/opendistro-for-elasticsearch:1.4.0
    environment:
      - discovery.type=single-node
      - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
      - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - $PWD/elasticsearch:/usr/share/elasticsearch/data
      - $PWD/config/od_security_config.yml:/usr/share/elasticsearch/plugins/opendistro_security/config.yml:ro
      # - $PWD/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
    ports:
      - 9200:9200
      - 9300:9300
      - 9600:9600
  kibana:
    image: amazon/opendistro-for-elasticsearch-kibana:1.4.0
    links:
      - opendistro
    environment:
      ELASTICSEARCH_URL: https://opendistro:9200
      ELASTICSEARCH_HOSTS: https://opendistro:9200
    volumes:
      - $PWD/config/kibana.yml:/usr/share/kibana/config/kibana.yml:ro
      - $PWD/config/cert-selfsigned.key:/etc/ssl/certs/cert-selfsigned.key:ro
      - $PWD/config/cert-selfsigned.crt:/etc/ssl/certs/cert-selfsigned.crt:ro
      - $PWD/config/od_security_config.yml:/usr/share/kibana/plugins/opendistro_security/config.yml:ro
    ports:
      - 5601:5601
With the following config changes:
Changes to kibana.yaml:
server.ssl.enabled: true
server.ssl.key: /etc/ssl/certs/cert-selfsigned.key
server.ssl.certificate: /etc/ssl/certs/cert-selfsigned.crt
opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]
Changes to the plugin conf template from https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/config.yml:
saml_auth_domain:
  http_enabled: true
  transport_enabled: false
  order: 1
  http_authenticator:
    type: saml
    challenge: true
    config:
      idp:
        metadata_url: https://login.microsoftonline.com/...
        entity_id: https://sts.windows.net/...
      sp:
        entity_id: kibana-saml
      kibana_url: https://<myip>:5601/
      roles_key: roles
      exchange_key: '1234567890123467890123456789012'
Thanks in advance for any help,
Ryan
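As an added example (not part of the original post and not Open Distro's own tooling), the following Python script encodes the posted docker-compose volumes, kibana.yml settings and saml_auth_domain block as plain data and runs the pre-flight checks a reviewer would apply before digging into logs: whether config.yml is mounted where securityadmin.sh reads it (the securityconfig directory named in the post; config.yml is consumed by the Elasticsearch security plugin, not by Kibana), whether kibana.yml enables SAML and whitelists the three SAML endpoints, and whether the SAML block still carries unreplaced placeholders or a weak exchange_key. The sample data is constructed from the post; the required-key set, the placeholder regex and the exchange_key threshold are this example's own heuristics, not rules taken from the plugin.

```python
import re

# Directory securityadmin.sh loads the security config from (named in the post).
SECURITYCONFIG_DIR = "plugins/opendistro_security/securityconfig"
# XSRF-exempt paths a SAML login round-trip needs (from the posted kibana.yml).
SAML_XSRF_PATHS = {
    "/_opendistro/_security/saml/acs/idpinitiated",
    "/_opendistro/_security/saml/acs",
    "/_opendistro/_security/saml/logout",
}
# Keys this checker insists on under http_authenticator.config (assumption: a
# minimal set; the plugin documentation is authoritative).
REQUIRED_SAML_KEYS = ("idp", "sp", "kibana_url", "exchange_key")
# Values like "<myip>" or a trailing "..." are copy-paste placeholders.
PLACEHOLDER = re.compile(r"<[^>]*>|\.\.\.")


def check_config_mounts(volumes):
    """Flag compose volume specs that put a config.yml anywhere other than the
    securityconfig directory, where securityadmin.sh will not see it."""
    findings = []
    for spec in volumes:
        parts = spec.split(":")          # host:container[:mode]
        if len(parts) < 2:
            continue
        target = parts[1]
        if target.endswith("/config.yml") and SECURITYCONFIG_DIR not in target:
            findings.append(f"config.yml mounted at {target}; securityadmin.sh reads "
                            f"{SECURITYCONFIG_DIR}/config.yml")
    return findings


def check_kibana(kibana_yml):
    """Check the kibana.yml settings the SAML flow depends on."""
    findings = []
    if kibana_yml.get("opendistro_security.auth.type") != "saml":
        findings.append("opendistro_security.auth.type is not 'saml'")
    missing = SAML_XSRF_PATHS - set(kibana_yml.get("server.xsrf.whitelist", []))
    for path in sorted(missing):
        findings.append(f"server.xsrf.whitelist lacks {path}")
    return findings


def check_saml_domain(domain, kibana_is_https=True):
    """Check a saml_auth_domain block for missing keys, leftover placeholders,
    a kibana_url scheme that disagrees with Kibana's TLS setting, and a weak key."""
    findings = []
    if not domain.get("http_enabled"):
        findings.append("http_enabled is not true")
    auth = domain.get("http_authenticator", {})
    if auth.get("type") != "saml":
        findings.append("http_authenticator.type is not 'saml'")
    cfg = auth.get("config", {})
    for key in REQUIRED_SAML_KEYS:
        if key not in cfg:
            findings.append(f"config.{key} is missing")
    idp = cfg.get("idp", {})
    if not (idp.get("metadata_url") or idp.get("metadata_file")):
        findings.append("idp needs metadata_url or metadata_file")
    for name, value in (("idp.metadata_url", idp.get("metadata_url", "")),
                        ("idp.entity_id", idp.get("entity_id", "")),
                        ("kibana_url", cfg.get("kibana_url", ""))):
        if PLACEHOLDER.search(value):
            findings.append(f"{name} still contains a placeholder: {value}")
    url = cfg.get("kibana_url", "")
    if kibana_is_https and url and not url.startswith("https://"):
        findings.append("kibana_url must use https when Kibana has server.ssl.enabled")
    key = cfg.get("exchange_key", "")
    # Heuristic of this example (not the plugin's rule): short or digits-only
    # keys are almost always unreplaced sample values.
    if len(key) < 32 or key.isdigit():
        findings.append("exchange_key is short or digits-only; use a long random secret")
    return findings


# Constructed sample reproducing the posted setup (placeholders kept as posted).
ES_VOLUMES = [
    "$PWD/elasticsearch:/usr/share/elasticsearch/data",
    "$PWD/config/od_security_config.yml:"
    "/usr/share/elasticsearch/plugins/opendistro_security/config.yml:ro",
]
KIBANA_YML = {
    "server.ssl.enabled": True,
    "opendistro_security.auth.type": "saml",
    "server.xsrf.whitelist": sorted(SAML_XSRF_PATHS),
}
SAML_DOMAIN = {
    "http_enabled": True, "transport_enabled": False, "order": 1,
    "http_authenticator": {
        "type": "saml", "challenge": True,
        "config": {
            "idp": {"metadata_url": "https://login.microsoftonline.com/...",
                    "entity_id": "https://sts.windows.net/..."},
            "sp": {"entity_id": "kibana-saml"},
            "kibana_url": "https://<myip>:5601/",
            "roles_key": "roles",
            "exchange_key": "1234567890123467890123456789012",
        },
    },
}


def run_all():
    """Run every check against the constructed sample and return the findings."""
    return (check_config_mounts(ES_VOLUMES)
            + check_kibana(KIBANA_YML)
            + check_saml_domain(SAML_DOMAIN, KIBANA_YML.get("server.ssl.enabled", False)))


if __name__ == "__main__":
    for finding in run_all():
        print("-", finding)
```

Run against the posted values the script reports the config.yml mount outside securityconfig, the three unreplaced placeholders and the 31-digit exchange_key, and nothing for kibana.yml; swap in real values for your environment and it should come back empty before you start reading plugin logs.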