SAML configuration for Open Distro with AzureAD

Hey All,

I have burnt a full day fighting to get SAML or OpenID auth working for an Open Distro environment without much luck. I am going to focus on SAML here as that is my preference for this specific project.

I have been following the following guides:

I am testing with the following environment:
cat docker-compose.yaml

version: '3'
services:
  opendistro:
    image: amazon/opendistro-for-elasticsearch:1.4.0
    environment:
      - discovery.type=single-node
      - bootstrap.memory_lock=true # along with the memlock settings below, disables swapping
      - "ES_JAVA_OPTS=-Xms1024m -Xmx1024m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    volumes:
      - $PWD/elasticsearch:/usr/share/elasticsearch/data
      - $PWD/config/od_security_config.yml:/usr/share/elasticsearch/plugins/opendistro_security/config.yml:ro
#      - $PWD/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml:ro
    ports:
      - 9200:9200
      - 9300:9300
      - 9600:9600

  kibana:
    image: amazon/opendistro-for-elasticsearch-kibana:1.4.0
    links:
      - opendistro
    environment:
      ELASTICSEARCH_URL: https://opendistro:9200
      ELASTICSEARCH_HOSTS: https://opendistro:9200
    volumes:
      - $PWD/config/kibana.yml:/usr/share/kibana/config/kibana.yml:ro
      - $PWD/config/cert-selfsigned.key:/etc/ssl/certs/cert-selfsigned.key:ro
      - $PWD/config/cert-selfsigned.crt:/etc/ssl/certs/cert-selfsigned.crt:ro
      - $PWD/config/od_security_config.yml:/usr/share/kibana/plugins/opendistro_security/config.yml:ro
    ports:
      - 5601:5601

With the following config changes:
Changes to kibana.yml:

server.ssl.enabled: true
server.ssl.key: /etc/ssl/certs/cert-selfsigned.key
server.ssl.certificate: /etc/ssl/certs/cert-selfsigned.crt
opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]

Changes to the plugin conf template from https://github.com/opendistro-for-elasticsearch/security/blob/master/securityconfig/config.yml:

      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              # Fetched by the Elasticsearch nodes, so it must be reachable from them, not just from Kibana or the browser
              metadata_url: https://login.microsoftonline.com/...
              # Must match the entityID attribute in that metadata exactly (AzureAD's issuer ends with a trailing slash)
              entity_id: https://sts.windows.net/...
            sp:
              entity_id: kibana-saml
            kibana_url: https://<myip>:5601/
            roles_key: roles
            # Signs the token exchanged between Kibana and Elasticsearch; this value is a test placeholder, use a long random secret
            exchange_key: '1234567890123467890123456789012'

Thanks in advance for any help,

Ryan


Hello @redyvane

Were you able to fix your issue?
If you got the described error directly after accessing the Kibana URL, without getting to the AzureAD login screen, then you might have a configuration issue in config.yml.
Have you checked whether you can access the metadata_url and entity_id from the ES node?

SAML has to be configured in both config.yml and kibana.yml, as you did.
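The check suggested above (can the ES node reach metadata_url, and does idp.entity_id line up with what the IdP publishes) can be scripted. The following is an added example, not code from the original post or from the Open Distro project: it fetches or parses SAML 2.0 IdP metadata, pulls out the values the security plugin depends on (entityID, SingleSignOnService endpoints, signing certificate) and compares the `idp.entity_id` from the config.yml block against the metadata's `entityID`. The embedded metadata is a constructed sample shaped like AzureAD's; the tenant ID, URLs and certificate bytes in it are placeholders, and `check_saml_idp.py` is an assumed file name.

```python
"""Check an Open Distro SAML `idp:` block against the IdP's metadata document.

Added example, not code from the original post or the Open Distro project.
"""
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Standard OASIS namespaces used in SAML 2.0 metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample shaped like the metadata AzureAD serves. The tenant ID,
# URLs and certificate bytes are placeholders, not real values.
SAMPLE_TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{SAMPLE_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>UExBQ0VIT0xERVI=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{SAMPLE_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fetch_metadata(url, timeout=10):
    """Fetch metadata_url over HTTPS with certificate verification on.

    Run this from the same network location as the Elasticsearch node: the
    security plugin fetches metadata_url from there, so proxy, firewall and
    trust-store problems only show up from that vantage point.
    """
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


def parse_idp_metadata(xml_text):
    """Return entityID, SSO endpoints by binding and signing certs from IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("unexpected root element %s (expected md:EntityDescriptor)" % root.tag)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor; this is not IdP metadata")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    certs = [c.text.strip() for c in idp.findall(cert_path, NS) if c.text]
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_idp_config(config_idp, metadata):
    """Compare the config.yml `idp:` block with parsed metadata; return a list of problems."""
    problems = []
    url = config_idp.get("metadata_url", "")
    if url and not url.startswith("https://"):
        problems.append("metadata_url is not https; the IdP signing cert would be fetched unauthenticated")
    want, got = config_idp.get("entity_id"), metadata["entity_id"]
    if want != got:
        # Exact string comparison on purpose: a missing trailing slash is the usual AzureAD slip.
        if want and want.rstrip("/") == got.rstrip("/"):
            problems.append("entity_id differs from metadata only by a trailing slash: "
                            "config has %r, metadata has %r" % (want, got))
        else:
            problems.append("entity_id %r does not match metadata entityID %r" % (want, got))
    if HTTP_REDIRECT not in metadata["sso"] and HTTP_POST not in metadata["sso"]:
        problems.append("metadata advertises no HTTP-Redirect or HTTP-POST SingleSignOnService")
    if not metadata["signing_certs"]:
        problems.append("metadata carries no signing certificate; assertion signatures cannot be verified")
    return problems


def main(argv):
    if len(argv) == 3:
        # Usage: check_saml_idp.py <metadata_url> <idp.entity_id from config.yml>
        config_idp = {"metadata_url": argv[1], "entity_id": argv[2]}
        metadata = parse_idp_metadata(fetch_metadata(argv[1]))
    else:
        # Offline run against the constructed sample; the entity_id below lacks the trailing slash.
        config_idp = {"metadata_url": "https://login.microsoftonline.com/%s/federationmetadata/2007-06/federationmetadata.xml" % SAMPLE_TENANT,
                      "entity_id": "https://sts.windows.net/%s" % SAMPLE_TENANT}
        metadata = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP entityID:", metadata["entity_id"])
    for binding, location in metadata["sso"].items():
        print("SSO endpoint:", binding.rsplit(":", 1)[-1], location)
    print("signing certs:", len(metadata["signing_certs"]))
    problems = check_idp_config(config_idp, metadata)
    for p in problems:
        print("PROBLEM:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments for the offline sample, or pass the real metadata_url and the idp.entity_id from config.yml to fetch and compare against the live document. A non-zero exit means at least one mismatch was found; a fetch failure from the ES node's network location is itself the answer to the reachability question.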

Hello Ryan @redyvane
Have you solved this issue?
Thanks in advance.