Kibana - OPENID CONNECT using pingID

Hi All,

I’m trying to integrate the PingID IdP provider as OpenID Connect SSO for Open Distro.

Does anyone have any idea about the implementation and how to make it work?

How different would it be than using any other IDP, like Keycloak?

Thanks for your response @lmit. I was able to fix the issue with my configuration for Kibana.

Now I am able to proceed with my IdP for Kibana. Now I want to concentrate on Elasticsearch, to make it work in the same way with PingID. Do you have configuration settings for Elasticsearch? I mean, where can we set up client_id & client secret, etc…

Hi Manz, the documentation is pretty good about that part:


and

But you can also check out this thread where the Kibana configuration with that info is shared.

This is helpful. And my question was about the client-id and client secret values for Elasticsearch (the way we configure them in kibana.yml for Kibana). In the above documents I don’t find them. So don’t we need those values for Elasticsearch?

Correct, you don’t need to specify client-id and client secret values in your Elasticsearch config. Only in your Kibana configuration, which Elasticsearch will use to decode the JWT tokens from the specified “openid_connect_url” configuration.

As the documentation says right here:

OpenID Connect

The Security plugin can integrate with identity providers that use the OpenID Connect standard. This feature enables the following:

Automatic configuration

Point the Security plugin to the metadata of your identity provider (IdP), and the Security plugin uses that data for configuration.

Automatic key fetching

The Security plugin automatically retrieves the public key for validating the JSON web tokens (JWTs) from the JSON web key set (JWKS) endpoint of your IdP. You don’t have to configure keys or shared secrets in config.yml.

Key rollover

You can change the keys used for signing the JWTs directly in your IdP. If the Security plugin detects an unknown key, it tries to retrieve it from the IdP. This rollover is transparent to the user.

Kibana single sign-on

Here is my working config.yml file

---
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      openid_auth_domain:
        description: "Authenticate via Keycloak Identity Provider"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: "https://my.IDP.com:8443/auth/realms/myrealm/.well-known/openid-configuration"
            jwks_uri: "https://my.IDP.com:8443/auth/realms/myrealm/protocol/openid-connect/certs"
            enable_ssl_client_auth: true
            pemkey_filepath: "/etc/elasticsearch/ssl/my.domain.com.key"
            pemcert_filepath: "/etc/elasticsearch/ssl/my.domain.com.crt"
            pemtrustedcas_filepath: "/etc/elasticsearch/ssl/my.domain.com.ca.crt"
            enable_ssl: true
            verify_hostnames: true
        authentication_backend:
          type: noop
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: kerberos
          challenge: true
          config:
            krb_debug: false
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: false
        transport_enabled: false
        order: 4
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: null
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            usersearch: '(uid={0})'
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap

Thanks for the complete details Mitchell.

Now I’m trying to integrate only Kibana with my IdP as the OpenID provider. And that is also working perfectly with the configuration below.

Whereas in my case I wanted to use only BASIC auth for the Elasticsearch side (with the same configuration below), it is failing with a 401 Unauthorized error. But when I set the basic auth challenge to TRUE, then Elasticsearch will work with basic auth, whereas Kibana with the OpenID connection doesn’t work. How can I make both of these work for me?

---
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      openid_auth_domain:
        description: "Authenticate via openid Identity Provider"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_url: "https://XXXXXXXXXX/.well-known/openid-configuration"
        authentication_backend:
          type: noop

Hi Manz, I have read over your message and I admit that I just don’t understand what you are trying to do?

Fundamentally, Kibana and Elasticsearch are front-end and back-end of THE SAME SYSTEM, so they must both work together for basic auth, or basic auth + openID. You have to choose. You cannot have one for Kibana and another combination for Elasticsearch.

As the documentation states, it’s probably a better idea to have basic auth + openID, so your local accounts for back-end (non-openID) operations work, like Logstash and Beats. Otherwise, I’m not sure how you will populate your ELK stack with data while using your openID for your users to authenticate and view your data from the front-end.

Any other use-case and I can’t help you, as that was not my intended workflow when setting up my cluster.

Regards

I think you are right. In my case I use OpenID auth for Kibana (front-end) and for Elasticsearch I use Basic auth (back-end).

Right now what’s happening with my above configuration is: if I set the basic auth order to “0”, only then will I get challenged with the basic auth login form and authentication will succeed. Then Kibana also challenges me with the login page, but authentication will fail with "No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’".

In the same way, if I set the OpenID order to “0”, then Kibana authentication will succeed, but ES will not challenge me with a login page (I get the same 401 error as above), whereas I can send cURL/Postman (any REST client) requests to Elasticsearch and will get the proper response.

What I mean to say is that the auth domain which has the order “0” will succeed and the other will fail. Maybe this is the right behavior with the current OSS security code and maybe my above scenario is wrong.

I’m just looking to get challenged with the basic auth login page in my case… any suggestions/help on this would be much appreciated!

Hi @lmit, their documentation clearly says that “client can’t challenge 2 different authentication methods”. I mean, in my case, openid + basic.

# Note: If you define more than one HTTP authenticators make sure to put non-challenging authenticators like "proxy" or "clientcert"
# first and the challenging one last.
# Because it's not possible to challenge a client with two different authentication methods (for example
# Kerberos and Basic) only one can have the challenge flag set to true. You can cope with this situation
# by using pre-authentication, e.g. sending a HTTP Basic authentication header in the request.
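A small lint for the authc block that encodes the rules quoted above (one challenging authenticator at most, ordered last) plus the earlier point that client_id/client_secret belong in kibana.yml. This is an added example, not the plugin's own code; the config dict is constructed to mirror the basic + openid setup in this thread, and a practitioner would get the same structure from yaml.safe_load on config.yml.

```python
# Constructed input mirroring the thread's basic + openid authc block; a real
# run would use yaml.safe_load(open("config.yml")) to get the same structure.
SAMPLE_CONFIG = {"config": {"dynamic": {"authc": {
    "basic_internal_auth_domain": {
        "http_enabled": True, "order": 0,
        "http_authenticator": {"type": "basic", "challenge": False},
        "authentication_backend": {"type": "intern"}},
    "openid_auth_domain": {
        "http_enabled": True, "order": 1,
        "http_authenticator": {"type": "openid", "challenge": False, "config": {
            "openid_connect_url": "https://idp.example/.well-known/openid-configuration"}},
        "authentication_backend": {"type": "noop"}},
}}}}


def lint_authc(config):
    """Return findings for the authc block; an empty list means it passes."""
    findings = []
    domains = config["config"]["dynamic"]["authc"]
    # Only http_enabled domains take part in REST authentication; evaluate in order.
    enabled = sorted(((n, d) for n, d in domains.items() if d.get("http_enabled")),
                     key=lambda nd: nd[1].get("order", 0))
    challengers = [n for n, d in enabled if d["http_authenticator"].get("challenge")]
    if not challengers:
        findings.append("no enabled HTTP authenticator has challenge: true; no login prompt "
                        "is sent on 401, so clients must pre-authenticate (e.g. Basic header)")
    elif len(challengers) > 1:
        findings.append("only one HTTP authenticator may set challenge: true, found: "
                        + ", ".join(challengers))
    elif enabled[-1][0] != challengers[0]:
        findings.append(f"challenging domain {challengers[0]} must be ordered last, "
                        f"but {enabled[-1][0]} has a higher order")
    for name, d in enabled:
        auth = d["http_authenticator"]
        if auth["type"] != "openid":
            continue
        cfg = auth.get("config") or {}
        if "openid_connect_url" not in cfg:
            findings.append(f"{name}: openid authenticator needs openid_connect_url")
        for key in ("client_id", "client_secret"):
            if key in cfg:
                findings.append(f"{name}: {key} belongs in kibana.yml, not in the "
                                "Elasticsearch openid config")
    return findings


if __name__ == "__main__":
    for line in lint_authc(SAMPLE_CONFIG) or ["authc block passes"]:
        print(line)
```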

Hi Manz, once I enabled openID at order “1” and basic at order “0”:

I was NEVER able to get to the basic login page for ANY front-end authentication…I tried different URLs to get the login page, but I suspect that local login page is now disabled.
ALL front-end authentication will be openID. So I made sure I have a role configured to give me Admin access using front-end login.

For back-end services, then I could use the local accounts setup in Elasticsearch, but those will only work through API calls.

I don’t think there are any fine-grained front-end authentication methods available for open-distro

Thanks @lmit for more details.

Hi Mitchell,

For some reason I have to use the initial version of ES & Kibana, 6.5.4, and the security plugin version is 0.7.0.1. I’m trying to integrate OpenID Connect, but from the Kibana side I’m getting an error like below. (Authentication failed… Please provide a new token.)

below is my Kibana configuration:

opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "https://XXXXXXX/.well-known/openid-configuration"
opendistro_security.openid.client_id: "XXXXXXXXX"
opendistro_security.openid.client_secret: "XXXXXXXXX"
opendistro_security.openid.scope: "openid"
opendistro_security.openid.base_redirect_url: "http://XXXXXXX:5601"
logging.verbose: true

My config has:

      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      openid_auth_domain:
        description: "my openid provider"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: "https://XXXXXXXXX/.well-known/openid-configuration"
        authentication_backend:
          type: noop

And from the Elasticsearch side I get this error; I’m not sure what I’m doing wrong here.

[2020-02-27T16:41:00,755][WARN ][o.a.c.r.s.j.j.JwsUtils   ] [somenode] No signature algorithm was defined
[2020-02-27T16:41:00,755][WARN ][o.a.c.r.s.j.j.JwsUtils   ] [somenode] 
 'org.apache.cxf.rs.security.jose.jws.JwsException: ALGORITHM_NOT_SET' extracting credentials from jwt-key-by-oidc http authenticator
org.apache.cxf.rs.security.jose.jws.JwsException: ALGORITHM_NOT_SET

any help on this would be much appreciated. thanks!


I was able to resolve this issue with the help of what is described in https://github.com/opendistro-for-elasticsearch/security-advanced-modules/pull/11

Thanks!
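A diagnostic for the "No signature algorithm was defined" / ALGORITHM_NOT_SET warning above: it reads the kid and alg from a token header and checks the IdP's JWKS for that key, reporting the case where the JWK carries no alg member (so a verifier that takes the algorithm from the key alone has nothing to use) and the case where the kid is unknown (the key-rollover refetch path). This is an added example, not the change made in the linked pull request; the JWKS and the token are constructed, with placeholder key material and no real signature.

```python
import base64
import json

# Constructed sample JWKS: "key-1" omits "alg", "key-2" carries it. Key material
# is a placeholder; only the metadata matters for this check.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "key-1", "use": "sig", "n": "AQAB", "e": "AQAB"},
    {"kty": "RSA", "kid": "key-2", "use": "sig", "alg": "RS256", "n": "AQAB", "e": "AQAB"},
]})


def b64url(data):
    """base64url without padding, as JWT segments use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def constructed_token(kid, alg="RS256"):
    """Build a JWT-shaped string whose header points at `kid` (test input only)."""
    header = b64url(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    payload = b64url(json.dumps({"preferred_username": "manz", "roles": ["admin"]}).encode())
    return f"{header}.{payload}.{b64url(b'not-a-real-signature')}"


def diagnose(token, jwks_json):
    """Explain why a verifier may have no algorithm for the key this token names."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    keys = {k.get("kid"): k for k in json.loads(jwks_json)["keys"]}
    key = keys.get(header.get("kid"))
    if key is None:
        return [f"no JWKS key with kid {header.get('kid')!r}; expect a JWKS refetch (key rollover)"]
    findings = []
    if "alg" not in key:
        findings.append(f"JWKS key {key['kid']} has no 'alg' member; the token header says "
                        f"{header.get('alg')}, but a verifier that takes the algorithm only "
                        "from the key has nothing to use (the ALGORITHM_NOT_SET case)")
    elif key["alg"] != header.get("alg"):
        findings.append(f"JWKS key {key['kid']} is {key['alg']} but the token header says "
                        f"{header.get('alg')}; the IdP key and the token disagree")
    return findings


if __name__ == "__main__":
    for kid in ("key-1", "key-2", "key-3"):
        print(kid, diagnose(constructed_token(kid), SAMPLE_JWKS) or ["ok"])
```

Against a real IdP, fetch jwks_uri from the .well-known document and pass the JWKS body and the token Kibana forwarded; a key without alg is something to raise with the IdP administrator.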

Hi, Manz,

Can I ask you how you solved this problem? I set up Keycloak and I’m trying to make everything work locally, but it can’t authenticate, giving the same error you seem to have solved.

My configuration files are here

Problem Basic Authorization

Hello,
I also get the error message “Authentication failed. Please provide a new token.”
Can you explain how / what you configured in Keycloak?
In our test environment I don’t use SSL, only HTTP connections.
Maybe this is the problem (certificates are necessary for something)?
Is it necessary to edit internal_users.yml, or can I create users with Kibana (with openid disabled to do this)?
What about scopes?
Sorry for a lot of questions.
Best regards