Kibana - OPENID CONNECT using pingID

Hi All,

I’m trying to integrate the PingID IdP as an OpenID Connect SSO provider for Open Distro.

Does anyone have any idea about the implementation and how to make it work?

How different would it be than using any other IDP, like Keycloak?

Thanks for your response @lmit. I was able to fix the issue with my configuration for Kibana.

Now I can proceed with my IdP for Kibana. Now I want to concentrate on getting Elasticsearch to work the same way with PingID. Do you have configuration settings for Elasticsearch? I mean, where can we set up client_id & client secret, etc.…

Hi Manz, the documentation is pretty good about that part:


and

But you can also check out this thread, where a Kibana configuration with that info is shared.

This is helpful. My question was about the client-id and client secret values for Elasticsearch (the way we configure them in kibana.yml for Kibana). In the above documents I don’t find them. So don’t we need those values for Elasticsearch?

Correct, you don’t need to specify client-id and client secret values in your Elasticsearch config. Only in your Kibana configuration, which Elasticsearch will use to decode the JWT tokens from the specified “openid_connect_url” configuration.

As the documentation says right here:

OpenID Connect

The Security plugin can integrate with identity providers that use the OpenID Connect standard. This feature enables the following:

Automatic configuration

Point the Security plugin to the metadata of your identity provider (IdP), and the Security plugin uses that data for configuration.

Automatic key fetching

The Security plugin automatically retrieves the public key for validating the JSON web tokens (JWTs) from the JSON web key set (JWKS) endpoint of your IdP. You don’t have to configure keys or shared secrets in config.yml.

Key rollover

You can change the keys used for signing the JWTs directly in your IdP. If the Security plugin detects an unknown key, it tries to retrieve it from the IdP. This rollover is transparent to the user.

Kibana single sign-on

Here is my working config.yml file

---
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    do_not_fail_on_forbidden: true
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern
      openid_auth_domain:
        description: "Authenticate via Keycloak Identity Provider"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: "https://my.IDP.com:8443/auth/realms/myrealm/.well-known/openid-configuration"
            jwks_uri: "https://my.IDP.com:8443/auth/realms/myrealm/protocol/openid-connect/certs"
            enable_ssl_client_auth: true
            pemkey_filepath: "/etc/elasticsearch/ssl/my.domain.com.key"
            pemcert_filepath: "/etc/elasticsearch/ssl/my.domain.com.crt"
            pemtrustedcas_filepath: "/etc/elasticsearch/ssl/my.domain.com.ca.crt"
            enable_ssl: true
            verify_hostnames: true
        authentication_backend:
          type: noop
      kerberos_auth_domain:
        http_enabled: false
        transport_enabled: false
        order: 2
        http_authenticator:
          type: kerberos
          challenge: true
          config:
            krb_debug: false
            strip_realm_from_principal: true
        authentication_backend:
          type: noop
      proxy_auth_domain:
        description: "Authenticate via proxy"
        http_enabled: false
        transport_enabled: false
        order: 3
        http_authenticator:
          type: proxy
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      jwt_auth_domain:
        description: "Authenticate via Json Web Token"
        http_enabled: false
        transport_enabled: false
        order: 4
        http_authenticator:
          type: jwt
          challenge: false
          config:
            signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
            jwt_header: "Authorization"
            jwt_url_parameter: null
            roles_key: null
            subject_key: null
        authentication_backend:
          type: noop
      clientcert_auth_domain:
        description: "Authenticate via SSL client certificates"
        http_enabled: false
        transport_enabled: false
        order: 5
        http_authenticator:
          type: clientcert
          config:
            username_attribute: cn #optional, if omitted DN becomes username
          challenge: false
        authentication_backend:
          type: noop
      ldap:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        order: 6
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - localhost:8389
            bind_dn: null
            password: null
            userbase: 'ou=people,dc=example,dc=com'
            usersearch: '(sAMAccountName={0})'
            username_attribute: null
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap
          config:
            # enable ldaps
            enable_ssl: false
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            hosts:
            - localhost:8389
            bind_dn: null
            password: null
            rolebase: 'ou=groups,dc=example,dc=com'
            rolesearch: '(member={0})'
            userroleattribute: null
            userrolename: disabled
            rolename: cn
            resolve_nested_roles: true
            userbase: 'ou=people,dc=example,dc=com'
            usersearch: '(uid={0})'
      roles_from_another_ldap:
        description: "Authorize via another Active Directory"
        http_enabled: false
        transport_enabled: false
        authorization_backend:
          type: ldap
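The reply above explains why Elasticsearch needs no client secret: the openid authenticator only validates the JWTs that Kibana obtained, using the keys published at the IdP's jwks_uri, and maps subject_key/roles_key to claims. As an added example (not code from this thread, Open Distro or PingID), here is a dependency-free Python sketch of that flow: it caches the JWKS, looks the signing key up by the token's kid, refetches once on an unknown kid (the key rollover the docs describe), checks signature and expiry, and returns user and roles from the configured claims. Assumptions: FakeIdp, OpenIdAuthenticator and all secrets are constructed for this example, and HMAC ("oct") keys stand in for the RSA/EC public keys the real plugin verifies, which leaves the lookup and rollover logic the same.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

class FakeIdp:
    """Constructed stand-in for the IdP's JWKS endpoint (jwks_uri); not a real IdP."""
    def __init__(self):
        self.keys = {"k1": b"constructed-secret-1"}  # kid -> signing key (constructed)
        self.fetches = 0                              # how often the JWKS was downloaded
    def jwks(self):
        self.fetches += 1
        return {"keys": [{"kty": "oct", "kid": k, "k": b64url_encode(v)} for k, v in self.keys.items()]}
    def issue(self, kid, claims):
        head = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
        body = b64url_encode(json.dumps(claims).encode())
        sig = hmac.new(self.keys[kid], f"{head}.{body}".encode(), hashlib.sha256).digest()
        return f"{head}.{body}.{b64url_encode(sig)}"

class OpenIdAuthenticator:
    """Looks up the signing key by kid in the cached JWKS, refetching on an unknown kid."""
    def __init__(self, idp, subject_key="preferred_username", roles_key="roles"):
        self.idp, self.subject_key, self.roles_key = idp, subject_key, roles_key
        self.cache = self._load(idp.jwks())           # "automatic key fetching"
    @staticmethod
    def _load(jwks):
        return {k["kid"]: b64url_decode(k["k"]) for k in jwks["keys"] if k.get("kty") == "oct"}
    def authenticate(self, token):
        try:
            head_b64, body_b64, sig_b64 = token.split(".")
            header = json.loads(b64url_decode(head_b64))
            if header.get("alg") != "HS256":          # only the configured algorithm is accepted
                return None
            if header.get("kid") not in self.cache:   # "key rollover": retrieve the new key set
                self.cache = self._load(self.idp.jwks())
            key = self.cache.get(header.get("kid"))
            if key is None:
                return None
            expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
                return None
            claims = json.loads(b64url_decode(body_b64))
            if claims.get("exp", 0) <= time.time():   # reject expired tokens
                return None
            return {"user": claims.get(self.subject_key), "roles": claims.get(self.roles_key, [])}
        except (ValueError, KeyError):                # malformed token or key set
            return None
```

authenticate returns None for a bad signature, an unknown kid that is still unknown after refetching, or an expired token; a valid token yields the user and roles that the plugin would hand to its authz backends.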