Kibana SSO using Okta OIDC in Kubernetes

Hello All,

Has anyone completed Kibana SSO using Okta with OIDC integration? I see the Open Distro git repo (opendistro-build/helm/opendistro-es at main · opendistro-for-elasticsearch/opendistro-build · GitHub) for Kubernetes using Helm, but there are not many details on how to integrate with OIDC! Any help would be appreciated!
Thank you
Chandu

Hi @chandu7677, I posted a detailed breakdown of the integration of LDAP with opendistro using helm here.

All configuration is done via the values.yaml file.
The configuration of OIDC is similar and would need to be done in the config.yml section as below:

authc:
  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: intern
  openid:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: openid
      challenge: true
      config:
        openid_connect_url: "<enter here>"
        subject_key: "preferred_username"
        roles_key: "roles"
        enable_ssl: false
        verify_hostnames: false
    authentication_backend:
      type: "noop"

And also additional lines in the kibana.yml file to use OIDC for authentication:

opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "<enter here>"
opendistro_security.openid.client_id: "<client_id>"
opendistro_security.openid.client_secret: "<client_secret>"
opendistro_security.openid.base_redirect_url: "<base_redirect_url>"

The values.yaml file also contains the setting “nameOverride” at the very end; this can be used to map the elasticsearch.hosts setting in kibana.yml to point to the correct ES instance, as it is not known during deployment.

Let me know if you get stuck at any stage.
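
An added example, not part of the reply above and not Open Distro code: a small check that a token from the identity provider actually carries the claims named by `subject_key` and `roles_key` in the config.yml snippet, since a missing roles claim leaves the user logged in with no backend roles. The function names and the sample tokens are constructed for illustration; the payload is decoded for inspection only, without signature verification.

```python
import base64
import json

# Claim names taken from the config.yml snippet in the reply above.
SUBJECT_KEY = "preferred_username"
ROLES_KEY = "roles"


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. No signature check: inspection only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims: dict, subject_key: str = SUBJECT_KEY,
                 roles_key: str = ROLES_KEY) -> list:
    """List mismatches between the token and the configured claim names."""
    problems = []
    if not isinstance(claims.get(subject_key), str) or not claims[subject_key]:
        problems.append(f"subject_key '{subject_key}' missing or not a string")
    roles = claims.get(roles_key)
    if roles is None:
        problems.append(f"roles_key '{roles_key}' missing: user gets no backend roles")
    elif not isinstance(roles, (list, str)) or not roles:
        # Assumption: roles arrive as a list or a comma-separated string.
        problems.append(f"roles_key '{roles_key}' is empty or not a list/string")
    return problems


def make_token(claims: dict) -> str:
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed sample payloads, not real IdP output.
GOOD = make_token({"sub": "00u1", "preferred_username": "chandu", "roles": ["admin"]})
NO_ROLES = make_token({"sub": "00u1", "preferred_username": "chandu", "groups": ["admin"]})

if __name__ == "__main__":
    for name, tok in (("GOOD", GOOD), ("NO_ROLES", NO_ROLES)):
        print(name, check_claims(decode_claims(tok)) or "ok")
```

If the second case matches your token, either change `roles_key` to the claim the provider really sends or configure the provider to emit a claim with the configured name.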