Kibana with OpenID (Keycloak) cannot be redirected when HTTPS is used

I have successfully implemented OpenID using Keycloak on ODFE version 1:11:0. Everything is working perfectly fine when Keycloak is running on HTTP. But when I change the config.yml and kibana.yml to point to the HTTPS URL, Keycloak fails to redirect to Kibana.

My kibana.yml file:
opendistro_security.auth.type: "openid"
opendistro_security.openid.connect_url: "
opendistro_security.openid.client_id: "noob"
opendistro_security.openid.client_secret: "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"

My config.yml file:

# Parent keys were lost when the file was pasted; they are restored here from the
# standard Open Distro security config layout (auth domain names are the documented defaults).
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        order: 1
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
        authentication_backend:
          type: noop

Keycloak Redirect URLs:

Thank you!

Welcome @godhelpus! This looks like a topic for the security category, so I've moved it for you.


Thank you! Waiting for responses.

Can you try the below setting:

  # Parent keys restored from the standard Open Distro auth-domain layout (lost in the paste).
  openid_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: "openid"
      challenge: false
      config:
        subject_key: "preferred_username"
        roles_key: "roles"
        openid_connect_url: "https://keycloak:8443/auth/realms/odfe/.well-known/openid-configuration"
        openid_connect_idp.pemtrustedcas_filepath: "/usr/share/elasticsearch/config/keycloak_s.crt"
        openid_connect_idp.enable_ssl: true
    authentication_backend:
      type: "noop"

Hi @Anthony.
I did tweak the config.yml as provided by you, but still no success.
{"type":"log","@timestamp":"2021-05-18T03:49:40Z","tags":["error","plugins","opendistroSecurity"],"pid":1,"message":"OpenId authentication failed: Error: Authentication Exception"}
Also, I am using self-signed certs as described here, and the certificate used by Keycloak is a non-admin certificate.
Thanks for your response, but no luck.

@godhelpus, can you add "verify_hostnames: false" in case it's a verification issue?

      # Nested under the openid_connect_idp key of the http_authenticator config block
      openid_connect_idp:
        enable_ssl: true
        verify_hostnames: false
        pemtrustedcas_filepath: /home/tls.pem

If not resolved, what certificate are you providing under "pemtrustedcas_filepath"?

Hello @godhelpus

I've noticed you're using 1.11. Unfortunately, this version doesn't handle self-signed certs very well. It will refuse to connect with Keycloak if such a cert is in use.

Versions 1.10, 1.11 and 1.12 have the same self-signed cert problem. 1.13 got it resolved.

Also, when you use the IP address of Keycloak, please be sure that Keycloak's certificate has the IP address in the CN (Common Name) or SAN (Subject Alternative Name).

Could you share your kibana.yml file and OpenID config (settings tab) from keycloak?

@Anthony, setting hostname verification to false didn't work either.
I’ve been using the root-ca.pem for the pemtrustedcas_filepath: configuration.

@pablo, I’ll try this too and will let you know if it worked. I’ll share the configs as well.
The one I've been using now is: for admin certs and for the rest of the certs, including Keycloak's.


If you use "" then the certificate configured in pemtrustedcas has to have that IP in the CN or SAN.
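The rule Pablo states (an IP in openid_connect_url must appear in the Keycloak certificate) can be checked against a certificate's parsed names before anyone reaches for verify_hostnames. The following is an added example, not code from the thread or from the Open Distro plugin: the certificate contents and the IP 192.0.2.10 are constructed, and the matching policy it models (SAN entries first, CN only when the cert has no SAN at all) is an assumption about the Java-side verifier ODFE relies on.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed certificate summaries in the shape returned by ssl.SSLSocket.getpeercert():
# 'subject' is a tuple of RDNs, 'subjectAltName' a tuple of (type, value) pairs.
KEYCLOAK_CERT_BROKEN = {  # CN is a hostname only, so dialling Keycloak by IP fails verification
    "subject": ((("commonName", "keycloak"),),),
    "subjectAltName": (),
}
KEYCLOAK_CERT_FIXED = {  # IP carried in the SAN (and CN), as the thread recommends
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"), ("DNS", "keycloak")),
}

def _common_names(cert):
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]

def _dns_match(pattern, host):
    """RFC 6125 style matching: '*' is allowed only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host

def hostname_matches(cert, target):
    """True if `target` (a DNS name or an IP literal) is covered by the certificate.
    Assumed policy (Apache HttpClient style): when the cert has any SAN entries, only
    SANs count (IP literals against IP SANs, names against DNS SANs); the CN is a
    fallback only for certificates that carry no SAN at all."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if sans:
        if ip is not None:
            return any(t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in sans)
        return any(t == "DNS" and _dns_match(v, target) for t, v in sans)
    # No SAN present: legacy CN fallback, exact for IPs, wildcard-aware for names
    if ip is not None:
        return any(cn == target for cn in _common_names(cert))
    return any(_dns_match(cn, target) for cn in _common_names(cert))

def url_host_covered(cert, openid_connect_url):
    """Check the host ODFE will verify when it fetches openid_connect_url over TLS."""
    host = urlparse(openid_connect_url).hostname
    return host is not None and hostname_matches(cert, host)
```

Run the broken and fixed certificates through url_host_covered with the IP-based URL to see which one would pass before re-issuing the Keycloak certificate.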

Thank you very much! This is what I was doing wrong.
But now, I re-created my root-ca with CN=, for Admin certificate and for Kibana and Logstash. For Keycloak, I used CN= and restarted everything. It works now!
Thank you very much for your time and help.


@Anthony, The issue has been solved now. Thanks for your kind help.