OpenID Connect & Basic Authentication on Kibana

Hi ODFErs,

I’m trying to set up OpenID Connect and Basic authentication together on the same setup, which will allow me to also log in, e.g., with internal users – but somehow (or I’m missing something) I’m not able to see the form which allows me to log in to Kibana, e.g., with the admin user; instead, it redirects me to the SSO.

This is my config.yml file for OpenID:

```yaml
---
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      internal_auth:
        order: 0
        description: "HTTP basic authentication using the internal user database"
        enabled: true
        http_enabled: true
        transport_enabled: true
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        enabled: true
        http_enabled: true
        transport_enabled: true
        order: 1
        description: "Authenticate via Azure OpenID"
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: $connect_url
            enable_ssl: true
            verify_hostnames: false
        authentication_backend:
          type: noop
```

And for Kibana I just followed this guideline: https://opendistro.github.io/for-elasticsearch-docs/old/0.9.0/docs/security/openid-connect/#kibana-single-sign-on

Is there something quite fundamental I’m missing here? :frowning:

Many thanks for your help in advance.

Update: I was just missing this part: https://kibana_url/app/login redirects you to basic authentication. It is all about cookies :frowning: as described here: https://github.com/elastic/kibana/issues/25257#issuecomment-523059198

But it doesn’t pass. I get:

```
Request failed authentication.
Version: 7.9.1
Build: 33912
Error: Forbidden
    at Fetch._callee3$ (https://xxxx/33912/bundles/core/core.entry.js:34:109213)
    at l (https://xxxx/33912/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:368:155323)
    at Generator._invoke (https://xxxx/33912/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:368:155076)
    at Generator.forEach.e.<computed> [as next] (https://xxxx/33912/bundles/kbn-ui-shared-deps/kbn-ui-shared-deps.js:368:155680)
    at fetch_asyncGeneratorStep (https://xxxx/33912/bundles/core/core.entry.js:34:102354)
    at _next (https://xxxx/33912/bundles/core/core.entry.js:34:102670)
```

Anything which will enable authentication?

Best regards,

I’m not sure that you can have both the default Kibana login screen and the ID provider login screen.

The ODFE security plugin is based on Search Guard. In their documentation, it says that the default login page will not work with SSO.


I see. Thanks a lot, @plele-ssc, for your valuable input; it makes sense. I will look into it and see how I will be able to manage the roles/groups to the ones on ODFE so that I do not need to re-use the internal user, e.g. admin, for administrating the other settings on the cluster, but instead define them on AD.

Best regards,