Proxy authentication and authorization config

We have set up apache proxy login and kibana receives username and organisation in headers and want to map this to user roles. However we only get the opendistro security login screen ( which works for internal users). I was expecting this login not to pop up when authenticated by proxy. I can see in the kibana log that the field : oidc_claim_connect-userid_sec is present in the request and got the value that I specd in roles mapping.

The roles mapping :
“backend_roles”: [
“hosts”: ,
“users”: [
“description”: “Maps admin to all_access”

parts of securityconfig/config.yml :
description: “Authenticate via proxy”
http_enabled: true
transport_enabled: true
order: 3
type: proxy
challenge: false
user_header: “oidc_claim_connect-userid_sec”
# roles_header: “ssl_server_s_dn_o”
type: noop
description: “Authenticate via HTTP Basic against internal users database”
http_enabled: true
transport_enabled: true
order: 4

In order to skip the Login screen and redirect to the Kibana page, you need to pass 2 headers
x-proxy-user and x-proxy-roles. Can you verify if these headers are being sent from your authentication gateway/proxy login to Kibana?
You can also check the Kibana logs or use Chrome Developer tools to verify the header information.


I verified that x-proxy-user is correct, but I don’t have anything sensible for the role, so x-proxy-role is empty. Is that a problem ?

As far as I have experienced, both headers are mandatory for the Proxy authentication to work correctly. You could try with a role that comes by default to see if it works. e.g “readall” or “admin”

Ok then I added x-forwarded-host as the role field. I made a role called as the forwarded-host and made it as kibana_user. I also made a role mapping for this role for a specific userid with backend role kibanauser.

Still no luck. I get to the basic_auth login window. proxy_auth_domain: order: 3 and basic_internal_auth_domain: order: 4.

Is there any tracing I could turn on the see what’s happening ?