Hi,
I’ve installed Searchguard 5 with Kibana and Elasticsearch.
I’m able to authenticate with basic authentication (searchguard db).
Now I need to make it work with proxy authentication / SSO.
I installed Apache with a WAR that redirects the request to our global logon page. Once the user tries to reach Kibana at the following address: http://myInternalDNSName:8080/kibana, the request is redirected to our global logon page.
After I enter my SSO credentials, the request is redirected back to Kibana, but then I get a pop-up prompting me to log in with basic authentication. If I do so, I am able to access Kibana.
It seems that the header returned to Kibana is the root cause.
Can someone help me to figure out how I need to configure it?
In addition, I ran the following curl test and the result shows an error:
curl -k -XGET 'https://127.0.0.1:9200/_searchguard/authinfo?pretty=true' -v -H "x-proxy-user: myUserName" -H "x-proxy-roles: sg_all_access" -H "x-forwarded-for: 127.0.0.1"
Result:
- About to connect() to 127.0.0.1 port 9200 (#0)
- Trying 127.0.0.1... connected
- Connected to 127.0.0.1 (127.0.0.1) port 9200 (#0)
- Initializing NSS with certpath: sql:/etc/pki/nssdb
- warning: ignoring value of ssl.verifyhost
- skipping SSL peer certificate verification
- NSS: client certificate not found (nickname not specified)
- SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- Server certificate:
- start date: Aug 09 20:51:28 2017 GMT
- expire date: Aug 09 20:51:28 2019 GMT
- common name: localhost
- issuer: CN=floragunn Gmbh Signing CA,OU=floragunn Gmbh Signing CA,O=floragunn Gmbh
GET /_searchguard/authinfo?pretty=true HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: 127.0.0.1:9200
Accept: */*
x-proxy-user: ot865k
x-proxy-roles: sg_all_access
x-forwarded-for: 127.0.0.1
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 317
<
{
  "user" : "User [name=ot865k, roles=[sg_all_access]]",
  "user_name" : "ot865k",
  "user_requested_tenant" : null,
  "remote_address" : "127.0.0.1",
  "sg_roles" : [
    "sg_own_index",
    "sg_public"
  ],
  "sg_tenants" : {
    "ot865k" : true
  },
  "principal" : null,
  "peer_certificates" : "0"
}
- Connection #0 to host 127.0.0.1 left intact
- Closing connection #0
Thanks,
Omer.
- subject: CN=localhost