Configure searchguard to work with SSO

Hi,

I’ve installed Searchguard 5 with Kibana and Elasticsearch.

I’m able to authenticate with basic authentication (searchguard db).

Now I need to make it work with proxy authentication / SSO.

I installed apache with a war that redirect the request to our global logon page. Once the user is trying to reach Kibana with the following address: http://myInternalDNSName:8080/kibana, the request is redirected to our global logon page.

After I enter my SSO credentials, the requested is redirected back to Kibana but then I get a pop up prompt me to login with basic authentication. If I do so I was able to access Kibana.

It seems that the header returned to Kibana is the root cause.

Can someone help me to figure out how I need to configure it?

In addition, I ran the following curl test and the result shows an error:

curl -k -XGET ‘https://127.0.0.1:9200/_searchguard/authinfo?pretty=true’ -v -H “x-proxy-user: myUserName” -H “x-proxy-roles: sg_all_access” -H “x-forwarded-for: 127.0.0.1”

Result:

  • About to connect() to 127.0.0.1 port 9200 (#0)
  • Trying 127.0.0.1… connected
  • Connected to 127.0.0.1 (127.0.0.1) port 9200 (#0)
  • Initializing NSS with certpath: sql:/etc/pki/nssdb
  • warning: ignoring value of ssl.verifyhost
  • skipping SSL peer certificate verification
  • NSS: client certificate not found (nickname not specified)
  • SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • Server certificate:
  • start date: Aug 09 20:51:28 2017 GMT
  • expire date: Aug 09 20:51:28 2019 GMT
  • common name: localhost
  • issuer: CN=floragunn Gmbh Signing CA,OU=floragunn Gmbh Signing CA,O=floragunn Gmbh

GET /_searchguard/authinfo?pretty=true HTTP/1.1
User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Host: 127.0.0.1:9200
Accept: /
x-proxy-user: ot865k
x-proxy-roles: sg_all_access
x-forwarded-for: 127.0.0.1

< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 317
<
{
“user” : “User [name=ot865k, roles=[sg_all_access]]”,
“user_name” : “ot865k”,
“user_requested_tenant” : null,
“remote_address” : “127.0.0.1”,
“sg_roles” : [
“sg_own_index”,
“sg_public”
],
“sg_tenants” : {
“ot865k” : true
},
“principal” : null,
“peer_certificates” : “0”
}

  • Connection #0 to host 127.0.0.1 left intact
  • Closing connection #0

Thanks,

Omer.

···
  • subject: CN=localhost

Hi,
I've installed Searchguard 5 with Kibana and Elasticsearch.
I'm able to authenticate with basic authentication (searchguard db).
Now I need to make it work with proxy authentication / SSO.
I installed apache with a war that redirect the request to our global logon page. Once the user is trying to reach Kibana with the following address: http://myInternalDNSName:8080/kibana, the request is redirected to our global logon page.
After I enter my SSO credentials, the requested is redirected back to Kibana but then I get a pop up prompt me to login with basic authentication. If I do so I was able to access Kibana.

Pls. post your sg_config.yml as well as your kibana.yml

It seems that the header returned to Kibana is the root cause.
Can someone help me to figure out how I need to configure it?
In addition, I ran the following curl test and the result shows an error:

"HTTP/1.1 200 OK" looks not like an error, so which error you mean?

···

Am 22.08.2017 um 15:43 schrieb Omer Twito <twitoomer@gmail.com>:

curl -k -XGET 'https://127.0.0.1:9200/_searchguard/authinfo?pretty=true' -v -H "x-proxy-user: myUserName" -H "x-proxy-roles: sg_all_access" -H "x-forwarded-for: 127.0.0.1"

Result:
* About to connect() to 127.0.0.1 port 9200 (#0)
* Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 9200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=localhost
* start date: Aug 09 20:51:28 2017 GMT
* expire date: Aug 09 20:51:28 2019 GMT
* common name: localhost
* issuer: CN=floragunn Gmbh Signing CA,OU=floragunn Gmbh Signing CA,O=floragunn Gmbh
> GET /_searchguard/authinfo?pretty=true HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 127.0.0.1:9200
> Accept: */*
> x-proxy-user: ot865k
> x-proxy-roles: sg_all_access
> x-forwarded-for: 127.0.0.1
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 317
<
{
  "user" : "User [name=ot865k, roles=[sg_all_access]]",
  "user_name" : "ot865k",
  "user_requested_tenant" : null,
  "remote_address" : "127.0.0.1",
  "sg_roles" : [
    "sg_own_index",
    "sg_public"
  ],
  "sg_tenants" : {
    "ot865k" : true
  },
  "principal" : null,
  "peer_certificates" : "0"
}
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0

Thanks,
Omer.

--
You received this message because you are subscribed to the Google Groups "Search Guard Community Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to search-guard+unsubscribe@googlegroups.com.
To post to this group, send email to search-guard@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/16e82a55-0716-4f01-8c0b-152188c1f3da%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.