Hi,

I have trouble in achieving Kibana Single Sign On with keycloak IdP.

I have followed the documentation from: Kibana Single Sign-On with OpenID and Keycloak | Search Guard

My keycloak is ssl-enabled and is accessed via https.

• Search Guard: 6.4.1

Elasticsearch version: 6.4.1

• Installed and used enterprise modules: openid-based authentication

• JVM version: openjdk 1.8-191

operating system version: RHEL 7.5

• Search Guard configuration files : Attached kibana.yml & sg_config.yml

• Elasticsearch log messages on debug level: No related logs

These are my configuration files.

kibana.yml : (attached full file)

SSL for outgoing requests from the Kibana Server to the browser (PEM formatted)

server.ssl.cert: /etc/kibana/admin.crt.pem
server.ssl.key: /etc/kibana/admin.key.pem
server.ssl.supportedProtocols: [“TLSv1.2”]
searchguard.cookie.secure: true

searchguard.auth.type: “openid”
searchguard.openid.connect_url: “https://x.x.x.x:8666/auth/realms/elk/.well-known/openid-configuration”
searchguard.openid.client_id: “elk-kibana-sso”
searchguard.openid.client_secret: “a70c7db0-939e-444b-bc91-b652d10bc60c”
searchguard.openid.header: “Authorization”

The Elasticsearch instance to use for all your queries.

elasticsearch.url: “https://x.x.x.x:9200”

``

sg_config.yml (attached full file )
authc:
openid_auth_domain:
http_enabled: true
enabled: true
transport_enabled: true
order: 1
http_authenticator:
type: openid
challenge: false
config:
subject_key: preferred_username
roles_key: roles
openid_connect_url: https://x.x.x.x:8666/auth/realms/belk/.well-known/openid-configuration
verify_hostnames: false
authentication_backend:
type: noop
basic_internal_auth_domain:
http_enabled: true
enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: internal

``

Keycloak client settings look like this:

kibana-sso-client.PNG1717×862 67.2 KB

Note: Kibana and keycloak server are running on the same machine.

Keycloak is accessible via https://x.x.x.x:8666/auth

With the above configurations, when I enter kibana url in the browser i.e. https://x.x.x.x:5601 :

• it redirects to keycloak’s UI i.e.

https://x.x.x.x:8666/auth/realms/elk/protocol/openid-connect/auth?client_id=elk-kibana-sso&response_type=code&redirect_uri=https%3A%2F%2Fx.x.x.x%3A5601%2Fauth%2Fopenid%2Flogin&state=6dlsAjt7Xd4Kw6OwkgLc7i&scope=openid%20profile%20email%20address%20phone

``

• on the keycloak UI, I enter the user’s credentials and submit

• it redirects to https://x.x.x.x:5601/auth/openid/login?state=jbLzzzkoOCp..&session_state=32af94e9-9…

with this following error messsage on the screen.

<a class='attachment' href='//cdck-file-uploads-global.s3.dualstack.us-west-2.amazonaws.com/business5/uploads/search_guard/original/1X/961d4ef605ac280b5d632ca7cc0d7a7a6db59e38.yml'>kibana.yml</a> (3.64 KB)



<a class='attachment' href='//cdck-file-uploads-global.s3.dualstack.us-west-2.amazonaws.com/business5/uploads/search_guard/original/1X/1e6ae5e388b52de92f789e8e0e52a829819ee3c7.yml'>sg_config.yml</a> (8.25 KB)



<details class='elided'>
<summary title='Show trimmed content'>&#183;&#183;&#183;</summary>

**
{"statusCode":502,"error":"Bad Gateway","message":"self signed certificate"}**

I could not find any log messages related to this in kibana or elasticsearch.

With the same setup, when I use ssl-disabled keycloak (i.e keycloak on http), I am able to successfully login to kibana.

Can you tell me if I have missed any configurations on keycloak or kibana's side to achieve this functionality?

Thanks,

Shivani

</details>

We need to look into this, I will keep you updated!