Issue in integration of searchguard kibana plugin with ssl-enabled keycloak

Hi,

I am having trouble achieving Kibana single sign-on with the Keycloak IdP.

I have followed the documentation from: https://search-guard.com/kibana-openid-keycloak/

My keycloak is ssl-enabled and is accessed via https.

  • Search Guard: 6.4.1
  • Elasticsearch version: 6.4.1
  • Installed and used enterprise modules: OpenID-based authentication
  • JVM version: openjdk 1.8-191
  • Operating system version: RHEL 7.5
  • Search Guard configuration files: attached kibana.yml & sg_config.yml
  • Elasticsearch log messages on debug level: no related logs

These are my configuration files.

kibana.yml (attached full file):

```yaml
# SSL for outgoing requests from the Kibana Server to the browser (PEM formatted)
server.ssl.cert: /etc/kibana/admin.crt.pem
server.ssl.key: /etc/kibana/admin.key.pem
server.ssl.supportedProtocols: ["TLSv1.2"]
searchguard.cookie.secure: true

searchguard.auth.type: "openid"
searchguard.openid.connect_url: "https://x.x.x.x:8666/auth/realms/elk/.well-known/openid-configuration"
searchguard.openid.client_id: "elk-kibana-sso"
searchguard.openid.client_secret: "a70c7db0-939e-444b-bc91-b652d10bc60c"
searchguard.openid.header: "Authorization"

# The Elasticsearch instance to use for all your queries.
elasticsearch.url: "https://x.x.x.x:9200"
```

sg_config.yml (attached full file):

```yaml
authc:
  openid_auth_domain:
    http_enabled: true
    enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: openid
      challenge: false
      config:
        subject_key: preferred_username
        roles_key: roles
        openid_connect_url: https://x.x.x.x:8666/auth/realms/belk/.well-known/openid-configuration
        verify_hostnames: false
    authentication_backend:
      type: noop
  basic_internal_auth_domain:
    http_enabled: true
    enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: internal
```

Keycloak client settings: see the attached screenshot kibana-sso-client.PNG.

Note: Kibana and the Keycloak server are running on the same machine.

Keycloak is accessible via https://x.x.x.x:8666/auth

With the above configurations, when I enter the Kibana URL in the browser, i.e. https://x.x.x.x:5601:

  • it redirects to Keycloak's UI, i.e.
    https://x.x.x.x:8666/auth/realms/elk/protocol/openid-connect/auth?client_id=elk-kibana-sso&response_type=code&redirect_uri=https%3A%2F%2Fx.x.x.x%3A5601%2Fauth%2Fopenid%2Flogin&state=6dlsAjt7Xd4Kw6OwkgLc7i&scope=openid%20profile%20email%20address%20phone
  • on the Keycloak UI, I enter the user's credentials and submit

with the following error message on the screen:


```json
{"statusCode":502,"error":"Bad Gateway","message":"self signed certificate"}
```

I could not find any log messages related to this in Kibana or Elasticsearch.

With the same setup, when I use SSL-disabled Keycloak (i.e. Keycloak on http), I am able to successfully log in to Kibana.

Can you tell me if I have missed any configurations on Keycloak's or Kibana's side to achieve this functionality?

Thanks,

Shivani
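The `self signed certificate` message in the 502 body above is the text Node.js (Kibana's server process) attaches to an OpenSSL chain-validation failure: the TLS handshake to the IdP is rejected because the IdP's certificate is not signed by anything in the client's trust store. The example below is added here and is not code from the post, from Search Guard or from Keycloak. It is written in Go rather than Node only because the Go standard library can stand up a throwaway self-signed HTTPS server offline, so the whole round trip runs stand-alone; the trust-store logic is the same one Kibana applies. The realm path is taken from the post, the discovery document is a constructed stub, and the function names are my own.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// startFakeIdP serves a minimal OpenID discovery document over TLS using a
// self-signed certificate, standing in for the HTTPS Keycloak in the post.
// It returns the server and its certificate as PEM, which is what an operator
// would export from the IdP and hand to the relying party as a trusted root.
func startFakeIdP() (*httptest.Server, []byte) {
	mux := http.NewServeMux()
	mux.HandleFunc("/auth/realms/elk/.well-known/openid-configuration",
		func(w http.ResponseWriter, r *http.Request) {
			w.Header().Set("Content-Type", "application/json")
			// Constructed, trimmed-down discovery document (not Keycloak's real output).
			fmt.Fprintf(w, `{"issuer":"https://%s/auth/realms/elk"}`, r.Host)
		})
	srv := httptest.NewTLSServer(mux) // httptest's own self-signed cert, valid for 127.0.0.1
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return srv, caPEM
}

// fetchDiscovery is the GET a relying party (Kibana's Node process in the post)
// makes for the discovery document. roots == nil means "system trust store only".
func fetchDiscovery(url string, roots *x509.CertPool) (int, error) {
	client := &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}},
	}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// isUnknownAuthority reports whether err is a chain-validation failure, i.e. the
// peer certificate is not signed by any trusted root. Go reports this as
// "certificate signed by unknown authority"; Node.js surfaces the same OpenSSL
// condition for a self-signed leaf as "self signed certificate".
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// TrustStoreDemo runs both attempts against the fake IdP. It returns whether the
// first attempt (default trust store) failed on chain validation, and whether the
// second attempt (exported certificate trusted explicitly) got HTTP 200.
func TrustStoreDemo() (failedWithoutCA bool, okWithCA bool, err error) {
	srv, caPEM := startFakeIdP()
	defer srv.Close()
	url := srv.URL + "/auth/realms/elk/.well-known/openid-configuration"

	// 1. Default trust store: the self-signed IdP cert is not in it, so the TLS
	//    handshake is rejected before any HTTP request is sent.
	_, err1 := fetchDiscovery(url, nil)
	failedWithoutCA = isUnknownAuthority(err1)

	// 2. Trust the IdP's certificate explicitly, the equivalent of giving the
	//    relying party a root-CA file. Hostname verification stays enabled and
	//    passes because the certificate carries an IP SAN for 127.0.0.1.
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return failedWithoutCA, false, errors.New("could not parse exported certificate")
	}
	status, err := fetchDiscovery(url, pool)
	if err != nil {
		return failedWithoutCA, false, err
	}
	return failedWithoutCA, status == http.StatusOK, nil
}

func main() {
	failed, ok, err := TrustStoreDemo()
	fmt.Printf("default trust store: chain rejected=%v; with IdP cert trusted: HTTP 200=%v; err=%v\n",
		failed, ok, err)
}
```

Two practitioner notes follow from this. First, there are two separate clients talking to the IdP in the posted setup: Kibana's Node process (discovery document, token endpoint) and Elasticsearch's JVM via the `openid_auth_domain` in sg_config.yml (key material for token verification). Each has its own trust store, so the IdP certificate, or the CA that issued it, has to be trusted by both; fixing only one side moves the error rather than removing it. Second, `verify_hostnames: false` in the posted sg_config.yml relaxes only the hostname-to-certificate match; it does not make an untrusted chain acceptable, so it cannot be the answer to a self-signed-certificate failure. The clean fix is to issue the Keycloak certificate from a CA that both clients trust, or to point each client at the exported certificate as a trusted root (check the Search Guard documentation for your version for the exact setting names on each side), rather than disabling verification.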

We need to look into this, I will keep you updated!

On Friday, November 30, 2018 at 7:23:01 PM UTC+1, shivani.aggarwal2195@gmail.com wrote: