I’m trying to integrate Keycloak with Search Guard using OpenID, but keep getting errors that the IdP configuration endpoint is not accessible.
I’m able to access the endpoint using this curl command:
curl -k https://keycloak/auth/realms/realm/.well-known/openid-configuration --cacert /path/to/cacert.pem --cert /path/to/cert.pem
I’m trying to translate that to configuration options in the config files, but can’t seem to get it to work.
Below are the relevant sections of my config files:
sg_config.yml
searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11' # regex pattern
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            enable_ssl: true
            verify_hostnames: false
            enable_ssl_client_auth: true
            pemtrustedcas_filepath: /path/to/cacert.pem
            pemkey_filepath: /path/to/key.pem
            pemcert_filepath: /path/to/cert.pem
            openid_connect_url: https://keycloak/auth/realms/realm/.well-known/openid-configuration
            subject_key: preferred_username
            roles_key: roles
        authentication_backend:
          type: noop
kibana.yml
xpack.spaces.enabled: false
xpack.security.enabled: false
searchguard.auth.type: "openid"
searchguard.openid.connect_url: "https://keycloak/auth/realms/realm/.well-known/openid-configuration"
searchguard.openid.client_id: "kibana"
searchguard.openid.client_secret: "xxx"
searchguard.openid.base_redirect_url: "http://localhost:5601"
searchguard.openid.root_ca: "/path/to/cacert.pem"
searchguard.openid.verify_hostnames: false
Below are the logs. I can’t get any more detailed information by changing the logging level.
kibana_1 | {"type":"log","@timestamp":"2020-04-27T14:55:04Z","tags":["status","plugin:searchguard@6.8.6-19.0","info"],"pid":1,"state":"yellow","message":"Status changed from yellow to yellow - 'searchguard.cookie.secure' is set to false, cookies are transmitted over unsecure HTTP connection. Consider using HTTPS and set this key to 'true'","prevState":"yellow","prevMsg":"Default cookie password detected, please set a password in kibana.yml by setting 'searchguard.cookie.password' (min. 32 characters)."}
kibana_1 | {"type":"log","@timestamp":"2020-04-27T14:55:04Z","tags":["error","searchguard"],"pid":1,"message":"An error occurred while enabling session management: Error: Failed when trying to obtain the endpoints from your IdP"}
kibana_1 | {"type":"log","@timestamp":"2020-04-27T14:55:04Z","tags":["status","plugin:searchguard@6.8.6-19.0","error"],"pid":1,"state":"red","message":"Status changed from yellow to red - An error occurred during initialisation, please check the logs.","prevState":"yellow","prevMsg":"'searchguard.cookie.secure' is set to false, cookies are transmitted over unsecure HTTP connection. Consider using HTTPS and set this key to 'true'"}
I want to make sure my configuration is correct before digging into potentially deeper issues. Am I missing something?
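The following is an added diagnostic example, not code from the original post or from Search Guard. It reproduces the step the Kibana plugin fails at ("obtain the endpoints from your IdP"): fetch the discovery document over TLS with the same trust material the curl command uses (a CA file for server trust and a client certificate for mutual TLS, with hostname verification optionally disabled as in `verify_hostnames: false`), then check that the document actually carries the endpoints a relying party needs and that its `issuer` matches the configured URL. The discovery URL, certificate paths and the sample discovery document are assumed or constructed values; the only network call is in `fetch_discovery`, so the checks can be exercised offline.

```python
"""Added example (not part of the original post): fetch a Keycloak discovery
document the way an OpenID Connect relying party would and validate it.
URL, certificate paths and SAMPLE_DOC are assumed / constructed values."""
import json
import ssl
import urllib.request

# Keys a relying party needs before it can start the authorization-code flow
# and validate the resulting tokens.
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")


def build_ssl_context(cacert=None, cert=None, key=None, verify_hostnames=True):
    """Mirror the curl flags from the post: --cacert for server trust and
    --cert (plus a key file) for client authentication. cacert=None falls
    back to the system trust store."""
    ctx = ssl.create_default_context(cafile=cacert)
    if cert:
        # A Keycloak endpoint that requires mutual TLS rejects the handshake
        # without a client certificate; this is what pemcert_filepath /
        # pemkey_filepath supply on the Search Guard side.
        ctx.load_cert_chain(certfile=cert, keyfile=key)
    if not verify_hostnames:
        # Equivalent of verify_hostnames: false -- the chain is still
        # validated against the CA, only the hostname/SAN match is skipped.
        ctx.check_hostname = False
    return ctx


def fetch_discovery(url, ctx, timeout=10):
    """Fetch and parse .well-known/openid-configuration (network call)."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def missing_endpoints(doc):
    """Return the required discovery keys absent or empty in doc ([] = OK)."""
    return [k for k in REQUIRED_KEYS if not doc.get(k)]


def check_issuer(doc, connect_url):
    """The issuer must equal the discovery URL minus '/.well-known/...'.
    A mismatch usually means Keycloak advertises a different frontend URL
    than the one Kibana was configured with, which breaks token validation."""
    expected = connect_url.rsplit("/.well-known/", 1)[0]
    return doc.get("issuer") == expected


# Constructed sample, shaped like a Keycloak discovery response.
CONNECT_URL = "https://keycloak/auth/realms/realm/.well-known/openid-configuration"
SAMPLE_DOC = {
    "issuer": "https://keycloak/auth/realms/realm",
    "authorization_endpoint": "https://keycloak/auth/realms/realm/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak/auth/realms/realm/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak/auth/realms/realm/protocol/openid-connect/certs",
    "end_session_endpoint": "https://keycloak/auth/realms/realm/protocol/openid-connect/logout",
}


def validate(doc, connect_url):
    """Aggregate the offline checks into one pass/fail with reasons."""
    problems = [f"missing {k}" for k in missing_endpoints(doc)]
    if not check_issuer(doc, connect_url):
        problems.append(f"issuer {doc.get('issuer')!r} != prefix of {connect_url}")
    return (len(problems) == 0, problems)


if __name__ == "__main__":
    # Offline run against the constructed document.
    print(validate(SAMPLE_DOC, CONNECT_URL))
    # Live run (assumed paths, mirrors the curl command in the post):
    # ctx = build_ssl_context("/path/to/cacert.pem", "/path/to/cert.pem",
    #                         "/path/to/key.pem", verify_hostnames=False)
    # print(validate(fetch_discovery(CONNECT_URL, ctx), CONNECT_URL))
```

Running the live variant from the Kibana host with the plugin's own certificate files separates a transport failure (handshake or trust error raised by `urlopen`) from a content problem (the document is reachable but `validate` reports missing keys or an issuer mismatch), which is the distinction the plugin's single "Failed when trying to obtain the endpoints" message hides.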