zdenek
November 26, 2021, 3:01pm
1
Hi, we are trying to configure SSO for Kibana; we use Microsoft ADFS and OpenID. We also use an Apache reverse proxy in front of our Kibana, and we have the Kibana server.basePath parameter set.
When we configure OpenID for Kibana, the SSO login process stops at the URL https://ourdomain/ourbasepath/auth/openid/encode?nextUrl=%2Fourbasepath%2F
The source code of the encode page is:
<html>
<head>
<script src="/auth/openid/encode-js"></script>
</head>
<body></body>
</html>
As you can see, the base path is missing in the src of the encode-js script, so the script isn’t loaded and the login process stops here.
We found the JavaScript source of this URL in routes.js, and it seems that the base path is not used in:
httpResources.register({
path: `${_constants.APP_ROOT}${routesPath}encode-js`,
When we use LDAP or SAML, everything works well, but we need to configure OpenID.
Can you please check the whole login process for OpenID when a reverse proxy is used, and either make a fixed version or let us know how to fix this behavior?
Elasticsearch version:
7.15.
Server OS version:
RHEL 7
Kibana version (if relevant):
7.15.1 and 7.10.2 (we tried both)
Describe the issue:
Login process stops at URL: https://ourdomain/ourbasepath/auth/openid/encode?nextUrl=%2Fourbasepath%2F
Steps to reproduce:
configure apache reverse proxy server for kibana
configure kibana with server.basePath parameter
configure openid sso in kibana
try to log in
Expected behavior:
The login process will work.
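An added check, written for this thread and not code from the original post or from Search Guard: it parses the HTML of the encode page, reports every root-relative script src that does not sit under the configured server.basePath, and confirms that the nextUrl parameter of the encode URL stays under that base path. The two HTML documents and the encode URL are constructed to mirror the symptom described above; the function and class names are assumptions of this example.

```python
"""Check whether an OpenID 'encode' page honours Kibana's server.basePath.

When a reverse proxy serves Kibana under a prefix, any root-relative script
src without that prefix is requested by the browser at the proxy root, where
nothing answers, and the login flow stalls. This is an added example; the
sample HTML and URL below are constructed, not captured from a real system.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag (hypothetical helper)."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_srcs(html):
    parser = _ScriptSrcCollector()
    parser.feed(html)
    return parser.srcs


def normalise_base_path(base_path):
    """Kibana expects server.basePath to start with '/' and not end with '/'."""
    base_path = base_path.strip()
    if not base_path.startswith("/"):
        base_path = "/" + base_path
    return base_path.rstrip("/")


def missing_base_path(html, base_path):
    """Return root-relative script src values that do not start with base_path.

    Absolute URLs and document-relative paths are skipped: only a root-relative
    src can bypass the proxy prefix.
    """
    base = normalise_base_path(base_path)
    offending = []
    for src in script_srcs(html):
        parts = urlsplit(src)
        if parts.scheme or parts.netloc:
            continue  # absolute URL, unaffected by basePath
        if not src.startswith("/"):
            continue  # resolves relative to the current (prefixed) path
        if src != base and not src.startswith(base + "/"):
            offending.append(src)
    return offending


def next_url_stays_under_base(encode_url, base_path):
    """True when every nextUrl value of the encode URL is under base_path."""
    base = normalise_base_path(base_path)
    targets = parse_qs(urlsplit(encode_url).query).get("nextUrl", [])
    return all(t == base or t.startswith(base + "/") for t in targets)


# Constructed samples: the page as reported in the thread, and a corrected one.
BROKEN_ENCODE_PAGE = """<html>
<head>
<script src="/auth/openid/encode-js"></script>
</head>
<body></body>
</html>"""

FIXED_ENCODE_PAGE = """<html>
<head>
<script src="/ourbasepath/auth/openid/encode-js"></script>
</head>
<body></body>
</html>"""

ENCODE_URL = "https://ourdomain/ourbasepath/auth/openid/encode?nextUrl=%2Fourbasepath%2F"

if __name__ == "__main__":
    for label, page in (("broken", BROKEN_ENCODE_PAGE), ("fixed", FIXED_ENCODE_PAGE)):
        print(label, "offending script src:", missing_base_path(page, "/ourbasepath"))
    print("nextUrl under base path:", next_url_stays_under_base(ENCODE_URL, "/ourbasepath"))
```

To use it against a live deployment, fetch the body of /<basePath>/auth/openid/encode through the proxy with the browser's developer tools or curl and pass it to missing_base_path together with the server.basePath value from kibana.yml; an empty list means the page would load its script under the prefix.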
pablo
November 29, 2021, 9:15am
2
Hello @zdenek
Would you mind sharing your kibana.yml and sg_config.yml files?
system
Closed
December 20, 2021, 9:15am
3
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.
pablo
December 31, 2021, 3:23pm
4
@zdenek Thanks for providing the files.
I’ve found that in my case I had to set the below in kibana.yml to get it working with keycloak OpenID.
server.basePath: "/basePath"
searchguard.openid.base_redirect_url: "https://<haproxy_FQDN>"
In Keycloak my redirect is set to "https://<haproxy_FQDN>/basePath"
In haproxy.cfg I have the below.
backend kibana1
option httpchk GET /api/status HTTP/1.1\r\nHost:localhost
reqrep ^([^\ :]*)\ /kibana1(\/*)(.*) \1\ /\3
rsprep ^[Cc]ache-[Cc]ontrol:\ no-cache Cache-Control:\ max-age=84600 if { capture.req.uri -m beg /kibana1/ui/ /kibana1/plugins/ /kibana1/bundles/ }
server kibana1 <FQDN_of_destination_kibana>:5601 check ssl verify none
In your case, basePath is present in both server.basePath and searchguard.openid.base_redirect_url.
zdenek
January 24, 2022, 9:24am
6
@pablo
Hi,
We tried to configure searchguard.openid.base_redirect_url: "https://kibana.csint.cz/notix"
and also searchguard.openid.base_redirect_url: "https://kibana.csint.cz", but the behavior is still the same.
The authentication process stops at the URL https://kibana.csint.cz/notix/auth/openid/encode?nextUrl=%2Fnotix%2F because it tries to load the script at the URL "https://kibana.csint.cz/auth/openid/encode-js", and the script doesn’t exist.
I made a screenshot from my browser.
Can you tell us what we can try?
nils
February 23, 2022, 7:09am
7
We have just released a new version of Search Guard which fixes the issue:
Now available: Search Guard 53.
Search Guard 53 brings support for ES 7.17.0, additional functionality for JWT authentication, and bug fixes for OIDC login and Signals.
JWT: The JWT authenticator now allows you to specify expected values for audience and/or issuer claims. If one of these values is specified, a JWT will be only accepted if the value matches.
OIDC Login: The new OIDC redirect handling implemented in Search Guard 51.0 caused issues with many Identity Providers, as it required th…