OpenID connect with Azure AD fails with newest Search Guard (7.17.1+53.1.0)

OpenID connect fails after upgrading ElasticSearch and Search Guard from 7.5+41 to 7.17+53.

Elasticsearch version:
elkversion: “7.17.1”
sgversion: “53.1.0”
sgkibanaversion: “53.0.0”

Server OS version: Docker images built using the build.sh tool

Describe the issue:
After upgrading to the newest search guard version, I can no longer login via OpenID with Azure AD.
Elastic search and kibana seems to deploy fine, but I am greeted with an Authentication Error page.

Steps to reproduce:
Deployed via helm3 chart, with small modifications to work with our RBAC and Ingress/Loard balancer setup, and old data volume claims.

Expected behavior:
We upgraded from ElasticSearch version 7.15.2 and SearchGuard 41.1.0, where authentication worked, so we expect that we are seamlessly forwarded to the azure AD authentication site, but this never happens.

Provide configuration:
elasticsearch.yml (2.1 KB)
kibana.yml (2.2 KB)
sg_config.yml (970 Bytes)

Provide logs:
kibana-logs.txt (38.9 KB)

Screenshots:
Errors in browser console:

image1715×654 93.9 KB

Additional data:

@hjalte_kiefer_vestas I’ve checked your config and I was able to login to Azure using versions 7.5 and 7.17.
Could you take a look at OpenID troubleshooting in SG docs?

Please be aware that trace level can expose sensitive data.

Hello Pablo.
Thank you for checking. That was really helpful, since it ruled out any issues with the configuration.

Now the issue turned out to be due to SSL termination in our reverse proxy, we had this setup:

Browser ----HTTPS—> Reverse Proxy (SSL Terminated) -----HTTPS------> Kibana (with SSL)

When connecting like this, java scripts were not allowed to be executed in the browser, so I had to make the connection like this:

Browser ----HTTPS—> Reverse Proxy (SSL Terminated) -----HTTP------> Kibana

And now it works.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.