OpenID connect fails after upgrading ElasticSearch and Search Guard from 7.5+41 to 7.17+53.
Server OS version: Docker images built using the build.sh tool
Describe the issue:
After upgrading to the newest Search Guard version, I can no longer log in via OpenID with Azure AD.
Elasticsearch and Kibana seem to deploy fine, but I am greeted with an Authentication Error page.
Steps to reproduce:
Deployed via helm3 chart, with small modifications to work with our RBAC and Ingress/Load balancer setup, and old data volume claims.
We upgraded from ElasticSearch version 7.15.2 and SearchGuard 41.1.0, where authentication worked, so we expect that we are seamlessly forwarded to the Azure AD authentication site, but this never happens.
elasticsearch.yml (2.1 KB)
kibana.yml (2.2 KB)
sg_config.yml (970 Bytes)
kibana-logs.txt (38.9 KB)
Errors in browser console:
@hjalte_kiefer_vestas I’ve checked your config and I was able to login to Azure using versions 7.5 and 7.17.
Could you take a look at OpenID troubleshooting in SG docs?
Please be aware that trace level can expose sensitive data.
Thank you for checking. That was really helpful, since it ruled out any issues with the configuration.
Now the issue turned out to be due to SSL termination in our reverse proxy. We had this setup:
Browser ----HTTPS----> Reverse Proxy (SSL Terminated) -----HTTPS------> Kibana (with SSL)
When connecting like this, JavaScript was not allowed to be executed in the browser, so I had to make the connection like this:
Browser ----HTTPS----> Reverse Proxy (SSL Terminated) -----HTTP------> Kibana
And now it works.