Hi @srgbnd
About the application: the application web-client has a button and, when it is clicked, the browser opens Kibana in a new tab. This is how they are integrated. Normally Kibana does not ask for a second authentication, since the user is already authenticated with Keycloak during login to the application web-client.
Searchguard configmap as below:
sg_config.yml: |-
  ---
  _sg_meta:
    type: "config"
    config_version: 2
  sg_config:
    dynamic:
      http:
        anonymous_auth_enabled: false
        xff:
          enabled: false
          internalProxies: '.+'
      authc:
        basic_internal_auth_domain:
          http_enabled: true
          transport_enabled: true
          order: 0
          http_authenticator:
            type: "basic"
            challenge: false # Set this to false when keycloak authentication is enabled
          authentication_backend:
            type: "intern"
        keycloak_auth_domain:
          http_enabled: true # Set to true to enable keycloak authentication
          transport_enabled: true
          order: 1
          http_authenticator:
            type: keycloak
            challenge: false
            config:
              username_key: preferred_username
              roles_key: roles
              keycloak_connect_url: https://IP:port/auth/realms/master/.well-known/openid-configuration
              client_id: clientid
              client_secret: XXXX
          authentication_backend:
            type: noop
        proxy_auth_domain:
          http_enabled: false
          transport_enabled: false
          order: 3
          http_authenticator:
            type: "proxy"
            challenge: false
            config:
              user_header: "x-proxy-user"
              #roles_header: "x-proxy-roles"
          authentication_backend:
            type: "noop"
        clientcert_auth_domain:
          http_enabled: false
          transport_enabled: false
          order: 2
          http_authenticator:
            challenge: false
            type: "clientcert"
            config:
              username_attribute: "cn"
          authentication_backend:
            type: "noop"
Kibana configmap as below:
kibana.yml: |-
  ---
  # Do not change server name and host. This is the default configuration.
  server.name: kibana
  server.customResponseHeaders: { "X-Frame-Options": "DENY" }
  csp.strict: true
  # Enable server.ssl.supportedProtocols when SG is enabled.
  #server.ssl.supportedProtocols: ["TLSv1.2"]
  # The searchguard cookie can be secured by setting the parameter below to true. Uncomment it when SG is enabled.
  #searchguard.cookie.secure: true
  # Whitelist basic headers and multi tenancy header
  ##elasticsearch.requestHeadersWhitelist: [ "Authorization", "sgtenant", "x-forwarded-for", "x-proxy-user", "x-proxy-roles" ]
  # Uncomment the section below for keycloak authentication and provide the required correct parameters
  searchguard.auth.type: "openid"
  searchguard.openid.connect_url: "https://IP:port/auth/realms/master/.well-known/openid-configuration"
  searchguard.openid.client_id: "clientid"
  searchguard.openid.client_secret: "XXXX"
  searchguard.openid.header: "Authorization"
  ### For the kibana service on ingress, the port is not required
  searchguard.openid.base_redirect_url: "https://IP:port"
  ### Do not change the root_ca file path as this is the default mount path.
  searchguard.openid.root_ca: "/path/keycloak-root-ca.pem"
  searchguard.openid.verify_hostnames: false
Also, can you provide a little more detail about this approach: "A possible workaround might be introducing a new SG API endpoint to allow deleting cookies or credentials inside the cookie if the request is authenticated."
Please let me know in case you require more details from my end.
Thanks
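As an added example (not part of this post and not Search Guard or Kibana code), the script below lints a sg_config.yml / kibana.yml pair like the one above. It embeds constructed, trimmed copies of the two configs (secrets kept as the XXXX placeholders), parses the mapping-only YAML subset these files use, and cross-checks the settings that must agree on both sides: the OpenID connect URL, client id and secret, whether any HTTP auth domain still sends a challenge, and whether the IdP certificate hostname check is disabled.

```python
"""Lint a Search Guard authc config against the matching Kibana OpenID config.

Added example, not Search Guard or Kibana code. The two strings below are
constructed copies of the configs in the post, trimmed to the relevant keys.
"""

SG_CONFIG = """\
sg_config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        order: 0
        http_authenticator:
          type: "basic"
          challenge: false # off so Kibana's OpenID redirect starts the login
        authentication_backend:
          type: "intern"
      keycloak_auth_domain:
        http_enabled: true
        order: 1
        http_authenticator:
          type: keycloak
          challenge: false
          config:
            username_key: preferred_username
            roles_key: roles
            keycloak_connect_url: https://IP:port/auth/realms/master/.well-known/openid-configuration
            client_id: clientid
            client_secret: XXXX
        authentication_backend:
          type: noop
"""

KIBANA_CONFIG = """\
searchguard.auth.type: "openid"
searchguard.openid.connect_url: "https://IP:port/auth/realms/master/.well-known/openid-configuration"
searchguard.openid.client_id: "clientid"
searchguard.openid.client_secret: "XXXX"
searchguard.openid.header: "Authorization"
searchguard.openid.base_redirect_url: "https://IP:port"
searchguard.openid.verify_hostnames: false
"""


def _coerce(value):
    """Turn YAML scalars true/false/integers into Python values; keep the rest as str."""
    low = value.lower()
    if low in ("true", "false"):
        return low == "true"
    return int(value) if value.isdigit() else value


def parse_mapping_yaml(text):
    """Parse nested `key: value` mappings by indentation.

    Lists, anchors and multi-line scalars are not supported; comments and the
    `---` document marker are skipped. That is enough for these two files.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open level
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or stripped == "---":
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = stripped.partition(":")  # first colon only: URLs keep theirs
        value = value.strip().strip("\"'")
        while stack[-1][0] >= indent:  # close deeper or sibling levels
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = _coerce(value)
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def lint(sg_text, kibana_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    sg = parse_mapping_yaml(sg_text)
    kb = parse_mapping_yaml(kibana_text)
    findings = []
    domains = sg["sg_config"]["dynamic"]["authc"]
    enabled = {n: d for n, d in domains.items() if d.get("http_enabled")}
    orders = [d.get("order") for d in enabled.values()]
    if len(orders) != len(set(orders)):
        findings.append("duplicate 'order' values among HTTP-enabled auth domains")
    if not any(d["http_authenticator"].get("challenge") for d in enabled.values()):
        findings.append("no HTTP-enabled auth domain sets challenge: true, so Elasticsearch "
                        "never prompts for Basic auth; Kibana's OpenID redirect must start the login")
    oidc = [d["http_authenticator"] for d in enabled.values()
            if d["http_authenticator"].get("type") in ("keycloak", "openid")]
    if kb.get("searchguard.auth.type") == "openid":
        if not oidc:
            findings.append("kibana uses openid but no keycloak/openid authc domain is HTTP-enabled")
        for auth in oidc:
            cfg = auth.get("config", {})
            for sg_key, kb_key in (("keycloak_connect_url", "searchguard.openid.connect_url"),
                                   ("client_id", "searchguard.openid.client_id"),
                                   ("client_secret", "searchguard.openid.client_secret")):
                if cfg.get(sg_key) != kb.get(kb_key):
                    findings.append(f"{sg_key} in sg_config.yml differs from {kb_key} in kibana.yml")
    if kb.get("searchguard.openid.verify_hostnames") is False:
        findings.append("verify_hostnames is false: Kibana will not check the hostname "
                        "in the Keycloak certificate when fetching the OpenID configuration")
    return findings


if __name__ == "__main__":
    for finding in lint(SG_CONFIG, KIBANA_CONFIG):
        print("-", finding)
```

Run against the constructed pair it reports two findings: that no domain challenges (expected with the Kibana OpenID flow, as the config comment says) and that hostname verification is off. A mismatch in connect URL, client id or secret between the two files, which is a common cause of Kibana bouncing back to the login page, would show up as an additional finding.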