Unable to configure keycloak as Idp Kibana

I am using the demo Search Guard scripts to initialize Search Guard.
Below are the relevant configuration snippets.

I always get a "failed to obtain openid endpoint from your IdP" error. I checked using curl: the endpoint is accessible and I get all the Keycloak metadata.

I am running Kibana and Elasticsearch as RPMs on CentOS 7.

  • Your Search Guard configuration files

    http:
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_url: https://keycloak-host:31809/auth/realms/ABC/.well-known/openid-configuration
            subject_key: preferred_username
            roles_key: roles
            enable_ssl: false
            verify_hosts: false
        authentication_backend:
          type: noop

  • Your elasticsearch.yml configuration file

    # WARNING: revise all the lines below before you go into production
    searchguard.ssl.transport.pemcert_filepath: esnode.pem
    searchguard.ssl.transport.pemkey_filepath: esnode-key.pem
    searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem
    searchguard.ssl.transport.enforce_hostname_verification: false
    searchguard.ssl.http.enabled: true
    searchguard.ssl.http.pemcert_filepath: esnode.pem
    searchguard.ssl.http.pemkey_filepath: esnode-key.pem
    searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
    searchguard.allow_unsafe_democertificates: true
    searchguard.allow_default_init_sgindex: true
    searchguard.authcz.admin_dn:
      - CN=kirk,OU=client,O=client,L=test, C=de

    searchguard.audit.type: internal_elasticsearch
    searchguard.enable_snapshot_restore_privilege: true
    searchguard.check_snapshot_restore_write_privileges: true
    searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS"]
    cluster.routing.allocation.disk.threshold_enabled: false
    cluster.name: searchguard_demo
    node.max_local_storage_nodes: 3
    xpack.security.enabled: false
    ######## End Search Guard Demo Configuration ########

If you are using Kibana, please also add:

  • Your kibana.yml configuration file

    xpack.security.enabled: false

    searchguard.cookie.password : "--------------------------------------"
    searchguard.auth.type: "openid"
    searchguard.openid.connect_url: "https://keycloak-host:31809/auth/realms/ABC/.well-known/openid-configuration"
    searchguard.openid.client_id: "kibana"
    searchguard.openid.client_secret: "xxxxxxx"
    searchguard.cookie.secure: true

Kibana Logs
Jun 27 17:19:41 host-fqdn kibana[28806]: {"type":"log","@timestamp":"2019-06-27T17:19:41Z","tags":["error","searchguard"],"pid":28806,"message":"An error occurred while enabling session management: Error: Failed when trying to obtain the endpoints from your IdP"}
Jun 27 17:19:41 host-fqdn kibana[28806]: {"type":"log","@timestamp":"2019-06-27T17:19:41Z","tags":["status","plugin:searchguard@7.1.1-35.2.0","error"],"pid":28806,"state":"red","message":"Status changed from yellow to red - An error occurred during initialisation, please check the logs.","prevState":"yellow","prevMsg":"Initialising Search Guard authentication plugin."}

You are using HTTPS to connect to Keycloak, what kind of certificate are you using? Is this a self-signed certificate?

If so, I guess you need to configure the root CA in both the Kibana plugin and in the Search Guard configuration.

For Kibana, use:

    searchguard.openid.root_ca: /path/to/root-ca.pem
    searchguard.openid.verify_hostnames: true|false

If you set the latter to true, then the Kibana plugin will check whether the hostname in the Keycloak certificate matches the Keycloak hostname. If you set it to false this check is omitted.

For the Search Guard Elasticsearch plugin, you can either use a root CA file, or add the root CA to the configuration directly. This is described here:

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.
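
To tell apart the two causes the reply above points at (a CA the client does not trust, and a certificate whose hostname does not match), the sketch below reproduces both checks offline with openssl. It is an added example, not part of the thread or of Search Guard; the CAs, the server certificate and the second hostname are constructed, and `chain_ok`, `host_ok`, `make_ca`, `make_server_cert`, `diagnose` and `demo` are hypothetical helper names.

```shell
# Added example. Every CA, certificate and hostname here is constructed for the demo.
# chain_ok CA_FILE CERT: does CERT chain to the CA that root_ca would point at?
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# host_ok CERT HOSTNAME: the comparison that verify_hostnames: true switches on.
host_ok() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# make_ca DIR NAME: constructed self-signed root CA (DIR/NAME.pem and DIR/NAME.key).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_server_cert DIR CA_NAME HOSTNAME: certificate for HOSTNAME issued by CA_NAME.
make_server_cert() {
    printf 'subjectAltName=DNS:%s\n' "$3" > "$1/san.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
    openssl x509 -req -in "$1/server.csr" -days 1 -extfile "$1/san.ext" \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/server.pem" 2>/dev/null
}

# diagnose CA_FILE CERT HOSTNAME: name the setting that explains a failed lookup.
diagnose() {
    if ! chain_ok "$1" "$2"; then
        echo "untrusted-ca"        # root_ca does not point at the issuing CA
    elif ! host_ok "$2" "$3"; then
        echo "hostname-mismatch"   # only fatal while verify_hostnames is true
    else
        echo "ok"
    fi
}

demo() {
    d=$(mktemp -d)
    make_ca "$d" private-ca && make_ca "$d" other-ca
    make_server_cert "$d" private-ca keycloak-host
    diagnose "$d/private-ca.pem" "$d/server.pem" keycloak-host
    diagnose "$d/other-ca.pem"   "$d/server.pem" keycloak-host
    diagnose "$d/private-ca.pem" "$d/server.pem" keycloak.example.internal
    rm -rf "$d"
}
demo
```

For a real deployment, save the certificate the IdP presents (for example from `openssl s_client -connect host:port -showcerts`) and pass it to `diagnose` together with the file configured as `root_ca`.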