{"id":9546,"date":"2022-09-12T13:00:00","date_gmt":"2022-09-12T18:00:00","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=9546"},"modified":"2022-10-18T15:25:47","modified_gmt":"2022-10-18T20:25:47","slug":"openid-authentication-with-opendistro","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=9546","title":{"rendered":"OpenID Authentication with OpenDistro"},"content":{"rendered":"\n

The following configuration changes needed to be made to enable federated authentication through OpenIDC using OpenDistro 1.8.0 withElasticSearch 7.7.0 — this presupposes that you have an application properly registered with an OIDC identity provider. <\/p>\n\n\n\n

.\/kibana\/config\/kibana.yml<\/p>\n\n\n

\nopendistro_security.auth.type: "openid"\nopendistro_security.openid.connect_url: "https:\/\/login.example.com\/.well-known\/openid-configuration"\nopendistro_security.openid.client_id: "REDACTED"\nopendistro_security.openid.client_secret: "REDACTED"\nopendistro_security.openid.scope: "openid"\nopendistro_security.openid.header: "Authorization"\nopendistro_security.openid.base_redirect_url: "https:\/\/opensearch.dev.example.com"\n\n<\/pre><\/div>\n\n\n
And then on the ElasticSearch node, update .\/elasticsearch\/config\/elasticsearch.yml<\/p>\n\n\n
\nopendistro_security.ssl.transport.truststore_filepath: cacerts\n<\/pre><\/div>\n\n\n
And .\/elasticsearch\/plugins\/opendistro_security\/securityconfig\/config.yml<\/p>\n\n\n
\n      basic_internal_auth_domain:\n        description: "Authenticate via HTTP Basic against internal users database"\n        http_enabled: true\n        transport_enabled: true\n        order: 4\n        http_authenticator:\n          type: basic\n          challenge: true\n        authentication_backend:\n          type: intern\n      openid_auth_domain:\n        http_enabled: true\n        transport_enabled: true\n        order: 1\n        http_authenticator:\n          type: openid\n          challenge: false\n          config:\n            enable_ssl: true\n            verify_hostnames: false\n            openid_connect_url: https:\/\/login.example.com\/.well-known\/openid-configuration\n        authentication_backend:\n          type: noop\n<\/pre><\/div>\n\n\n
Use securityadmin.sh to update — it helps if you update .\/elasticsearch\/plugins\/opendistro_security\/securityconfig\/roles_mapping.yml<\/p>\n\n\n
\nall_access:\n  reserved: false\n  backend_roles:\n  - "admin"\n  users:\n  - "lisa"\n  description: "Maps admin to all_access"\n\n<\/pre><\/div>\n\n\n
My experience is that the  ElasticSearch<\/em> API<\/em> will allow authentication for local users. Kibana, however, does not — if you want to allow local users to log into Kibana, you’d either need a different Kibana instance (permanently allow local users to access Kibana) or update the kibana.yml to exclude the federated logon stuff & restart the service (temporary workaround when the identity provider has an issue).<\/p>\n\n\n\n
The biggest challenge that I encountered is that there is, evidently, a bug in OpenDistro 1.13.1 that makes OIDC authentication non-functional<\/a>. Downgrading to OpenDistro 1.13.0 worked, 1.8.0 (the version matched with our ElasticSearch <\/a>7.7.0 iteration) worked. And, reportedly, the newest 1.13.3 works as well. <\/p>\n","protected":false},"excerpt":{"rendered":"
The following configuration changes needed to be made to enable federated authentication through OpenIDC using OpenDistro 1.8.0 withElasticSearch 7.7.0 — this presupposes that you have an application properly registered with an OIDC identity provider. .\/kibana\/config\/kibana.yml And then on the ElasticSearch node, update .\/elasticsearch\/config\/elasticsearch.yml And .\/elasticsearch\/plugins\/opendistro_security\/securityconfig\/config.yml Use securityadmin.sh to update — it helps if you update …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1588],"tags":[1590,1488,1489,1757,1742],"class_list":["post-9546","post","type-post","status-publish","format-standard","hentry","category-elk","tag-elasticsearch","tag-oauth","tag-oauth2","tag-opendistro","tag-openid"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/9546","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=9546"}],"version-history":[{"count":2,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/9546\/revisions"}],"predecessor-version":[{"id":9549,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/9546\/revisions\/9549"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=9546"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=9546"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=9546"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}