Connecting SEAL Elastic Stack to an OIDC Provider

---

1. In order that OIDC works correctly, the Java that runs Elasticsearch has to trust the identity provider's certificate. Otherwise you have to import the CA certificate into Java's cacerts truststore:

   & "C:\Program Files\SEAL Systems\seal-elasticsearch\jdk\bin\keytool" -importcert -noprompt -trustcacerts -alias CustomerCA -file "ca.pem" -keystore cacerts -storepass changeit
   

2. Change to the following directory:

   cd "C:\Program Files\SEAL Systems\seal-elasticsearch\bin"
   

3. In the Elasticsearch internal keystore, add the client secret for Elasticsearch:

   .\elasticsearch-keystore add xpack.security.authc.realms.oidc.cloud-oidc.rp.client_secret
   The elasticsearch keystore does not exist. Do you want to create it? [y/N]y
   Created elasticsearch keystore in C:\ProgramData\SEAL Systems\config\seal-elasticsearch
   Enter value for xpack.security.authc.realms.oidc.cloud-oidc.rp.client_secret:
   

4. Add the following lines to C:\ProgramData\SEAL Systems\config\seal-elasticsearch\elasticsearch.yml, example is Azure AD:

   node.name: <fqdn>
   network.host: 0.0.0.0
   discovery.type: single-node
   xpack.security.enabled: true
   xpack.security.authc.token.enabled: true
   xpack:
     security:
       authc:
         realms:
           native:
             native1:
               order: 0
           oidc:
             some-oidc:
               order: 2
               rp.client_id: "<client-id>"
               rp.response_type: code
               rp.redirect_uri: "https://<kibana-uri>:5601/api/security/v1/oidc"
               op.issuer: "https://login.microsoftonline.com/.../v2.0"
               op.authorization_endpoint: "https://login.microsoftonline.com/.../oauth2/ v2.0/authorize"
               op.token_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/ token"
               op.jwkset_path: "https://login.microsoftonline.com/.../discovery/v2.0/keys"
               op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
               op.endsession_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/logout"
               rp.post_logout_redirect_uri: "https://<kibana-uri>:5601/logged_out"
               rp.requested_scopes: ["openid", "email", "profile"]
               claims.principal: preferred_username
               claims.name: name
               claims.groups: roles
   

   The native realm in the above example is not required for a pure OIDC setup. This realm is needed to create internal users in Kibana.

5. Add the following lines toC:\ProgramData\SEAL Systems\config\kibana.yml:

   xpack.security.authProviders: [oidc, basic]
   xpack.security.authc.oidc.realm: "some-oidc"
   server.xsrf.whitelist: [/api/security/v1/oidc]
   

---