
Connecting SEAL Elastic Stack to an OIDC Provider


  1. For OIDC to work, the Java runtime that runs Elasticsearch must trust the identity provider's certificate. If it does not already, import the CA certificate into Java's cacerts truststore (run the command from the JDK's lib\security directory, where cacerts is located, or pass the full path of that file to -keystore):

    & "C:\Program Files\SEAL Systems\seal-elasticsearch\jdk\bin\keytool" -importcert -noprompt -trustcacerts -alias CustomerCA -file "ca.pem" -keystore cacerts -storepass changeit
    
  2. Change to the following directory:

    cd "C:\Program Files\SEAL Systems\seal-elasticsearch\bin"
    
  3. In the Elasticsearch internal keystore, add the client secret for Elasticsearch. The realm name in the setting key (some-oidc below) must be the same realm name that is configured in elasticsearch.yml, otherwise the realm cannot find its secret:

    .\elasticsearch-keystore add xpack.security.authc.realms.oidc.some-oidc.rp.client_secret
    The elasticsearch keystore does not exist. Do you want to create it? [y/N]y
    Created elasticsearch keystore in C:\ProgramData\SEAL Systems\config\seal-elasticsearch
    Enter value for xpack.security.authc.realms.oidc.some-oidc.rp.client_secret:
    
  4. Add the following lines to C:\ProgramData\SEAL Systems\config\seal-elasticsearch\elasticsearch.yml; the example uses Azure AD:

    node.name: <fqdn>
    network.host: 0.0.0.0
    discovery.type: single-node
    xpack.security.enabled: true
    xpack.security.authc.token.enabled: true
    xpack:
      security:
        authc:
          realms:
            native:
              native1:
                order: 0
            oidc:
              some-oidc:
                order: 2
                rp.client_id: "<client-id>"
                rp.response_type: code
                rp.redirect_uri: "https://<kibana-uri>:5601/api/security/v1/oidc"
                op.issuer: "https://login.microsoftonline.com/.../v2.0"
                op.authorization_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/authorize"
                op.token_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/token"
                op.jwkset_path: "https://login.microsoftonline.com/.../discovery/v2.0/keys"
                op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
                op.endsession_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/logout"
                rp.post_logout_redirect_uri: "https://<kibana-uri>:5601/logged_out"
                rp.requested_scopes: ["openid", "email", "profile"]
                claims.principal: preferred_username
                claims.name: name
                claims.groups: roles
    

    The native realm in the example above is not required for a pure OIDC setup; it is only needed to create internal users in Kibana.

  5. Add the following lines to C:\ProgramData\SEAL Systems\config\kibana.yml:

    xpack.security.authProviders: [oidc, basic]
    xpack.security.authc.oidc.realm: "some-oidc"
    server.xsrf.whitelist: [/api/security/v1/oidc]
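
The settings from steps 3 to 5 have to agree with each other and with what the identity provider publishes: the keystore key must name the same realm as elasticsearch.yml, the op.* endpoints must be the ones the issuer advertises in its discovery document, and the redirect URI path must be exempt from Kibana's XSRF check. The following script, an added example that is not part of this page or of SEAL's or Elastic's tooling, cross-checks those pieces before the services are restarted. The YAML reader is a minimal flattener for the key/value and nested-mapping subset used above, not a general YAML parser; the sample elasticsearch.yml, kibana.yml and discovery document are constructed, with placeholder tenant and client ids, and the hostname kibana.example.com is assumed.

```python
"""Cross-check an Elasticsearch OIDC realm, its keystore key and kibana.yml
against the provider's discovery document (added example, not SEAL/Elastic code)."""
from urllib.parse import urlparse


def _parse_scalar(value):
    """Turn a YAML scalar or flow list ([a, b]) into a Python value."""
    if value.startswith("[") and value.endswith("]"):
        return [_parse_scalar(v.strip()) for v in value[1:-1].split(",") if v.strip()]
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    if value in ("true", "false"):
        return value == "true"
    if value.isdigit():
        return int(value)
    return value


def flatten_settings(text):
    """Flatten nested mappings into the dotted keys Elasticsearch uses internally.
    Minimal reader for the subset of YAML used in the files above, not a full parser."""
    settings, stack = {}, []  # stack holds (indent, key) of the open mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        full_key = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            settings[full_key] = _parse_scalar(value.strip())
        else:
            stack.append((indent, key.strip()))
    return settings


# Which op.* realm setting must equal which field of the discovery document.
ENDPOINT_FIELDS = {
    "op.issuer": "issuer",
    "op.authorization_endpoint": "authorization_endpoint",
    "op.token_endpoint": "token_endpoint",
    "op.jwkset_path": "jwks_uri",
    "op.userinfo_endpoint": "userinfo_endpoint",
    "op.endsession_endpoint": "end_session_endpoint",
}


def check_oidc_config(es_yml, kibana_yml, keystore_key, discovery):
    """Return a list of findings; an empty list means all pieces agree."""
    es, kb, findings = flatten_settings(es_yml), flatten_settings(kibana_yml), []
    realm = kb.get("xpack.security.authc.oidc.realm")
    prefix = f"xpack.security.authc.realms.oidc.{realm}."
    if not any(k.startswith(prefix) for k in es):
        return [f"kibana.yml points at realm '{realm}', which elasticsearch.yml does not define"]
    # The client secret is read from the keystore under the realm's own setting key.
    if keystore_key != prefix + "rp.client_secret":
        findings.append(f"keystore key '{keystore_key}' does not belong to realm '{realm}'")
    # Every op.* endpoint must be the one the issuer actually publishes.
    for setting, field in ENDPOINT_FIELDS.items():
        if es.get(prefix + setting) != discovery.get(field):
            findings.append(f"{setting} does not match discovery field '{field}'")
    # The redirect URI must be https, and Kibana must exempt its path from XSRF checks.
    redirect = urlparse(es.get(prefix + "rp.redirect_uri", ""))
    if redirect.scheme != "https":
        findings.append("rp.redirect_uri must use https")
    if redirect.path not in kb.get("server.xsrf.whitelist", []):
        findings.append(f"server.xsrf.whitelist lacks '{redirect.path}'")
    if "openid" not in es.get(prefix + "rp.requested_scopes", []):
        findings.append("rp.requested_scopes must include 'openid'")
    if "oidc" not in kb.get("xpack.security.authProviders", []):
        findings.append("xpack.security.authProviders must include 'oidc'")
    return findings


# Constructed sample input modelled on the files above; tenant and client ids are placeholders.
TENANT = "https://login.microsoftonline.com/<tenant-id>"
ES_YML = f"""
xpack.security.enabled: true
xpack:
  security:
    authc:
      realms:
        native:
          native1:
            order: 0
        oidc:
          some-oidc:
            order: 2
            rp.client_id: "<client-id>"
            rp.response_type: code
            rp.redirect_uri: "https://kibana.example.com:5601/api/security/v1/oidc"
            op.issuer: "{TENANT}/v2.0"
            op.authorization_endpoint: "{TENANT}/oauth2/v2.0/authorize"
            op.token_endpoint: "{TENANT}/oauth2/v2.0/token"
            op.jwkset_path: "{TENANT}/discovery/v2.0/keys"
            op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
            op.endsession_endpoint: "{TENANT}/oauth2/v2.0/logout"
            rp.requested_scopes: ["openid", "email", "profile"]
            claims.principal: preferred_username
"""
KIBANA_YML = """
xpack.security.authProviders: [oidc, basic]
xpack.security.authc.oidc.realm: "some-oidc"
server.xsrf.whitelist: [/api/security/v1/oidc]
"""
# Constructed stand-in for <issuer>/.well-known/openid-configuration.
DISCOVERY = {
    "issuer": f"{TENANT}/v2.0",
    "authorization_endpoint": f"{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"{TENANT}/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "end_session_endpoint": f"{TENANT}/oauth2/v2.0/logout",
}
GOOD_KEY = "xpack.security.authc.realms.oidc.some-oidc.rp.client_secret"
WRONG_KEY = "xpack.security.authc.realms.oidc.cloud-oidc.rp.client_secret"

if __name__ == "__main__":
    print(check_oidc_config(ES_YML, KIBANA_YML, GOOD_KEY, DISCOVERY))
    print(check_oidc_config(ES_YML, KIBANA_YML, WRONG_KEY, DISCOVERY))
</test>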
    
