Connecting SEAL Elastic Stack to an OIDC Provider
- For OIDC to work, the Java runtime that runs Elasticsearch must trust the identity provider's TLS certificate. If the provider's certificate chains to a CA that the bundled JDK does not already trust (for example an internal CA), import that CA certificate into the JDK's cacerts truststore. The command is PowerShell; run it in the JDK's lib\security directory, where cacerts lives, or give the full path to -keystore. changeit is the JDK's default truststore password:

  ```powershell
  & "C:\Program Files\SEAL Systems\seal-elasticsearch\jdk\bin\keytool" -importcert -noprompt -trustcacerts -alias CustomerCA -file "ca.pem" -keystore cacerts -storepass changeit
  ```

  Because cacerts ships inside the bundled JDK, repeat the import after an update that replaces the JDK.
- Change to the Elasticsearch bin directory:

  ```powershell
  cd "C:\Program Files\SEAL Systems\seal-elasticsearch\bin"
  ```
- Add the client secret of the application registration to the Elasticsearch keystore. rp.client_secret is a secure setting, so it belongs in the keystore and never in elasticsearch.yml. The realm name embedded in the setting name (some-oidc here) must be the same realm that is configured in elasticsearch.yml and referenced from kibana.yml; a secret stored under a different realm name is silently ignored. If no keystore exists yet, the tool offers to create one and then prompts for the secret:

  ```text
  .\elasticsearch-keystore add xpack.security.authc.realms.oidc.some-oidc.rp.client_secret
  The elasticsearch keystore does not exist. Do you want to create it? [y/N]y
  Created elasticsearch keystore in C:\ProgramData\SEAL Systems\config\seal-elasticsearch
  Enter value for xpack.security.authc.realms.oidc.some-oidc.rp.client_secret:
  ```
- Add the following lines to C:\ProgramData\SEAL Systems\config\seal-elasticsearch\elasticsearch.yml. The example is for Azure AD; the ... in the login.microsoftonline.com URLs stands for the Azure AD tenant, and every op.* value must be copied exactly from the provider's discovery document (<op.issuer>/.well-known/openid-configuration). xpack.security.authc.token.enabled must be true because Kibana's OIDC login uses the Elasticsearch token service:

  ```yaml
  node.name: <fqdn>
  network.host: 0.0.0.0
  discovery.type: single-node
  xpack.security.enabled: true
  xpack.security.authc.token.enabled: true
  xpack:
    security:
      authc:
        realms:
          native:
            native1:
              order: 0
          oidc:
            some-oidc:
              order: 2
              rp.client_id: "<client-id>"
              rp.response_type: code
              rp.redirect_uri: "https://<kibana-uri>:5601/api/security/v1/oidc"
              op.issuer: "https://login.microsoftonline.com/.../v2.0"
              op.authorization_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/authorize"
              op.token_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/token"
              op.jwkset_path: "https://login.microsoftonline.com/.../discovery/v2.0/keys"
              op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
              op.endsession_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/logout"
              rp.post_logout_redirect_uri: "https://<kibana-uri>:5601/logged_out"
              rp.requested_scopes: ["openid", "email", "profile"]
              claims.principal: preferred_username
              claims.name: name
              claims.groups: roles
  ```
  The native realm in the example above is not required for a pure OIDC setup. It is kept so that local users can still be created in Kibana, and so that an administrator can still log in with a local account if the identity provider is unavailable.

- Add the following lines to C:\ProgramData\SEAL Systems\config\kibana.yml. The realm name must be the one configured in elasticsearch.yml, and the OIDC callback path is whitelisted because the provider's redirect back to Kibana does not carry the kbn-xsrf header:

  ```yaml
  xpack.security.authProviders: [oidc, basic]
  xpack.security.authc.oidc.realm: "some-oidc"
  server.xsrf.whitelist: [/api/security/v1/oidc]
  ```

  These key names are the Kibana 7 form used by this release. Later Kibana versions replace xpack.security.authProviders with xpack.security.authc.providers and server.xsrf.whitelist with server.xsrf.allowlist, so check the Kibana version shipped with your installation before copying them.
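The steps above require the same realm name in three places (the keystore setting name, elasticsearch.yml and kibana.yml) and op.* endpoints that match what the issuer publishes; a mistake in either only surfaces when the first login fails. The following Python script is an added example, not part of the SEAL documentation and not an Elastic tool, that checks such a configuration offline. It flattens the subset of YAML used by the two files, compares the realm name across the three places, compares each op.* setting with the corresponding field of the provider's discovery document, and checks the redirect URI against Kibana's XSRF whitelist. The YAML strings and the discovery document are constructed samples mirroring the Azure AD example above, with <tenant-id> standing in for the tenant segment the page elides; in practice you would read the real files and fetch <op.issuer>/.well-known/openid-configuration.

```python
"""Offline consistency check of an Elasticsearch OIDC realm and its Kibana settings.

Added example; not part of the SEAL documentation or of any Elastic tool. The YAML
strings and the discovery document are constructed to mirror the Azure AD example on
this page, with <tenant-id> standing in for the elided tenant segment.
"""
import re


def flatten_yaml(text):
    """Flatten the 'key: value' / nested-mapping / inline-list subset of YAML used by
    elasticsearch.yml and kibana.yml into {"a.b.c": value}. Not a general YAML parser."""
    out, stack = {}, []                      # stack: (indent, key) of enclosing mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value == "":                      # a mapping: its children follow, indented
            stack.append((indent, key))
        elif value.startswith("[") and value.endswith("]"):
            out[path] = [v.strip().strip("\"'") for v in value[1:-1].split(",") if v.strip()]
        else:
            out[path] = value.strip("\"'")
    return out


# Which op.* realm setting corresponds to which field of the OIDC discovery document.
OP_TO_DISCOVERY = {
    "op.issuer": "issuer", "op.authorization_endpoint": "authorization_endpoint",
    "op.token_endpoint": "token_endpoint", "op.jwkset_path": "jwks_uri",
    "op.userinfo_endpoint": "userinfo_endpoint", "op.endsession_endpoint": "end_session_endpoint",
}


def check_config(es_yml, kibana_yml, keystore_setting, discovery):
    """Return a list of problems; an empty list means the three pieces of configuration agree."""
    es, kb = flatten_yaml(es_yml), flatten_yaml(kibana_yml)
    prefix = "xpack.security.authc.realms.oidc."
    realms = sorted({k[len(prefix):].split(".")[0] for k in es if k.startswith(prefix)})
    if len(realms) != 1:
        return [f"expected exactly one oidc realm in elasticsearch.yml, found {realms}"]
    realm, problems = realms[0], []
    base = prefix + realm + "."
    # The realm name is embedded in the keystore setting name and is what kibana.yml refers to.
    if keystore_setting != base + "rp.client_secret":
        problems.append(f"keystore setting {keystore_setting!r} is not the client secret of realm {realm!r}")
    if kb.get("xpack.security.authc.oidc.realm") != realm:
        problems.append(f"kibana.yml refers to realm {kb.get('xpack.security.authc.oidc.realm')!r}, not {realm!r}")
    # Each op.* endpoint must be exactly what the issuer publishes; a stray character
    # (for example a space pasted into a URL) is otherwise not noticed until a login fails.
    for setting, field in OP_TO_DISCOVERY.items():
        if es.get(base + setting) != discovery.get(field):
            problems.append(f"{setting}={es.get(base + setting)!r} differs from issuer {field}={discovery.get(field)!r}")
    # Authorization-code flow, an HTTPS callback, and Kibana accepting that callback without an XSRF token.
    if es.get(base + "rp.response_type") != "code":
        problems.append("rp.response_type should be 'code'")
    redirect = es.get(base + "rp.redirect_uri", "")
    if not redirect.startswith("https://"):
        problems.append(f"rp.redirect_uri {redirect!r} must use https")
    path = re.sub(r"^https?://[^/]+", "", redirect)
    if path not in kb.get("server.xsrf.whitelist", []):
        problems.append(f"callback path {path!r} is not in server.xsrf.whitelist")
    return problems


# --- constructed samples mirroring the page's Azure AD example (placeholders, not real values) ---
TENANT = "https://login.microsoftonline.com/<tenant-id>"
DISCOVERY = {  # the fields of <op.issuer>/.well-known/openid-configuration the realm needs
    "issuer": f"{TENANT}/v2.0",
    "authorization_endpoint": f"{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"{TENANT}/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "end_session_endpoint": f"{TENANT}/oauth2/v2.0/logout",
}
ES_YML = f"""
xpack.security.authc.token.enabled: true
xpack:
  security:
    authc:
      realms:
        native:
          native1:
            order: 0
        oidc:
          some-oidc:
            order: 2
            rp.client_id: "<client-id>"
            rp.response_type: code
            rp.redirect_uri: "https://<kibana-uri>:5601/api/security/v1/oidc"
            op.issuer: "{TENANT}/v2.0"
            op.authorization_endpoint: "{TENANT}/oauth2/v2.0/authorize"
            op.token_endpoint: "{TENANT}/oauth2/v2.0/token"
            op.jwkset_path: "{TENANT}/discovery/v2.0/keys"
            op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
            op.endsession_endpoint: "{TENANT}/oauth2/v2.0/logout"
            rp.requested_scopes: ["openid", "email", "profile"]
            claims.principal: preferred_username
"""
KIBANA_YML = """
xpack.security.authProviders: [oidc, basic]
xpack.security.authc.oidc.realm: "some-oidc"
server.xsrf.whitelist: [/api/security/v1/oidc]
"""
KEYSTORE_SETTING = "xpack.security.authc.realms.oidc.some-oidc.rp.client_secret"

if __name__ == "__main__":
    for line in check_config(ES_YML, KIBANA_YML, KEYSTORE_SETTING, DISCOVERY) or ["ok: configuration is consistent"]:
        print(line)
```

Run as a script it prints each problem found, or "ok" when the keystore setting name, elasticsearch.yml, kibana.yml and the discovery document agree. The parser only understands the key/value, nested-mapping and inline-list forms shown on this page; for anything more elaborate, load the files with PyYAML and feed the flattened dictionaries to the same checks.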