
Connecting SEAL Elastic Stack to an OIDC Provider


??? STILL NEEDS TO BE REVISED!!!


  1. In order for OIDC to work, the Java that runs Elastic must trust the identity provider's certificate. If that is not the case, the CA certificate must be imported into Java's cacerts truststore:

    cd /usr/share/elasticsearch/jdk/lib/security
    ../../bin/keytool -import -noprompt -trustcacerts -alias CustomerCA -file "ca.pem" -keystore cacerts -storepass changeit
    
  2. The client secret for Elastic has to be added to the Elastic internal keystore. The realm name in the setting key (`some-oidc` here) must be exactly the name of the OIDC realm configured in elasticsearch.yml and referenced in kibana.yml, otherwise the realm cannot find its secret:

    In /usr/share/elasticsearch/bin:

    ./elasticsearch-keystore add xpack.security.authc.realms.oidc.some-oidc.rp.client_secret
    The elasticsearch keystore does not exist. Do you want to create it? [y/N]y
    Created elasticsearch keystore in C:\Program Files\Elastic\Elasticsearch\7.6.2\config
    Enter value for xpack.security.authc.realms.oidc.some-oidc.rp.client_secret:
    
  3. Add the following lines to elasticsearch.yml (examples for Azure AD):

    node.name: <fqdn>
    network.host: 0.0.0.0
    discovery.type: single-node
    xpack.security.enabled: true
    xpack.security.authc.token.enabled: true
    xpack:
      security:
        authc:
          realms:
            native:
              native1:
                order: 0
            oidc:
              some-oidc:
                order: 2
                rp.client_id: "<client-id>"
                rp.response_type: code
                rp.redirect_uri: "https://<kibana-uri>:5601/api/security/v1/oidc"
                op.issuer: "https://login.microsoftonline.com/.../v2.0"
                op.authorization_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/authorize"
                op.token_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/token"
                op.jwkset_path: "https://login.microsoftonline.com/.../discovery/v2.0/keys"
                op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
                op.endsession_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/logout"
                rp.post_logout_redirect_uri: "https://<kibana-uri>:5601/logged_out"
                rp.requested_scopes: ["openid", "email", "profile"]
                claims.principal: preferred_username
                claims.name: name
                claims.groups: roles
    

    The native realm above only exists so that internal users can be created in Kibana; it is not required for a pure OIDC setup.

  4. Add the following lines to kibana.yml:

    xpack.security.authProviders: [oidc, basic]
    xpack.security.authc.oidc.realm: "some-oidc"
    server.xsrf.whitelist: [/api/security/v1/oidc]
    
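The four steps above only work when the keystore entry, elasticsearch.yml and kibana.yml agree with each other (same realm name, token service enabled, https endpoints, the callback path whitelisted for XSRF). The following script is an added example, not part of this page or of Elastic's tooling: it parses the YAML subset these two files use into the flat dotted keys Elasticsearch works with and reports the mismatches that most often break an OIDC login. The configuration fragments and keystore key sets are constructed samples; `kibana.example.test` and `<tenant-id>` are placeholders.

```python
"""Offline consistency check for an Elastic Stack OIDC realm configuration.

Added example (not the page's own code): parses elasticsearch.yml and
kibana.yml fragments and lints the settings that must agree with each other
and with the key stored in the Elasticsearch keystore. Inputs are constructed.
"""


def _scalar(value):
    """Turn a YAML scalar or flow-style list into a Python value."""
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        return [_scalar(v) for v in value[1:-1].split(",") if v.strip()]
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value.strip('"').strip("'")


def parse_flat_yaml(text):
    """Parse nested mappings, dotted keys, scalars and flow lists into a flat
    dict of dotted keys, which is how Elasticsearch itself sees its settings."""
    flat, stack = {}, []          # stack holds (indent, dotted prefix)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        full = f"{stack[-1][1]}.{key}" if stack else key
        if value.strip():
            flat[full] = _scalar(value)
        else:                     # a mapping: nested keys follow
            stack.append((indent, full))
    return flat


def _url_path(url):
    """Path component of an http(s) URL (placeholder hosts would upset urllib)."""
    rest = url.split("://", 1)[-1]
    return "/" + rest.split("/", 1)[1] if "/" in rest else "/"


def lint_oidc(keystore_keys, es_yml, kb_yml):
    """Return a list of findings; an empty list means the three pieces agree."""
    es, kb = parse_flat_yaml(es_yml), parse_flat_yaml(kb_yml)
    findings = []
    realm = kb.get("xpack.security.authc.oidc.realm")
    base = f"xpack.security.authc.realms.oidc.{realm}"
    if f"{base}.order" not in es:
        findings.append(f"kibana.yml refers to realm '{realm}' but elasticsearch.yml defines no oidc realm of that name")
    secret_key = f"{base}.rp.client_secret"
    if secret_key not in keystore_keys:
        findings.append(f"keystore lacks '{secret_key}'; the client secret must be stored under the realm's own name")
    if es.get("xpack.security.authc.token.enabled") is not True:
        findings.append("xpack.security.authc.token.enabled must be true for OIDC logins")
    for setting in ("op.issuer", "op.authorization_endpoint", "op.token_endpoint"):
        if not str(es.get(f"{base}.{setting}", "")).startswith("https://"):
            findings.append(f"{setting} must be an https URL")
    redirect = str(es.get(f"{base}.rp.redirect_uri", ""))
    if not redirect.startswith("https://"):
        findings.append("rp.redirect_uri must be an https URL")
    elif _url_path(redirect) not in kb.get("server.xsrf.whitelist", []):
        findings.append(f"Kibana must whitelist {_url_path(redirect)} for XSRF or the callback is rejected")
    if "openid" not in es.get(f"{base}.rp.requested_scopes", []):
        findings.append("rp.requested_scopes must include 'openid'")
    if f"{base}.claims.principal" not in es:
        findings.append("claims.principal is required to map a token to a user")
    if "oidc" not in kb.get("xpack.security.authProviders", []):
        findings.append("kibana.yml xpack.security.authProviders must list 'oidc'")
    return findings


# Constructed samples mirroring the layout of the configuration above.
ES_YML = """
xpack.security.enabled: true
xpack.security.authc.token.enabled: true
xpack:
  security:
    authc:
      realms:
        native:
          native1:
            order: 0
        oidc:
          some-oidc:
            order: 2
            rp.client_id: "<client-id>"
            rp.response_type: code
            rp.redirect_uri: "https://kibana.example.test:5601/api/security/v1/oidc"
            op.issuer: "https://login.microsoftonline.com/<tenant-id>/v2.0"
            op.authorization_endpoint: "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize"
            op.token_endpoint: "https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token"
            op.jwkset_path: "https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys"
            rp.requested_scopes: ["openid", "email", "profile"]
            claims.principal: preferred_username
            claims.groups: roles
"""
KB_YML = """
xpack.security.authProviders: [oidc, basic]
xpack.security.authc.oidc.realm: "some-oidc"
server.xsrf.whitelist: [/api/security/v1/oidc]
"""
GOOD_KEYSTORE = {"xpack.security.authc.realms.oidc.some-oidc.rp.client_secret"}
WRONG_KEYSTORE = {"xpack.security.authc.realms.oidc.cloud-oidc.rp.client_secret"}  # realm name typo

if __name__ == "__main__":
    for name, keys in (("matching", GOOD_KEYSTORE), ("mismatched", WRONG_KEYSTORE)):
        print(name, lint_oidc(keys, ES_YML, KB_YML) or "OK")
```

In practice the keystore key set comes from `elasticsearch-keystore list` and the two YAML files from the running nodes; the parser deliberately handles only the mapping, dotted-key and flow-list subset these files use, so anything more exotic (anchors, block lists) should go through a real YAML library instead.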
