
Connecting SEAL Elastic Stack to an OIDC Provider


  1. For OIDC to work, the Java runtime that runs Elasticsearch must trust the identity provider's TLS certificate. If it does not already trust it, import the CA certificate into Java's cacerts truststore:

    cd /usr/share/elasticsearch/jdk/lib/security
    ../../bin/keytool -import -noprompt -trustcacerts -alias CustomerCA -file "ca.pem" -keystore cacerts -storepass changeit
    
  2. Add the client secret for Elasticsearch to the Elasticsearch internal keystore:

    In /usr/share/elasticsearch/bin (the realm name in the setting key, here `some-oidc`, must match the realm name used in elasticsearch.yml and kibana.yml below):

    ./elasticsearch-keystore add xpack.security.authc.realms.oidc.some-oidc.rp.client_secret
    The elasticsearch keystore does not exist. Do you want to create it? [y/N]y
    Created elasticsearch keystore in C:\Program Files\Elastic\Elasticsearch\7.6.2\config
    Enter value for xpack.security.authc.realms.oidc.some-oidc.rp.client_secret:
    
  3. Add the following lines to elasticsearch.yml (examples for Azure AD):

    node.name: <fqdn>
    network.host: 0.0.0.0
    discovery.type: single-node
    xpack.security.enabled: true
    xpack.security.authc.token.enabled: true
    xpack:
      security:
        authc:
          realms:
            native:
              native1:
                order: 0
            oidc:
              some-oidc:
                order: 2
                rp.client_id: "<client-id>"
                rp.response_type: code
                rp.redirect_uri: "https://<kibana-uri>:5601/api/security/v1/oidc"
                op.issuer: "https://login.microsoftonline.com/.../v2.0"
                op.authorization_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/authorize"
                op.token_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/token"
                op.jwkset_path: "https://login.microsoftonline.com/.../discovery/v2.0/keys"
                op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
                op.endsession_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/logout"
                rp.post_logout_redirect_uri: "https://<kibana-uri>:5601/logged_out"
                rp.requested_scopes: ["openid", "email", "profile"]
                claims.principal: preferred_username
                claims.name: name
                claims.groups: roles
    

    The native realm in the above example is not required for a pure OIDC setup; it is only needed if you want to create internal users in Kibana.

  4. Add the following lines to kibana.yml:

    xpack.security.authProviders: [oidc, basic]
    xpack.security.authc.oidc.realm: "some-oidc"
    server.xsrf.whitelist: [/api/security/v1/oidc]
    
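The three files in steps 2 to 4 must agree on the realm name, the redirect URI and the provider endpoints, and a mismatch only shows up as a failed login. The following added check (not part of SEAL or Elastic; the sample settings, the `kibana.example.test` host and the `<tenant>` placeholder are constructed) flattens the nested YAML the way Elasticsearch resolves dotted keys and reports the wiring errors a misconfigured setup typically has, including a keystore key written for a differently named realm:

```python
from urllib.parse import urlparse

# Constructed sample mirroring the page's files; the keystore key deliberately
# uses a different realm name than the realm defined in elasticsearch.yml.
ES_SETTINGS = {
    "xpack.security.enabled": True,
    "xpack": {"security": {"authc": {"realms": {
        "native": {"native1": {"order": 0}},
        "oidc": {"some-oidc": {"order": 2,
            "rp.redirect_uri": "https://kibana.example.test:5601/api/security/v1/oidc",
            "op.issuer": "https://login.microsoftonline.com/<tenant>/v2.0",
            "op.authorization_endpoint": "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize",
            "op.token_endpoint": "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token",
            "op.jwkset_path": "https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys",
        }}}}}},
}
KEYSTORE_KEYS = ["xpack.security.authc.realms.oidc.cloud-oidc.rp.client_secret"]
KIBANA_SETTINGS = {"xpack.security.authc.oidc.realm": "some-oidc",
                   "server.xsrf.whitelist": ["/api/security/v1/oidc"]}

def flatten(settings, prefix=""):
    """Flatten nested YAML into the dotted keys Elasticsearch resolves."""
    flat = {}
    for key, value in settings.items():
        if isinstance(value, dict):
            flat.update(flatten(value, f"{prefix}{key}."))
        else:
            flat[f"{prefix}{key}"] = value
    return flat

def check_oidc_wiring(es_settings, keystore_keys, kibana_settings):
    """Return findings; an empty list means the three files agree."""
    flat, findings = flatten(es_settings), []
    realm = kibana_settings["xpack.security.authc.oidc.realm"]
    base = f"xpack.security.authc.realms.oidc.{realm}."
    if not any(k.startswith(base) for k in flat):
        return [f"kibana.yml names realm '{realm}', elasticsearch.yml does not define it"]
    if base + "rp.client_secret" not in keystore_keys:
        findings.append(f"keystore holds no rp.client_secret for realm '{realm}'")
    issuer_host = urlparse(flat[base + "op.issuer"]).hostname
    for name in ("op.authorization_endpoint", "op.token_endpoint", "op.jwkset_path"):
        url = flat.get(base + name, "")
        if " " in url:  # a stray space from copy-paste silently breaks the endpoint
            findings.append(f"{name} contains whitespace")
        if urlparse(url).hostname != issuer_host:
            findings.append(f"{name} is not on the op.issuer host")
    redirect = urlparse(flat[base + "rp.redirect_uri"])
    if redirect.scheme != "https" or redirect.path not in kibana_settings["server.xsrf.whitelist"]:
        findings.append("rp.redirect_uri must be https and its path listed in server.xsrf.whitelist")
    return findings
```

Run it against your own three files after each change; an empty result means the realm name, client secret key, endpoints and XSRF whitelist are consistent.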
