forked from OpenSecureCo/Demos
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathOpenSearch SAML
57 lines (44 loc) · 2.77 KB
/
OpenSearch SAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
In SAML settings, set Single sign on URL and the Audience URI (SP Entity ID). Enter the below kibana url as the Single sign on URL.
https://<kibana_base_url>:<kibana_port>/_opendistro/_security/saml/acs
Make sure to replace the kibana_base_url and kibana_port with your actual Kibana configuration as noted in the prerequisites. In my setup this is https://mydemo.opensecure.co:443
Add a string for the Audience URI. You can choose any name here. I used kibana-saml. You will use this name in the Elasticsearch Security plugin SAML config as the SP-entity-id.
You will pass the user’s group memberships from Okta to Elasticsearch using Okta’s group attribute statements. Set the Name to “Roles”. The name you choose must match the roles_key defined in Open Distro Security’s configuration. Click Next and Finish.
authc:
basic_internal_auth_domain:
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: "basic"
challenge: false
authentication_backend:
type: "intern"
saml_auth_domain:
http_enabled: true
transport_enabled: false
order: 1
http_authenticator:
type: saml
challenge: true
config:
idp:
metadata_url: https://opensecure.okta.com/app/exk1iwqp6Kq8yg5YX696/sso/saml/metadata
entity_id: http://www.okta.com/exk1iwqp6Kq8yg5YX696
sp:
entity_id: kibana-saml
kibana_url: https://mydemo.opensecure.co/
roles_key: Roles
exchange_key: '186ddd9598ccc1af98fba8db6281b5528eb06d7709edd2cf49a6f410d6379120'
authentication_backend:
type: noop
export JAVA_HOME=/usr/share/elasticsearch/jdk/ && /usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem
OR
cd /usr/share/elasticsearch/plugins/opendistro_security/tools/
./securityadmin.sh -cd ../securityconfig/ -icl -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin-key.pem
Kibana configuration
Since most of the SAML specific configuration is done in Open Distro Security, you can simply activate SAML in your kibana.yml by adding:
opendistro_security.auth.type: "saml"
In addition, you must whitelist the Kibana endpoint for validating the SAML assertions and the logout endpoint:
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]
In order to test your configuration, you must restart Kibana.
sudo systemctl restart kibana.service