Connecting SEAL Elastic Stack to an OIDC Provider


  1. For OIDC to work, the Java runtime that runs Elasticsearch has to trust the identity provider's certificate. If the issuing CA is not already in Java's cacerts truststore, import it:

    sudo /opt/seal/seal-elasticsearch/jdk/bin/keytool -importcert -noprompt -trustcacerts -alias CustomerCA -file "ca.pem" -keystore cacerts -storepass changeit
    
  2. Add the client secret to the Elasticsearch keystore. The realm name in the key (here some-oidc) must be the same one used in elasticsearch.yml and kibana.yml below:

    sudo -u seal ES_PATH_CONF=/opt/seal/etc/seal-elasticsearch /opt/seal/seal-elasticsearch/bin/elasticsearch-keystore add xpack.security.authc.realms.oidc.some-oidc.rp.client_secret
    The elasticsearch keystore does not exist. Do you want to create it? [y/N]y
    Enter value for xpack.security.authc.realms.oidc.some-oidc.rp.client_secret:
    
  3. Add the following lines to /opt/seal/etc/seal-elasticsearch/elasticsearch.yml (the example uses Azure AD):

    node.name: <fqdn>
    network.host: 0.0.0.0
    discovery.type: single-node
    xpack.security.enabled: true
    xpack.security.authc.token.enabled: true
    xpack:
      security:
        authc:
          realms:
            native:
              native1:
                order: 0
            oidc:
              some-oidc:
                order: 2
                rp.client_id: "<client-id>"
                rp.response_type: code
                rp.redirect_uri: "https://<kibana-uri>:5601/api/security/v1/oidc"
                op.issuer: "https://login.microsoftonline.com/.../v2.0"
                op.authorization_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/authorize"
                op.token_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/token"
                op.jwkset_path: "https://login.microsoftonline.com/.../discovery/v2.0/keys"
                op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
                op.endsession_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/logout"
                rp.post_logout_redirect_uri: "https://<kibana-uri>:5601/logged_out"
                rp.requested_scopes: ["openid", "email", "profile"]
                claims.principal: preferred_username
                claims.name: name
                claims.groups: roles
    

    The native realm in the example above is not required for a pure OIDC setup, but it is needed to create internal users in Kibana.

  4. Add the following lines to /opt/seal/etc/kibana.yml:

    xpack.security.authProviders: [oidc, basic]
    xpack.security.authc.oidc.realm: "some-oidc"
    server.xsrf.whitelist: [/api/security/v1/oidc]
    
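Before restarting the stack it is worth cross-checking that the three pieces above agree: the realm name in the keystore key, in elasticsearch.yml and in kibana.yml must match, and the static op.* values must equal what the provider publishes in its discovery document. The following check script is an added example, not part of the SEAL documentation; its inputs are constructed dicts standing in for the parsed YAML and discovery JSON, and TENANT and kibana.example.test are placeholders.

```python
"""Cross-check an Elasticsearch OIDC realm against the provider's discovery document,
the keystore key and kibana.yml. Added example, not SEAL's code; inputs are constructed."""
from urllib.parse import urlparse

ENDPOINT_MAP = {  # realm setting -> field in /.well-known/openid-configuration
    "op.issuer": "issuer",
    "op.authorization_endpoint": "authorization_endpoint",
    "op.token_endpoint": "token_endpoint",
    "op.jwkset_path": "jwks_uri",
}

def check_realm(name, realm, discovery, keystore_key, kibana_realm):
    """Return a list of findings; an empty list means all pieces agree."""
    findings = []
    # The client secret is stored under the realm name: all three must match.
    expected_key = f"xpack.security.authc.realms.oidc.{name}.rp.client_secret"
    if keystore_key != expected_key:
        findings.append(f"keystore key {keystore_key!r} is not for realm {name!r}")
    if kibana_realm != name:
        findings.append(f"kibana.yml points at realm {kibana_realm!r}, not {name!r}")
    # Static op.* values must equal the published ones; a stray space is caught first.
    for setting, field in ENDPOINT_MAP.items():
        url = realm.get(setting, "")
        if any(c.isspace() for c in url):
            findings.append(f"{setting} contains whitespace: {url!r}")
        elif url != discovery.get(field):
            findings.append(f"{setting} does not match discovery {field!r}")
    if realm.get("rp.response_type") not in discovery.get("response_types_supported", []):
        findings.append("rp.response_type is not offered by the provider")
    # Kibana's callback: https only, and the fixed path Kibana listens on.
    redirect = urlparse(realm.get("rp.redirect_uri", ""))
    if redirect.scheme != "https" or redirect.path != "/api/security/v1/oidc":
        findings.append("rp.redirect_uri must be https://<kibana>:5601/api/security/v1/oidc")
    return findings

# Constructed sample inputs mirroring the snippet above; TENANT and the host are placeholders.
DISCOVERY = {
    "issuer": "https://login.microsoftonline.com/TENANT/v2.0",
    "authorization_endpoint": "https://login.microsoftonline.com/TENANT/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.microsoftonline.com/TENANT/oauth2/v2.0/token",
    "jwks_uri": "https://login.microsoftonline.com/TENANT/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
}
REALM = {
    "rp.response_type": "code",
    "rp.redirect_uri": "https://kibana.example.test:5601/api/security/v1/oidc",
    "rp.requested_scopes": ["openid", "email", "profile"],
    **{setting: DISCOVERY[field] for setting, field in ENDPOINT_MAP.items()},
}
KEYSTORE_KEY = "xpack.security.authc.realms.oidc.some-oidc.rp.client_secret"
```

Feed it the real discovery document (fetched from `<op.issuer>/.well-known/openid-configuration`) and the loaded YAML to check a live configuration.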