As a prerequisite we need to register a new app in Azure AD, note down some properties, and generate a client secret.
- Register an app in Azure Active Directory.
- Note its Application (client) ID.
- Note the Directory (tenant) ID.
- Generate a new client secret.
elasticsearch.yml
xpack:
  security:
    authc:
      realms:
        oidc:
          cloud-oidc:
            order: 2
            rp.client_id: "<CLIENT_ID>"
            rp.response_type: code
            rp.redirect_uri: "https://<KIBANA_HOST>/api/security/v1/oidc"
            op.issuer: "<OP_ISSUER>"
            op.authorization_endpoint: "<OP_AUTH>"
            op.token_endpoint: "<OP_TOKEN>"
            op.jwkset_path: "<OP_JWKSET_PATH>"
            op.userinfo_endpoint: "<OP_USERINFO>"
            op.endsession_endpoint: "<OP_ENDSESSION>"
            rp.post_logout_redirect_uri: "<KIBANA_HOST>/logged_out"
            claims.principal: sub
Many of the missing values can be found in your tenant's .well-known/openid-configuration endpoint. You can use your tenant ID to call it.
curl https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration | jq
{
  "authorization_endpoint": "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token",
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt",
    "client_secret_basic"
  ],
  "jwks_uri": "https://login.microsoftonline.com/<TENANT_ID>/discovery/v2.0/keys",
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "http_logout_supported": true,
  "frontchannel_logout_supported": true,
  "end_session_endpoint": "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/logout",
  "response_types_supported": [
    "code",
    "id_token",
    "code id_token",
    "id_token token"
  ],
  "scopes_supported": [
    "openid",
    "profile",
    "email",
    "offline_access"
  ],
  "issuer": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
  "claims_supported": [
    "sub",
    "iss",
    "cloud_instance_name",
    "cloud_instance_host_name",
    "cloud_graph_host_name",
    "msgraph_host",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "nonce",
    "preferred_username",
    "name",
    "tid",
    "ver",
    "at_hash",
    "c_hash",
    "email"
  ],
  "request_uri_parameter_supported": false,
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "tenant_region_scope": "EU",
  "cloud_instance_name": "microsoftonline.com",
  "cloud_graph_host_name": "graph.windows.net",
  "msgraph_host": "graph.microsoft.com",
  "rbac_url": "https://pas.windows.net"
}
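The mapping from the discovery document to the op.* realm settings is mechanical, so here is an added helper (not from the original post or from Elastic) that takes the discovery JSON, checks the provider can serve the authorization-code flow the realm uses, and renders the cloud-oidc block. The discovery document below is a constructed, trimmed copy of the one shown above with the tenant placeholder kept; the Kibana host is assumed.

```python
import json

# Constructed, trimmed copy of the discovery document above (placeholder tenant).
DISCOVERY_JSON = """{
  "issuer": "https://login.microsoftonline.com/<TENANT_ID>/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token",
  "jwks_uri": "https://login.microsoftonline.com/<TENANT_ID>/discovery/v2.0/keys",
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "end_session_endpoint": "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/logout",
  "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
  "id_token_signing_alg_values_supported": ["RS256"]
}"""

# Discovery field -> Elasticsearch OIDC realm setting (the op.* keys used above).
FIELD_TO_SETTING = {
    "issuer": "op.issuer",
    "authorization_endpoint": "op.authorization_endpoint",
    "token_endpoint": "op.token_endpoint",
    "jwks_uri": "op.jwkset_path",
    "userinfo_endpoint": "op.userinfo_endpoint",
    "end_session_endpoint": "op.endsession_endpoint",
}


def realm_settings(discovery_json: str, client_id: str, kibana_host: str) -> dict:
    """Build the cloud-oidc realm settings; fail early if the provider cannot serve the flow."""
    discovery = json.loads(discovery_json)
    if "code" not in discovery.get("response_types_supported", []):
        raise ValueError("provider does not advertise response_type=code")
    missing = [f for f in FIELD_TO_SETTING if f not in discovery]
    if missing:
        raise ValueError(f"discovery document lacks: {missing}")
    settings = {"order": 2, "rp.client_id": client_id, "rp.response_type": "code",
                "rp.redirect_uri": f"https://{kibana_host}/api/security/v1/oidc"}
    settings.update({s: discovery[f] for f, s in FIELD_TO_SETTING.items()})
    settings["rp.post_logout_redirect_uri"] = f"https://{kibana_host}/logged_out"
    settings["claims.principal"] = "sub"  # the user's principal comes from the sub claim
    return settings


def to_yaml(settings: dict) -> str:
    """Render the settings under xpack.security.authc.realms.oidc.cloud-oidc (two-space indent)."""
    lines = ["xpack:", "  security:", "    authc:", "      realms:",
             "        oidc:", "          cloud-oidc:"]
    for key, value in settings.items():
        rendered = value if isinstance(value, int) else f'"{value}"'
        lines.append(f"            {key}: {rendered}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_yaml(realm_settings(DISCOVERY_JSON, "<CLIENT_ID>", "kibana.example.com")))
```

The client secret is deliberately not part of the rendered YAML; it belongs in the Elasticsearch keystore, not in elasticsearch.yml.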
Kibana needs to be told about its new auth provider and its OpenID Connect realm, and to whitelist calls to /api/security/v1/oidc.
kibana.yml
xpack.security.authProviders: [oidc, basic]
xpack.security.authc.oidc.realm: "cloud-oidc"
server.xsrf.whitelist: [/api/security/v1/oidc]
Send the following request to your Elasticsearch instance.
PUT /_security/role_mapping/oidc-kibana
{
  "roles": [ "kibana_user" ],
  "enabled": true,
  "rules": {
    "field": { "realm.name": "cloud-oidc" }
  }
}
This will map everyone authenticating through OIDC to the kibana_user role. If this isn't suitable, you will need to set claims.groups in elasticsearch.yml to achieve more fine-grained control.
It's critical that your OIDC realm be called cloud-oidc, since the Kibana setting above references it by that name; otherwise nothing works.
You forgot to mention to add the Azure Application Client Secret to the Elasticsearch config with
elasticsearch-keystore add xpack.security.authc.realms.oidc.cloud-oidc.rp.client_secret