Elasticsearch 8 Tutorial - Integrate Azure AD OIDC in Elasticsearch and Kibana

Video
This tutorial is explained in the YouTube video below.

Setting up OpenID Connect with Azure
- Sign in to the Azure portal (portal.azure.com).
- Navigate to "Azure Active Directory" > "App registrations".
- Click on "New registration".
- Provide a name for your application, e.g., "Elasticsearch".
- Select who can use the application:
  - Accounts in this organizational directory only (Single tenant)
  - Accounts in any organizational directory (Multi-tenant)
  - Personal Microsoft accounts only
- For "Redirect URI":
  - Select "Web" as the platform.
  - Enter the URL of your Kibana server followed by "/api/security/oidc/callback". For example: "https://localhost:5601/api/security/oidc/callback". This value must match rp.redirect_uri in the Elasticsearch realm configuration exactly.
- Click "Register".
- After registration, note down the following information:
  - Application (client) ID
  - Directory (tenant) ID
- Go to "Certificates & secrets" in the left menu.
- Click "New client secret", provide a description, and choose an expiration period.
- Copy the generated client secret value immediately. You won't be able to see it again.
- Go to "API permissions" in the left menu.
- Click "Add a permission" > "Microsoft Graph" > "Delegated permissions".
- Add these permissions:
  - openid
  - profile
  - User.Read
- Click "Add permissions" to save.


Configuring Elasticsearch
Modify the Elasticsearch configuration file (elasticsearch.yml) as follows, replacing the <...> placeholders with the values noted from the Azure app registration:

# Enable security features
xpack.security.enabled: true
xpack.security.enrollment.enabled: true

# TLS on the HTTP (REST) interface
xpack.security.http.ssl:
  enabled: true
  certificate: certs/elastic/elastic.crt
  key: certs/elastic/elastic.key

# TLS on the transport (node-to-node) interface
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

cluster.initial_master_nodes: ["LAPTOP-0ELSI3NO"]
http.host: 0.0.0.0

# OIDC realm backed by Azure AD. The client secret is deliberately not set here:
# store it in the Elasticsearch keystore under
# xpack.security.authc.realms.oidc.oidc1.rp.client_secret
xpack.security.authc.realms.oidc.oidc1:
  order: 2
  enabled: true
  rp.client_id: <Application (client) ID>
  rp.response_type: "code"
  rp.requested_scopes: ["openid", "email"]
  rp.redirect_uri: "https://localhost:5601/api/security/oidc/callback"
  op.issuer: "https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0"
  op.authorization_endpoint: "https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/authorize"
  op.token_endpoint: "https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/token"
  op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
  op.endsession_endpoint: "https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/logout"
  op.jwkset_path: "https://login.microsoftonline.com/<Directory (tenant) ID>/discovery/v2.0/keys"
  rp.post_logout_redirect_uri: "https://localhost:5601/logged_out"
  claims.principal: email

# Token service used by Kibana to complete the OIDC login
xpack.security.authc.token.enabled: true
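The script below is an added example, not part of the tutorial or of Elastic's own tooling. It reads an elasticsearch.yml fragment like the one above and flags the mistakes that most often break or weaken an Azure AD OIDC realm: <...> placeholders left unreplaced, the client secret pasted into the yml instead of the keystore, endpoints that are missing or not https, a tenant ID that differs between op.issuer and the other login.microsoftonline.com endpoints, a missing openid scope (or an email principal without the email scope), a redirect URI that differs from the one registered in Azure, and the token service left disabled. It parses only the YAML subset elasticsearch.yml uses, so it needs no PyYAML. The tenant ID, client ID and second tenant in the sample inputs are constructed values, not real identifiers.

```python
"""Added example: sanity-check the Azure AD OIDC realm in an elasticsearch.yml."""
from __future__ import annotations

import re
from urllib.parse import urlparse

AZ = "https://login.microsoftonline.com"
TENANT = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # constructed, not a real tenant ID
REGISTERED_REDIRECT = "https://localhost:5601/api/security/oidc/callback"

# Constructed fragment mirroring the tutorial's realm (the client ID is made up too).
GOOD_YML = f"""
xpack.security.authc.realms.oidc.oidc1:
  order: 2
  enabled: true
  rp.client_id: 11111111-2222-3333-4444-555555555555
  rp.response_type: "code"
  rp.requested_scopes: ["openid", "email"]
  rp.redirect_uri: "{REGISTERED_REDIRECT}"
  op.issuer: "{AZ}/{TENANT}/v2.0"
  op.authorization_endpoint: "{AZ}/{TENANT}/oauth2/v2.0/authorize"
  op.token_endpoint: "{AZ}/{TENANT}/oauth2/v2.0/token"
  op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
  op.jwkset_path: "{AZ}/{TENANT}/discovery/v2.0/keys"
  claims.principal: email
xpack.security.authc.token.enabled: true
"""

# Constructed misconfiguration: placeholder left in, secret in the yml, http issuer and
# redirect, authorize endpoint on another tenant, no openid, no userinfo, tokens off.
BAD_YML = f"""
xpack.security.authc.realms.oidc.oidc1:
  rp.client_id: <Application (client) ID>
  rp.client_secret: "pasted-secret"
  rp.requested_scopes: ["email"]
  rp.redirect_uri: "http://localhost:5601/api/security/oidc/callback"
  op.issuer: "http://login.microsoftonline.com/{TENANT}/v2.0"
  op.authorization_endpoint: "{AZ}/ffffffff-0000-0000-0000-000000000000/oauth2/v2.0/authorize"
  op.token_endpoint: "{AZ}/{TENANT}/oauth2/v2.0/token"
  op.jwkset_path: "{AZ}/{TENANT}/discovery/v2.0/keys"
  claims.principal: email
"""


def flatten_es_yaml(text: str) -> dict[str, str]:
    """Flatten the YAML subset elasticsearch.yml uses into dotted-key -> raw value."""
    settings: dict[str, str] = {}
    stack: list[tuple[int, str]] = []  # (indent, dotted prefix) of the open maps
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop '#' comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        while stack and stack[-1][0] >= indent:  # a dedent closes enclosing maps
            stack.pop()
        key, _, value = line.strip().partition(":")
        full = (stack[-1][1] + "." if stack else "") + key.strip()
        if value.strip():
            settings[full] = value.strip().strip("\"'")  # scalars and inline lists
        else:
            stack.append((indent, full))  # "key:" with no value opens a nested map
    return settings


def check_oidc_realm(settings: dict[str, str], realm: str = "oidc1",
                     expected_redirect_uri: str | None = None) -> list[str]:
    """Return findings for the realm; an empty list means every check passed."""
    prefix = f"xpack.security.authc.realms.oidc.{realm}."
    get = lambda k: settings.get(prefix + k)  # noqa: E731
    # 1. tutorial placeholders such as <Directory (tenant) ID> still in place
    findings = [f"{k}: placeholder {v!r} not replaced"
                for k, v in settings.items() if k.startswith(prefix) and "<" in v]
    if get("rp.client_secret") is not None:  # 2. secrets belong in the keystore
        findings.append("rp.client_secret is in elasticsearch.yml; move it to the keystore")
    for k in ("op.issuer", "op.authorization_endpoint", "op.token_endpoint",
              "op.userinfo_endpoint", "op.jwkset_path"):  # 3. present and https-only
        v = get(k)
        if v is None:
            findings.append(f"{k} is missing")
        elif urlparse(v).scheme != "https":
            findings.append(f"{k} must use https: {v}")
    tenant = re.search(r"login\.microsoftonline\.com/([^/]+)/", get("op.issuer") or "")
    for k in ("op.authorization_endpoint", "op.token_endpoint", "op.jwkset_path",
              "op.endsession_endpoint"):  # 4. every Azure endpoint on the issuer's tenant
        v = get(k) or ""
        if tenant and "login.microsoftonline.com" in v and f"/{tenant.group(1)}/" not in v:
            findings.append(f"{k} names a different tenant than op.issuer")
    scopes = [s.strip().strip("\"'") for s in (get("rp.requested_scopes") or "").strip("[]").split(",")]
    if "openid" not in scopes:  # 5. openid is mandatory; the principal claim needs its scope
        findings.append("rp.requested_scopes must include openid")
    if get("claims.principal") == "email" and "email" not in scopes:
        findings.append("claims.principal is email but the email scope is not requested")
    if expected_redirect_uri and get("rp.redirect_uri") != expected_redirect_uri:  # 6.
        findings.append(f"rp.redirect_uri does not match the registered {expected_redirect_uri}")
    if settings.get("xpack.security.authc.token.enabled") != "true":  # 7. Kibana needs it
        findings.append("xpack.security.authc.token.enabled should be true")
    return findings


if __name__ == "__main__":
    for name, yml in (("tutorial-like", GOOD_YML), ("broken", BAD_YML)):
        print(name, check_oidc_realm(flatten_es_yaml(yml), expected_redirect_uri=REGISTERED_REDIRECT) or "OK")
```

Run it against your real file by replacing the sample strings with `open("config/elasticsearch.yml").read()`. The secret check exists because the realm above intentionally omits rp.client_secret: Elasticsearch reads it from the keystore (bin/elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc1.rp.client_secret), so a secret that shows up in the yml is a sign it was pasted where it should not be.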