Elasticsearch 8 Tutorial - Integrate Azure AD OIDC in Elasticsearch and Kibana

In the previous tutorial we configured Elasticsearch and Kibana with credentials and SSL. In this tutorial, we will modify that example to implement Azure AD OIDC (OpenID Connect) authentication in Elasticsearch and Kibana to provide secure user access.


Setting up OpenID Connect with Azure

  1. Sign in to the Azure portal (portal.azure.com).
  2. Navigate to "Azure Active Directory" > "App registrations".
  3. Click on "New registration".
  4. Provide a name for your application, e.g., "Elasticsearch".
  5. Select who can use the application:
    • Accounts in this organizational directory only (Single tenant)
    • Accounts in any organizational directory (Multi-tenant)
    • Personal Microsoft accounts only
    Choose based on your requirements.
  6. For "Redirect URI":
    • Select "Web" as the platform.
    • Enter the URL of your Kibana server (port 5601 in this tutorial) followed by "/api/security/oidc/callback". For example: "https://localhost:5601/api/security/oidc/callback". This value must match the rp.redirect_uri configured in the Elasticsearch OIDC realm below, otherwise Azure AD rejects the login.
  7. Click "Register".
  8. After registration, note down the following information:
    • Application (client) ID
    • Directory (tenant) ID
    You'll need these for configuring Elasticsearch.
  9. Go to "Certificates & secrets" in the left menu.
  10. Click "New client secret", provide a description, and choose an expiration period.
  11. Copy the generated client secret value immediately. You won't be able to see it again.
  12. Go to "API permissions" in the left menu.
  13. Click "Add a permission" > "Microsoft Graph" > "Delegated permissions".
  14. Add these permissions:
    • email
    • openid
    • profile
    • User.Read
  15. Click "Add permissions" to save.

Configuring Elasticsearch

Modify the Elasticsearch configuration file (elasticsearch.yml) as follows:

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

xpack.security.http.ssl:
  enabled: true
  certificate: certs/elastic/elastic.crt
  key: certs/elastic/elastic.key

xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

cluster.initial_master_nodes: ["LAPTOP-0ELSI3NO"]

http.host: 0.0.0.0

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  enabled: true
  rp.client_id: <Application (client) ID>
  rp.response_type: "code"
  rp.requested_scopes: ["openid", "email"]
  rp.redirect_uri: "https://localhost:5601/api/security/oidc/callback"
  op.issuer: "https://login.microsoftonline.com/<Directory (tenant) ID>/v2.0"
  op.authorization_endpoint: "https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/authorize"
  op.token_endpoint: "https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/token"
  op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
  op.endsession_endpoint: "https://login.microsoftonline.com/<Directory (tenant) ID>/oauth2/v2.0/logout"
  op.jwkset_path: "https://login.microsoftonline.com/<Directory (tenant) ID>/discovery/v2.0/keys"
  rp.post_logout_redirect_uri: "https://localhost:5601/logged_out"
  claims.principal: email

xpack.security.authc.token.enabled: true

Let's break down the OIDC configuration:

  • order: 2: Sets the priority of this authentication realm.
  • enabled: true: Enables this OIDC realm.
  • rp.client_id: Your Azure AD application (client) ID.
  • rp.response_type: "code": Specifies the OAuth 2.0 flow type (authorization code flow).
  • rp.requested_scopes: The OAuth scopes to request from Azure AD.
  • rp.redirect_uri: The callback URL registered in Azure AD.
  • op.issuer: The Azure AD token issuer URL.
  • op.authorization_endpoint: Azure AD's authorization endpoint.
  • op.token_endpoint: Azure AD's token endpoint.
  • op.userinfo_endpoint: The endpoint to fetch user information.
  • op.endsession_endpoint: Azure AD's logout endpoint.
  • op.jwkset_path: The path to Azure AD's JSON Web Key Set for token validation.
  • rp.post_logout_redirect_uri: Where to redirect after logout.
  • claims.principal: email: Uses the email claim as the principal (username) in Elasticsearch.
  • xpack.security.authc.token.enabled: true: Enables the token service, which the OIDC realm requires to issue Elasticsearch access tokens after the Azure AD login.
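Most OIDC login failures in this setup come from hand-typed endpoints that do not match the tenant's discovery document, or from a redirect URI that differs from the one registered in the Azure portal. The following check is an added example (not from this page or from Elasticsearch): it parses a realm block in the elasticsearch.yml layout shown above and compares it with a constructed copy of the tenant's openid-configuration and the registered redirect URIs; TENANT-ID, the client id and the URIs are placeholders.

```python
"""Consistency check of an Elasticsearch OIDC realm against the tenant's OpenID
discovery document and the Azure app registration (added example, not page code)."""
import json

# Constructed realm block in the page's elasticsearch.yml layout; TENANT-ID is a
# placeholder and the token endpoint deliberately points at the wrong API version.
REALM_YML = """
  rp.client_id: 11111111-2222-3333-4444-555555555555
  rp.response_type: "code"
  rp.requested_scopes: ["openid", "email"]
  rp.redirect_uri: "https://localhost:5601/api/security/oidc/callback"
  op.issuer: "https://login.microsoftonline.com/TENANT-ID/v2.0"
  op.authorization_endpoint: "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/authorize"
  op.token_endpoint: "https://login.microsoftonline.com/TENANT-ID/oauth2/v1.0/token"
  op.jwkset_path: "https://login.microsoftonline.com/TENANT-ID/discovery/v2.0/keys"
  claims.principal: email
"""
# Constructed subset of https://login.microsoftonline.com/TENANT-ID/v2.0/.well-known/openid-configuration
DISCOVERY = json.loads("""{
  "issuer": "https://login.microsoftonline.com/TENANT-ID/v2.0",
  "authorization_endpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/authorize",
  "token_endpoint": "https://login.microsoftonline.com/TENANT-ID/oauth2/v2.0/token",
  "jwks_uri": "https://login.microsoftonline.com/TENANT-ID/discovery/v2.0/keys"}""")
# Constructed: redirect URI registered in the Azure app (the mismatch from the portal step)
REGISTERED_REDIRECT_URIS = ["https://localhost:5601/api/security/v1/oidc"]

def parse_realm(text):
    """Parse the flat 'key: value' realm lines; strips quotes, expands [..] lists."""
    realm = {}
    for line in text.strip().splitlines():
        key, _, raw = line.strip().partition(":")
        raw = raw.strip()
        if raw.startswith("["):
            realm[key] = [v.strip().strip('"') for v in raw.strip("[]").split(",")]
        else:
            realm[key] = raw.strip('"')
    return realm

def check_realm(realm, discovery, registered_uris):
    """Return a list of misconfigurations that would make the Azure login fail."""
    problems = []
    for rkey, dkey in (("op.issuer", "issuer"), ("op.authorization_endpoint", "authorization_endpoint"),
                       ("op.token_endpoint", "token_endpoint"), ("op.jwkset_path", "jwks_uri")):
        if realm.get(rkey) != discovery[dkey]:
            problems.append(f"{rkey} differs from discovery '{dkey}': {realm.get(rkey)}")
    scopes = realm.get("rp.requested_scopes", [])
    if realm.get("claims.principal") == "email" and "email" not in scopes:
        problems.append("claims.principal is email but the email scope is not requested")
    if realm.get("rp.redirect_uri") not in registered_uris:
        problems.append(f"rp.redirect_uri is not registered in Azure: {realm.get('rp.redirect_uri')}")
    return problems
```

Run it against your own realm block after replacing the constructed discovery document with the live one fetched from your tenant's openid-configuration URL.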
Next, add the client secret (xpack.security.authc.realms.oidc.oidc1.rp.client_secret) to the Elasticsearch keystore so that it is not stored in plain text in elasticsearch.yml. On Windows, from the bin directory:

 .\elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc1.rp.client_secret

On Linux/macOS, from the bin directory:

elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc1.rp.client_secret

Start Elasticsearch after making these changes.

Configuring Kibana

Modify the Kibana configuration file (kibana.yml) as follows:

server.host: "0.0.0.0"

server.ssl.enabled: true
server.ssl.certificate: D:\elk\ad\elasticsearch-8.15.2\config\certs\kibana\kibana.crt
server.ssl.key: D:\elk\ad\elasticsearch-8.15.2\config\certs\kibana\kibana.key
elasticsearch.ssl.verificationMode: none

elasticsearch.hosts: ["https://127.0.0.1:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"

xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: oidc1
    description: "Log in with Azure"
  basic.basic1:
    order: 1

Let's explain the OIDC-related Kibana configuration:

  • xpack.security.authc.providers: Configures authentication providers for Kibana.
  • oidc.oidc1: Defines an OIDC provider named "oidc1".
  • order: 0: Sets this as the primary authentication method.
  • realm: oidc1: Specifies which Elasticsearch OIDC realm to use.
  • description: "Log in with Azure": The text shown on the login button.
  • basic.basic1: Keeps basic authentication as a fallback option.

Note that elasticsearch.ssl.verificationMode: none disables verification of the Elasticsearch server's certificate. It is acceptable for this local test setup; for a real deployment, keep the default verification mode and point elasticsearch.ssl.certificateAuthorities at the CA certificate that issued the Elasticsearch certificate.

Start Kibana after making these changes.

Testing the Integration

  1. Go to https://localhost:5601. You should see the "Log in with Azure" option on the login page.
  2. For now, use "Log in with Elasticsearch" and sign in with the elastic user credentials.
  3. Go to Dev Tools in Kibana and run the following request to set up the role mapping:
POST /_security/role_mapping/oidc_kibana
{
  "enabled": true,
  "roles": [ "superuser" ],
  "rules": {
    "all": [
      { "field": { "realm.name": "oidc1" } },
      { "field": { "username": [ "<email_address_of_user>" ] } }
    ]
  },
  "metadata": { "version": 1 }
}

Replace "<email_address_of_user>" with the email address of the Azure AD user you want to grant access to. Both rules must match: the user must have authenticated through the oidc1 realm and have that email address as username, so a native-realm user with the same name does not receive the roles. Because this mapping grants superuser, keep the username list limited to the accounts that need full access.
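To see which roles the mapping above would grant before applying it, here is an added example (not from this page or from Elasticsearch) that models the role-mapping rule semantics (all, any, except and field) with exact-value matching over flat, dotted user fields; alice@example.com and the user documents are constructed placeholders.

```python
"""Offline evaluation of an Elasticsearch role-mapping rule tree against sample
user documents (added example; a simplified model, not Elasticsearch's own code)."""
import json

# The tutorial's mapping with a constructed placeholder email address.
MAPPING = json.loads("""{
  "enabled": true,
  "roles": ["superuser"],
  "rules": {"all": [
    {"field": {"realm.name": "oidc1"}},
    {"field": {"username": ["alice@example.com"]}}
  ]}
}""")

# Constructed user documents, flattened to the dotted field names used in rules.
USERS = {
    "oidc-alice":   {"username": "alice@example.com", "realm.name": "oidc1"},
    "oidc-bob":     {"username": "bob@example.com", "realm.name": "oidc1"},
    "native-alice": {"username": "alice@example.com", "realm.name": "native"},
}

def rule_matches(rule, user):
    """Recursively evaluate one rule object: all / any / except / field."""
    (kind, body), = rule.items()
    if kind == "all":
        return all(rule_matches(r, user) for r in body)
    if kind == "any":
        return any(rule_matches(r, user) for r in body)
    if kind == "except":
        return not rule_matches(body, user)
    if kind == "field":
        (name, expected), = body.items()
        allowed = expected if isinstance(expected, list) else [expected]
        return user.get(name) in allowed
    raise ValueError(f"unknown rule type: {kind}")

def roles_for(mapping, user):
    """Roles the mapping grants to the user, or [] if disabled or not matched."""
    if not mapping.get("enabled", True):
        return []
    return list(mapping["roles"]) if rule_matches(mapping["rules"], user) else []

if __name__ == "__main__":
    for name, user in USERS.items():
        print(f"{name}: {roles_for(MAPPING, user)}")
```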

Logging in with Azure AD

  1. Log out of Kibana.
  2. On the login page, select "Log in with Azure".
  3. You will be redirected to the Microsoft login page.
  4. Enter your Azure AD credentials.
  5. After successful authentication, you will be logged into Kibana using your Azure AD account.

Conclusion

You have successfully integrated Azure AD OIDC with Elasticsearch and Kibana. This setup allows users to authenticate using their Azure AD credentials, providing a secure and seamless login experience. Remember to manage your role mappings carefully to ensure appropriate access levels for your users.