Connecting SEAL Elastic Stack to an OIDC Provider
- For OIDC to work, the Java runtime that runs Elasticsearch must trust the identity provider's certificate. If it does not already, import the CA certificate into Java's `cacerts` truststore:

  ```shell
  cd /usr/share/elasticsearch/jdk/lib/security
  ../../bin/keytool -import -noprompt -trustcacerts -alias CustomerCA -file "ca.pem" -keystore cacerts -storepass changeit
  ```
- Add the client secret for Elasticsearch to the Elasticsearch internal keystore. In `/usr/share/elasticsearch/bin`:

  ```shell
  ./elasticsearch-keystore add xpack.security.authc.realms.oidc.cloud-oidc.rp.client_secret
  The elasticsearch keystore does not exist. Do you want to create it? [y/N]y
  Created elasticsearch keystore in C:\Program Files\Elastic\Elasticsearch\7.6.2\config
  Enter value for xpack.security.authc.realms.oidc.cloud-oidc.rp.client_secret:
  ```

  The realm name inside this key (`cloud-oidc` here) must be exactly the name of the OIDC realm defined in elasticsearch.yml; a secret stored under any other realm name is not applied to the realm. The elasticsearch.yml example below names its realm `some-oidc`, so use one and the same name in both places.
- Add the following lines to elasticsearch.yml (examples for Azure AD):

  ```yaml
  node.name: <fqdn>
  network.host: 0.0.0.0
  discovery.type: single-node
  xpack.security.enabled: true
  xpack.security.authc.token.enabled: true
  xpack:
    security:
      authc:
        realms:
          native:
            native1:
              order: 0
          oidc:
            some-oidc:
              order: 2
              rp.client_id: "<client-id>"
              rp.response_type: code
              rp.redirect_uri: "https://<kibana-uri>:5601/api/security/v1/oidc"
              op.issuer: "https://login.microsoftonline.com/.../v2.0"
              op.authorization_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/authorize"
              op.token_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/token"
              op.jwkset_path: "https://login.microsoftonline.com/.../discovery/v2.0/keys"
              op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
              op.endsession_endpoint: "https://login.microsoftonline.com/.../oauth2/v2.0/logout"
              rp.post_logout_redirect_uri: "https://<kibana-uri>:5601/logged_out"
              rp.requested_scopes: ["openid", "email", "profile"]
              claims.principal: preferred_username
              claims.name: name
              claims.groups: roles
  ```
  The `native` realm in the above example is not required for a pure OIDC setup. This realm is needed to create internal users in Kibana.

- Add the following lines to kibana.yml:

  ```yaml
  xpack.security.authProviders: [oidc, basic]
  xpack.security.authc.oidc.realm: "some-oidc"
  server.xsrf.whitelist: [/api/security/v1/oidc]
  ```
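The keystore key in the second step names the realm `cloud-oidc` while the elasticsearch.yml example names it `some-oidc`, and Elasticsearch only applies a secure setting to a realm of exactly that name. The script below is an added example (not part of the SEAL documentation or of Elastic's tooling) that cross-checks the two before a restart; it works on constructed copies of the `elasticsearch-keystore list` output and of the yml so that it runs offline, and on a real node you would feed it the real listing and config file instead.

```shell
#!/bin/sh
# Cross-check: every OIDC realm that has a secret in the Elasticsearch keystore
# must be defined in elasticsearch.yml, otherwise the secret is never used.

# Constructed listing, standing in for `bin/elasticsearch-keystore list`.
KEYSTORE_LIST='keystore.seed
xpack.security.authc.realms.oidc.cloud-oidc.rp.client_secret'

# Constructed excerpt of config/elasticsearch.yml (nested realm form).
ES_YML='xpack:
  security:
    authc:
      realms:
        native:
          native1:
            order: 0
        oidc:
          some-oidc:
            order: 2
            rp.client_id: "<client-id>"'

# realms_in_keystore LISTING -> prints the realm name of every OIDC secret
realms_in_keystore() {
    printf '%s\n' "$1" \
      | sed -n 's/^xpack\.security\.authc\.realms\.oidc\.\([^.]*\)\..*$/\1/p' \
      | sort -u
}

# realm_defined YML REALM -> 0 if the realm appears in nested form
# ("  <realm>:" on its own line) or in dotted form, 1 otherwise.
# Indentation-based heuristic, not a full YAML parser.
realm_defined() {
    printf '%s\n' "$1" \
      | grep -Eq "^[[:space:]]*${2}:[[:space:]]*$|^xpack\.security\.authc\.realms\.oidc\.${2}\."
}

# check_secrets LISTING YML -> 0 when every keystore realm is defined,
# 1 otherwise, naming each orphaned secret on stderr.
check_secrets() {
    rc=0
    for realm in $(realms_in_keystore "$1"); do
        if ! realm_defined "$2" "$realm"; then
            echo "keystore secret for realm '$realm' has no matching realm in elasticsearch.yml" >&2
            rc=1
        fi
    done
    return $rc
}

# With the constructed inputs the names differ, so the check reports cloud-oidc.
check_secrets "$KEYSTORE_LIST" "$ES_YML" || echo "fix the realm name before restarting Elasticsearch" >&2
```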