Hi, we have configured Entra App for OIDC with the correct redirect uri, and correct group claim. I want the OIDC configuration to check the claim if I am a part of a specific AD group. Client secret is also stored in keystore. I have created a role mapping specifying the realm and the ID of the ad group.
The OIDC configuration
oidc.oidc1:
  order: 2
  rp.client_id: "client_id"
  rp.response_type: "code"
  #rp.requested_scopes: ["openid", "email", "profile"]
  rp.redirect_uri: "<KIBANA_URL>/api/security/oidc/callback"
  op.issuer: "https://login.microsoftonline.com/<TENANT_ID>/v2.0"
  op.authorization_endpoint: "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize"
  op.token_endpoint: "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token"
  op.endsession_endpoint: "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/logout"
  op.jwkset_path: "https://login.microsoftonline.com/<TENANT_ID>/discovery/v2.0/keys"
  op.userinfo_endpoint: "https://graph.microsoft.com/oidc/userinfo"
  rp.post_logout_redirect_uri: "<KIBANA_URL>/logged_out"
  claims.principal: email
  claims.groups: groups
The Kibana config
xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: oidc1
    description: "Sign in with Entra ID (SSO)"
  basic.basic1:
    order: 1
Role mapping
role_mapping:
  enabled: true
  roles:
    - log_reader
  rules:
    all:
      - field: { realm.name: "oidc1" }
      - field: { groups: "AD GROUP OBJECT ID" }
Microsoft graph permission on the Entra app
email - delegated permission
Group.Read.All - application permission
GroupMember.Read.All - delegated permission
openid - delegated permission
profile - delegated permission
User.Read - delegated permission
User.ReadBasic.All - delegated permission
When I log in, I get redirected to login.microsoftonline.com to fill in user credentials. After that I get redirected to kibana again, but with a msg=UNAUTHENTICATED and a display text "Try logging in again, and if the problem persists, contact your system administrator".
I have enabled trace, but can't see that the OIDC configuration is being triggered at all.
PUT _cluster/settings
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc": "trace"
  }
}
Any idea what I'm doing wrong?
UPDATE:
I get these errors when I comment out scope and set claims.principal: sub
Failed to consume the OpenIdConnectToken
Authentication to realm oidc1 failed - Failed to authenticate user with OpenID Connect (Caused by org.elasticsearch.ElasticsearchSecurityException: Failed to exchange code for Id Token using the Token Endpoint
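The group check the role mapping above is meant to perform, as an added Python example that is not part of the original post or of Elasticsearch's own code: it mirrors the realm's claim mapping (principal from `email`, groups from `groups`) and evaluates the `all`/`field` rule against a constructed set of ID token claims. The email address, realm name and group object IDs are placeholders.

```python
# Constructed sample of the claims a realm would extract from the ID token
# after a successful code exchange; not a real token, values are placeholders.
SAMPLE_CLAIMS = {
    "sub": "sub-placeholder",
    "email": "alice@example.com",
    "groups": ["00000000-0000-0000-0000-000000000001",
               "00000000-0000-0000-0000-000000000002"],
}

# Claim mapping from the realm config in the question: claims.principal / claims.groups.
CLAIM_MAPPING = {"principal": "email", "groups": "groups"}

# The role mapping from the question, with a placeholder group object ID.
ROLE_MAPPING = {
    "enabled": True,
    "roles": ["log_reader"],
    "rules": {"all": [
        {"field": {"realm.name": "oidc1"}},
        {"field": {"groups": "00000000-0000-0000-0000-000000000001"}},
    ]},
}

def build_user(claims, realm_name, mapping):
    """Build the user model a realm derives from token claims; fail if the principal claim is absent."""
    principal = claims.get(mapping["principal"])
    if principal is None:
        raise ValueError(f"principal claim '{mapping['principal']}' missing from token")
    groups = claims.get(mapping["groups"], [])
    groups = [groups] if isinstance(groups, str) else list(groups)  # a single group may arrive as a string
    return {"username": principal, "realm.name": realm_name, "groups": groups}

def field_matches(user, field, expected):
    """A field rule matches when any user value equals any expected value (both may be lists)."""
    values = user.get(field)
    values = values if isinstance(values, list) else [values]
    expected = expected if isinstance(expected, list) else [expected]
    return any(e in values for e in expected)

def evaluate_rule(rule, user):
    """Recursive evaluation of the role-mapping rule DSL: all / any / except / field."""
    if "all" in rule:
        return all(evaluate_rule(r, user) for r in rule["all"])
    if "any" in rule:
        return any(evaluate_rule(r, user) for r in rule["any"])
    if "except" in rule:
        return not evaluate_rule(rule["except"], user)
    if "field" in rule:
        (field, expected), = rule["field"].items()
        return field_matches(user, field, expected)
    raise ValueError(f"unsupported rule: {rule}")

def mapped_roles(role_mapping, user):
    """Roles granted to the user by this mapping; empty if disabled or the rule does not match."""
    if not role_mapping["enabled"] or not evaluate_rule(role_mapping["rules"], user):
        return []
    return list(role_mapping["roles"])
```

Running `build_user` over the claims shows whether the configured principal and groups claims are actually present before the rule is even evaluated, which separates a missing claim from a wrong object ID.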