Azure active directory integration with elasticsearch

Hello,

I have an Elasticsearch server hosted on a virtual machine in the Azure cloud. I have an Azure default directory with users added to it. I want to log in to Elasticsearch using the credentials of the users in Active Directory. I tried the setup by adding a realm to the Elasticsearch configuration as given below, but am unable to achieve it. I am getting:

An error occurred while attempting to establish a connection to server detaropwmail2com.onmicrosoft.com/127.0.0.1:636: ConnectException(Connection refused), ldapSDKVersion=4.0.8, revision=28812

config

xpack:
  security:
    authc:
      realms:
        active_directory:
          my_ad:
            order: 0
            domain_name: detaropwmail2com.onmicrosoft.com
            url: ldap://detaropwmail2com.onmicrosoft.com:636

Elasticsearch can't connect to your LDAP server at the URL you configured it to do so.

  • Is this the correct hostname?
  • Is this the correct port and protocol? 636 is most commonly used for LDAP over TLS (ldaps), but you have ldap:// there instead.
  • Is there network connectivity between your Azure VM where Elasticsearch runs and your Azure directory server?

  1. I tried using the default URL but got the same error (i.e. without specifying url in the config).
  2. detaropwmail2com.onmicrosoft.com is the domain displayed on the Active Directory default directory page.
  3. As of now I don't have any idea about connectivity between the Elasticsearch server and the Active Directory server. Can you guide me on how to establish that?

This is information specific to your Azure VM and Azure Active Directory, and I'm afraid I can't be of much help as I'm not familiar with it.

I'd try to figure out the URL for accessing your "active directory default directory", either from the Azure documentation or their support. Once you have this, you can check connectivity with a simple test: curl handles ldap(s):// URLs, so you could for example do

curl ldap://<the_hostname_you_found>:<the_port_number_you_found>

and see if this fails or not.
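As an added illustration of the checks in this reply (example code, not from the thread or from Elastic): a small Python lint for the realm's `url` setting that flags the ldap:// on port 636 mismatch, derives the URL the Active Directory realm falls back to when `url` is omitted, and probes TCP reachability of the resulting host and port.

```python
"""Added example: lint an Active Directory realm URL and probe reachability."""
import socket
from typing import Dict, List
from urllib.parse import urlsplit

# 389 is plain LDAP, 636 is LDAP over TLS (ldaps).
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def effective_url(realm: Dict[str, str]) -> str:
    """URL the realm will dial. Per the Active Directory realm docs, a missing
    `url` is derived from `domain_name` as an unencrypted connection to port 389."""
    return realm.get("url") or f"ldap://{realm['domain_name']}:389"

def lint_ldap_url(url: str) -> List[str]:
    """Return human-readable warnings for a realm `url` value."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return [f"scheme {parts.scheme!r} is not ldap:// or ldaps://"]
    if not parts.hostname:
        return ["URL has no hostname"]
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    warnings = []
    if scheme == "ldap" and port == 636:
        warnings.append("ldap:// on port 636: that port normally serves ldaps; "
                        "use ldaps:// or port 389")
    if scheme == "ldaps" and port == 389:
        warnings.append("ldaps:// on port 389: that port normally serves plain ldap")
    if scheme == "ldap":
        warnings.append("ldap:// is unencrypted: bind credentials cross the network in clear text")
    return warnings

def tcp_reachable(url: str, timeout: float = 3.0) -> bool:
    """True if a TCP connection to the URL's host and port succeeds: answers the
    connectivity question only, not whether LDAP or TLS is spoken there."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower(), 389)
    try:
        with socket.create_connection((parts.hostname, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, DNS failure or timeout
        return False

if __name__ == "__main__":
    realm = {"domain_name": "detaropwmail2com.onmicrosoft.com",
             "url": "ldap://detaropwmail2com.onmicrosoft.com:636"}  # settings from the thread
    url = effective_url(realm)
    for w in lint_ldap_url(url):
        print("WARN:", w)
    print("tcp reachable:", tcp_reachable(url))
```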

Thanks @ikakavas will check it

I am able to authenticate the user, but not with the role assigned to it in the role_mapping.yml file. Getting the following error:

{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [sanket07@detaropwmail2com.onmicrosoft.com]"}],"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [sanket07@detaropwmail2com.onmicrosoft.com]"},"status":403}

AD Domain Services: pros*.onmicrosoft.com
Azure AD default: detaropwmail2com.onmicrosoft.com
users: name: sanket, username: sanket07

role_mapping.yml

superuser:
  - "cn=sanket07,dc=prospera,dc=onmicrosoft,dc=com"

elasticsearch.yml

xpack:
  security:
    authc:
      realms:
        active_directory:
          my_ad:
            order: 0
            domain_name: prospera.onmicrosoft.com
            files:
              role_mapping: "/etc/elasticsearch/role_mapping.yml"

I can only imagine that the DN of your user in your AD is not cn=sanket07,dc=prospera,dc=onmicrosoft,dc=com.

You need to figure out what the DN of your user is and use that in the configuration. The easiest way to do this is from within your Active Directory instance, so please try this first.

If you can't figure this out from AD, then you could enable extra logging in Elasticsearch and specifically set

org.elasticsearch.xpack.security.authc.support.mapper

and

org.elasticsearch.xpack.security.authc.ldap

to TRACE and look at the Elasticsearch logs, as these will contain the information retrieved for your user from AD (and the DN among them).
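As an added example (not Elasticsearch's own matcher), the comparison this reply describes, done offline: parse the role_mapping.yml from this thread, normalize DNs approximately the way LDAP compares them (attribute types and values case-insensitive, whitespace around separators ignored), and report which roles a given user DN, or one of its group DNs, would receive. The `CN=Users` DN and the `kibana_user` group entry are constructed for illustration.

```python
"""Added example: which roles does role_mapping.yml grant to a user's DN?"""
import re
from typing import Dict, Iterable, List

# The file from the thread, plus one constructed group entry for illustration.
ROLE_MAPPING_YML = '''
superuser:
  - "cn=sanket07,dc=prospera,dc=onmicrosoft,dc=com"
kibana_user:
  - "CN=Kibana Users,OU=groups,DC=prospera,DC=onmicrosoft,DC=com"  # constructed
'''

def parse_role_mapping(text: str) -> Dict[str, List[str]]:
    """Minimal parser for the `role:` / `  - "dn"` layout shown above (not full YAML)."""
    mappings: Dict[str, List[str]] = {}
    role = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            role = line[:-1].strip()
            mappings[role] = []
        elif line.lstrip().startswith("- ") and role is not None:
            mappings[role].append(line.lstrip()[2:].strip().strip("\"'"))
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return mappings

def normalize_dn(dn: str) -> str:
    """Lowercase attribute types and values and drop whitespace around '=' and ','.
    An approximation of RFC 4514 DN comparison; escape sequences are not handled."""
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

def roles_for_user(mappings: Dict[str, List[str]], user_dn: str,
                   group_dns: Iterable[str] = ()) -> List[str]:
    """Roles whose mapped DNs contain the user's own DN or one of its group DNs;
    the file may list either, which is why both are compared."""
    owned = {normalize_dn(d) for d in (user_dn, *group_dns)}
    return sorted(role for role, dns in mappings.items()
                  if any(normalize_dn(d) in owned for d in dns))
```

A DN that differs only in case or spacing still matches; a DN under a container the file does not list (such as `CN=Users`) matches nothing, which is the 403 seen above.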

Thanks a ton @ikakavas!!!
Enabled the logs and found out the correct DN
It worked!!:+1:

Hi,
Any idea how to integrate Azure B2C Active Directory with Elasticsearch?

Hi,

I have no idea what this question means. Please add necessary information and details in your questions, this will make it considerably easier for people in these forums to assist you.

  • What is B2C Active Directory?
  • What do you mean by "integrating"?

B2C Active Directory allows users to log in using identity providers like Amazon, Facebook etc.
I want to authenticate to Elasticsearch using these accounts and not the predefined users, as I did in Active Directory.

It looks like Azure AD B2C can operate as an OpenID Connect Provider, so it looks like you could use Elasticsearch's OpenID Connect authentication realm for this.

Now I am able to redirect Kibana to the login page but am getting the below error in the Elasticsearch logs:

[Elasticsearch] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML content is in-response-to _a5e013e54993435826399194d0d04aa0b87d685f but expected one of [_08363809bbcab6ae5fd6f32673a3eea7b38bec09] ])

[WARN ][o.e.x.s.a.AuthenticationService] [Elasticsearch] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[Failed to parse SAML message]; nested: SAXParseException[cvc-complex-type.2.4.a: Invalid content was found starting with element 'IsPolicySpecificError'. One of '{"urn:oasis:names:tc:SAML:2.0:protocol":StatusDetail}' is expected.];)

After enabling trace logs

What should be the reply URL set to for the elasticsearch application in azure?

current reply urls:
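To show what the two log messages above are checking (added example, not Elasticsearch's validator): a minimal Python checker that remembers the IDs of the AuthnRequests it issued, rejects a Response whose InResponseTo matches none of them (the first error), and rejects non-SAML elements inside Status (the second error, where the IdP sent an `IsPolicySpecificError` element). The issued request ID is the one Elasticsearch logs at TRACE level later in this thread; the three Responses are constructed.

```python
"""Added example: the two SAML checks behind the errors quoted above."""
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing untrusted input
from typing import Set

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
# The schema allows only these children inside samlp:Status.
STATUS_CHILDREN = {f"{{{SAMLP}}}{n}" for n in ("StatusCode", "StatusMessage", "StatusDetail")}
# ID of the AuthnRequest that Elasticsearch logged at TRACE level in this thread.
ISSUED_IDS: Set[str] = {"_4a28414ef2a9100cdad84c795543a5a9164534ca"}

def build_response(in_response_to: str, status_extra: str = "") -> str:
    """Constructed, unsigned Response skeleton used only for the demonstration."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1" Version="2.0" '
            f'InResponseTo="{in_response_to}"><samlp:Status>'
            '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
            f'{status_extra}</samlp:Status></samlp:Response>')

def check_response(xml_text: str, issued_ids: Set[str]) -> str:
    """Return "ok" or the reason the Response is rejected. Signature, Issuer,
    Conditions and Assertion checks, which a real SP also performs, are omitted."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}Response":
        return f"not a SAML Response: {root.tag}"
    irt = root.get("InResponseTo")
    if irt not in issued_ids:  # unsolicited or replayed: the SP never issued this ID
        return f"in-response-to {irt} but expected one of {sorted(issued_ids)}"
    status = root.find(f"{{{SAMLP}}}Status")
    if status is None:
        return "Status element missing"
    for child in status:
        if child.tag not in STATUS_CHILDREN:
            return f"invalid content in Status: {child.tag}"
    return "ok"

GOOD = build_response("_4a28414ef2a9100cdad84c795543a5a9164534ca")
STALE = build_response("_a5e013e54993435826399194d0d04aa0b87d685f")  # ID from the first error
# Constructed stand-in for what the second error reports: a non-SAML element inside Status.
AZURE_STYLE = build_response("_4a28414ef2a9100cdad84c795543a5a9164534ca",
                             "<IsPolicySpecificError>true</IsPolicySpecificError>")

if __name__ == "__main__":
    for name, xml_text in (("good", GOOD), ("stale", STALE), ("azure", AZURE_STYLE)):
        print(name, "->", check_response(xml_text, ISSUED_IDS))
```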

You should share a larger part of the logs, preferably one that contains the message Azure AD is sending, but this doesn't look like a SAML Response.

I have no idea what the reply URL is in the context of the "elasticsearch application in Azure", so I can't help with that. If you want to share more details and information we might get to the bottom of this, but this is not a standard piece of information we have the answer for ready.

This is the log generated when I try to sign up; the user is registered in Active Directory, but I am getting an "unable to authenticate user" error on the Kibana dashboard.

 [2019-11-01T06:33:25,613][TRACE][o.e.x.s.a.s.SamlRealm    ] [Elasticsearch] Constructed SAML Authentication Request: <?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://52.186.177.140:5601/api/security/v1/saml" Destination="https://elasticsso.b2clogin.com/elasticsso.onmicrosoft.com/B2C_1A_signup_signin_SAML/samlp/sso/login" ID="_4a28414ef2a9100cdad84c795543a5a9164534ca" IssueInstant="2019-11-01T06:33:25.595Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
      <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://52.186.177.140:5601/</saml2:Issuer>
      <saml2p:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </saml2p:AuthnRequest>

If I try to use existing credentials then I get "invalid username or password" and no logs are generated.

xpack.security.authc.realms:
   saml:
     saml1:
       order: 0
       idp.metadata.path: "https://elasticsso.b2clogin.com/elasticsso.onmicrosoft.com/B2C_1A_signup_signin_SAML/Samlp/metadata"
       idp.entity_id: "https://elasticsso.b2clogin.com/elasticsso.onmicrosoft.com/B2C_1A_signup_signin_SAML"
       sp.entity_id:  "https://52.186.177.140:5601/"
       sp.acs: "https://52.186.177.140:5601/api/security/v1/saml"
       sp.logout: "https://52.186.177.140:5601/logout"
       attributes.principal: "email:persistent"

I am unable to figure out the significance of the attributes.principal setting, and where do I get the value for that attribute from?

Hi @ikakavas

Now I am able to authenticate using the SAML realm but am getting a 403 Forbidden error, as roles are not assigned.

How do I assign roles, as I can't use the role mapping API because the elastic user won't work now?

Do I need to disable the realm, add the role mapping and then enable the realm again?

https://www.elastic.co/guide/en/elasticsearch/reference/current/saml-kibana.html#saml-kibana-basic