Azure AD SSO setting behind a proxy not working

Hello,

I am trying to integrate Azure AD with an Elasticsearch cluster behind a proxy. I tried the proxy parameter settings below but could not succeed. You can find the log below this post. It says it cannot access microsoftonline.com, but as we diagnosed it, it is not trying over the proxy setting. It is trying to reach the Azure IP directly. If I try to ping that domain it goes over the proxy. Elasticsearch is not trying that connectivity over the proxy.

How can I force it to use the proxy?

tested - not working:

sudo systemctl edit --full elastic-agent.service

[Service]

Environment="HTTPS_PROXY=https://my.proxy:8443"
Environment="HTTP_PROXY=http://my.proxy:8080"

tested - not working:

http.proxy.host
http.proxy.port

tested - not working :

elastic+   13870  0.3  1.2 2541748 104148 ?      Ssl  20:24   0:03 /usr/share/elasticsearch/jdk/bin/java -Xms4m -Xmx64m -XX:+UseSerialGC -**Dhttps.proxyPort=3218 -Dhttps.proxyHost=PROXY_IP** -Dcli.name=server -Dcli.script=/usr/share/elasticsearch/bin/elasticsearch -Dcli.libs=lib/tools/server-cli -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/etc/elasticsearch -Des.distribution.type=deb -cp /usr/share/elasticsearch/lib/*:/usr/share/elasticsearch/lib/cli-launcher/* org.elasticsearch.launcher.CliToolLauncher -p /var/run/elasticsearch/elasticsearch.pid --quiet
[2023-11-07T20:08:45,218][DEBUG][o.e.x.s.a.s.SamlRealm    ] [AZLPELKSEARCH] Initializing OpenSAML
[2023-11-07T20:08:45,734][TRACE][o.e.x.t.t.s.TransformScheduler] [AZLPELKSEARCH] Processing scheduled tasks started
[2023-11-07T20:08:45,735][TRACE][o.e.x.t.t.s.TransformScheduler] [AZLPELKSEARCH] Looking for scheduled tasks to process finished, took 0ms
[2023-11-07T20:08:46,032][DEBUG][o.e.x.s.a.s.SamlRealm    ] [AZLPELKSEARCH] Initialized OpenSAML
[2023-11-07T20:08:46,036][DEBUG][o.e.x.c.s.SSLService     ] [AZLPELKSEARCH] SSL configuration [xpack.security.authc.realms.saml.kibana-realm.ssl] is [SslConfiguration[settingPrefix=, explicitlyConfigured=false, trustConfig=JDK-trusted-certs, keyConfig=empty-key-config, verificationMode=FULL, clientAuth=REQUIRED, ciphers=[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA], supportedProtocols=[TLSv1.3, TLSv1.2, TLSv1.1]]]
[2023-11-07T20:08:46,107][DEBUG][o.a.h.c.p.RequestAddCookies] [AZLPELKSEARCH] CookieSpec selected: default
[2023-11-07T20:08:46,112][DEBUG][o.a.h.c.p.RequestAuthCache] [AZLPELKSEARCH] Auth cache not set in the context
[2023-11-07T20:08:46,113][DEBUG][o.a.h.i.c.PoolingHttpClientConnectionManager] [AZLPELKSEARCH] Connection request: [route: {s}->https://login.microsoftonline.com:443][total available: 0; route allocated: 0 of 2; total allocated: 0 of 20]
[2023-11-07T20:08:46,122][DEBUG][o.a.h.i.c.PoolingHttpClientConnectionManager] [AZLPELKSEARCH] Connection leased: [id: 0][route: {s}->https://login.microsoftonline.com:443][total available: 0; route allocated: 1 of 2; total allocated: 1 of 20]
[2023-11-07T20:08:46,123][DEBUG][o.a.h.i.e.MainClientExec ] [AZLPELKSEARCH] Opening connection {s}->https://login.microsoftonline.com:443
[2023-11-07T20:08:46,130][DEBUG][o.a.h.i.c.DefaultHttpClientConnectionOperator] [AZLPELKSEARCH] Connecting to login.microsoftonline.com/20.190.177.21:443
[2023-11-07T20:08:46,130][DEBUG][o.a.h.c.s.SSLConnectionSocketFactory] [AZLPELKSEARCH] Connecting socket to login.microsoftonline.com/20.190.177.21:443 with timeout 0
[2023-11-07T20:08:46,736][TRACE][o.e.x.t.t.s.TransformScheduler] [AZLPELKSEARCH] Processing scheduled tasks started
[2023-11-07T20:08:46,736][TRACE][o.e.x.t.t.s.TransformScheduler] [AZLPELKSEARCH] Looking for scheduled tasks to process finished, took 0ms
[2023-11-07T20:08:47,736][TRACE][o.e.x.t.t.s.TransformScheduler] [AZLPELKSEARCH] Processing scheduled tasks started
[2023-11-07T20:08:47,737][TRACE][o.e.x.t.t.s.TransformScheduler] [AZLPELKSEARCH] Looking for scheduled tasks to process finished, took 0ms
[2023-11-07T20:08:47,999][TRACE][o.e.i.IndexingMemoryController] [AZLPELKSEARCH] total indexing heap bytes used [0b] vs indices.mem

After some time it gets timeout and "network unreachable" errors.

[2023-11-03T13:35:19,218][INFO ][o.a.h.i.e.RetryExec ] [AZLPELKSEARCH] I/O exception (java.net.SocketException) caught when processing request to {s}->https://login.microsoftonline.com:443: Network is unreachable
[2023-11-03T13:35:19,218][INFO ][o.a.h.i.e.RetryExec ] [AZLPELKSEARCH] Retrying request to {s}->https://login.microsoftonline.com:443

This would not work as these are the steps for Elastic Agent, not Elasticsearch.

Since you are trying to configure SSO with Azure AD, which is a paid feature, I suggest that you open a ticket with Support, I'm not sure that configuring this behind a proxy is supported.

In this case, it is not supported.

It looks like you're trying to load SAML metadata over https, and we do not have proxy support for that.
Our recommendation in this case is to point the realm to a local file instead and have an external process that downloads the file as needed.

If you raise a ticket with support they can register your interest in having proxy support for this.

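An added example of the local-file approach recommended above (not the project's code and not from any poster in this thread): a POSIX shell script that pulls the federation metadata through the proxy with curl, validates it, and atomically installs it at the path the realm reads through idp.metadata.path. The proxy URL, the metadata URL (with a TENANT_ID placeholder) and the file path are assumed values.

```shell
#!/bin/sh
# Added example: refresh Azure AD federation metadata via an explicit proxy
# and install it as the local file behind idp.metadata.path.
# Assumed values: PROXY_URL, METADATA_URL (TENANT_ID is a placeholder), METADATA_PATH.
set -eu

PROXY_URL="${PROXY_URL:-http://my.proxy:8080}"
METADATA_URL="${METADATA_URL:-https://login.microsoftonline.com/TENANT_ID/federationmetadata/2007-06/federationmetadata.xml}"
METADATA_PATH="${METADATA_PATH:-/local/federation.xml}"

# Sanity-check a download before it replaces the live copy: non-empty,
# an EntityDescriptor with an entityID, and a signing certificate (the realm
# validates SAML responses against it, so a proxy login page must never land here).
# Newlines are stripped first so the checks do not depend on line layout.
validate_metadata() {
    f="$1"
    [ -s "$f" ] || return 1
    tr -d '\n' < "$f" | grep -q '<[A-Za-z]*:\{0,1\}EntityDescriptor[^>]*entityID="[^"]\{1,\}"' || return 1
    tr -d '\n' < "$f" | grep -q 'use="signing"' || return 1
    tr -d '\n' < "$f" | grep -q '<[A-Za-z]*:\{0,1\}X509Certificate>' || return 1
    return 0
}

# Replace the live file atomically (temp file in the same directory, then mv)
# so Elasticsearch never reads a half-written document.
install_metadata() {
    src="$1"; dst="$2"
    tmp="$(mktemp "$(dirname "$dst")/.federation.XXXXXX")"
    cp "$src" "$tmp"
    chmod 0640 "$tmp"
    mv -f "$tmp" "$dst"
}

# Download through the proxy. TLS verification stays on (no --insecure):
# the file carries the IdP signing certificate, so its integrity matters.
refresh_metadata() {
    dl="$(mktemp)"
    curl --proxy "$PROXY_URL" --fail --silent --show-error \
         --max-time 30 --output "$dl" "$METADATA_URL"
    if validate_metadata "$dl"; then
        install_metadata "$dl" "$METADATA_PATH"
        echo "updated $METADATA_PATH"
    else
        echo "downloaded metadata failed validation; keeping existing file" >&2
        rm -f "$dl"; return 1
    fi
    rm -f "$dl"
}

# Only fetch when invoked as "refresh" (for example from a cron job or systemd timer).
if [ "${1:-}" = "refresh" ]; then refresh_metadata; fi
```

Run it as `sh refresh-federation.sh refresh` on a schedule; the validation step keeps the last good file in place if the proxy returns an error or login page instead of metadata.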

What do you mean by that? If I use it from a local file, how will that fix the access problem to login.microsoftonline.com?

Thanks for the solution.

The problem was the proxy and we enabled it; also, as you said, if we point the federation.xml to a local file it doesn't need to use the network.

idp.metadata.path: /local/federation.xml

I created an issue for that. It is not working behind a proxy.

https://github.com/elastic/elasticsearch/issues/102280
