Azure OpenID Login doesn't work

Hi everyone.....

Unfortunately my Azure OpenID configuration seems not to work.
I've verified the OpenID authentication with the OpenID Connect Playground and everything seems to be OK.

Also, if I set only the realm check in the role mapping, the login seems to work. But if I want to specify a specific role mapping, it doesn't work anymore...

The claims.groups is working --> see on the OpenID Connect Playground. The group IDs are provided by Azure.

I configured a role mapping like:

```
PUT /_security/role_mapping/
{
  "roles": [ "Kibana-Admin" ],
  "enabled": true,
  "rules": { "all": [
    { "field": { "realm.name": "oidc1" } },
    { "field": { "groups": "99999999-9999-9999-9999-ece1896af683" } }
  ] }
}
```

If I check the logs on Kibana, I get these errors:

```
Nov 16 21:12:17 vm5293 kibana[904]: {"type":"log","@timestamp":"2020-11-16T20:12:17Z","tags":["debug","plugins","spaces"],"pid":904,"message":"SpacesClient.getAll(), using RBAC. Found 1 spaces"}
Nov 16 21:12:17 vm5293 kibana[904]: {"type":"log","@timestamp":"2020-11-16T20:12:17Z","tags":["debug","plugins","spaces"],"pid":904,"message":"SpacesClient.getAll(), authorized for 0 spaces, derived from ES privilege check: {"kibana":[{"resource":"default","privilege":"login:","authorized":false}],"elasticsearch":{"cluster":,"index":{}}}"}
Nov 16 21:12:17 vm5293 kibana[904]: {"type":"log","@timestamp":"2020-11-16T20:12:17Z","tags":["debug","plugins","spaces"],"pid":904,"message":"SpacesClient.getAll(), using RBAC. returning 403/Forbidden. Not authorized for any spaces for any purpose."}
Nov 16 21:12:17 vm5293 kibana[904]: {"type":"log","@timestamp":"2020-11-16T20:12:17Z","tags":["debug","plugins","licensing"],"pid":904,"message":"Requesting Elasticsearch licensing API"}
```

Does anyone have any tips on that?

Thanks. Yours, Stefan

It looks like your claims mapping is wrong. Have you read our docs regarding this?

You can see that but we can't. In general, it's always helpful to share at least your Elasticsearch realm configuration. Also, an example of how Azure AD sends the groups in the ID token as a claim might be useful.

Hopefully this helps in resolving the issue. I know it is maybe not ideal to use the group ID, but the group names contain spaces, which is also not really optimal...

Claim Information:

Realm Configuration:

Kibana.yml:

Please don't post images of text as they are hard to read, may not display correctly for everyone, and are not searchable.

Instead, paste the text and format it with the </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

As you can see in your ID token, the name of the claim that carries the group information is `groups`, so according to our docs that I referenced above, your configuration should be

```
claims.groups: groups
```

Hi Ioannis,

this was the problem. I fixed it and it is working now. The problem with this `claims.groups: groups` is that you'll find many different versions on the web, depending also on the app you'd like to use with OpenID on Azure...

So thank you very much... it is working now, I've tested it.

The value of this setting depends on the OP that is used and how it is configured to release the group information (in which claim), so there is not a single truth / right configuration for us to point out. We try to explain what needs to be configured and how in our docs so that users can set the value as needed.

Glad this worked, cheers!
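To make the two points above concrete (the fix `claims.groups: groups`, and the remark that the right value depends on which claim the OP releases groups in), here is an added example that is not part of the thread and not Elastic's own code. It simulates the path from ID-token claims through the realm's `claims.*` settings to a role mapping: a `claims.groups` value naming a claim the OP does not send leaves the user's `groups` empty, so a mapping rule on `groups` never matches, while a realm-only rule still matches (the behaviour Stefan observed). The ID-token payload, the "wrong" claim name `roles`, and the group IDs are constructed placeholders, and the rule evaluator is a simplified re-implementation of the documented any/all/except/field rule DSL with exact-match comparison only.

```python
# Added example: simulate OIDC claim -> realm user -> role mapping.
# Not Elastic's implementation; a simplified model for illustration.

# Constructed ID-token payload, shaped like what Azure AD releases when it is
# configured to emit group object IDs in a "groups" claim. IDs are placeholders.
ID_TOKEN_CLAIMS = {
    "sub": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "name": "Stefan Example",
    "groups": [
        "99999999-9999-9999-9999-ece1896af683",
        "11111111-1111-1111-1111-111111111111",
    ],
}

# Role mapping from the thread: realm check AND a specific group ID.
ROLE_MAPPING = {
    "roles": ["Kibana-Admin"],
    "enabled": True,
    "rules": {"all": [
        {"field": {"realm.name": "oidc1"}},
        {"field": {"groups": "99999999-9999-9999-9999-ece1896af683"}},
    ]},
}

# The "realm check only" variant the poster said worked.
REALM_ONLY_MAPPING = {
    "roles": ["Kibana-Admin"],
    "enabled": True,
    "rules": {"field": {"realm.name": "oidc1"}},
}

# Two realm settings: a constructed wrong claim name ("roles", which the
# token above does not carry) and the corrected one from the answer.
WRONG_REALM = {"claims.principal": "sub", "claims.groups": "roles"}
RIGHT_REALM = {"claims.principal": "sub", "claims.groups": "groups"}


def build_user(realm_settings, claims, realm_name="oidc1"):
    """Turn ID-token claims into the user fields a role mapping can see.
    Each claims.<x> setting names the token claim to read; a named claim that
    is absent from the token yields an empty value, not an error."""
    def claim(setting, default):
        name = realm_settings.get(setting)
        return claims.get(name, default) if name else default

    groups = claim("claims.groups", [])
    if isinstance(groups, str):          # a single-valued claim still counts
        groups = [groups]
    return {
        "username": claim("claims.principal", ""),
        "groups": list(groups),
        "realm.name": realm_name,
    }


def rule_matches(rule, user):
    """Evaluate one mapping rule. Supports any / all / except / field.
    Field values compare exactly; a list on either side matches if any pair
    is equal (wildcard patterns of the real DSL are deliberately omitted)."""
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    if "field" in rule:
        name, expected = next(iter(rule["field"].items()))
        expected = expected if isinstance(expected, list) else [expected]
        actual = user.get(name, [])
        actual = actual if isinstance(actual, list) else [actual]
        return any(a == e for a in actual for e in expected)
    raise ValueError(f"unknown rule type: {rule}")


def mapped_roles(mapping, user):
    """Roles granted by one mapping document (empty if disabled or no match)."""
    if not mapping.get("enabled", True):
        return []
    return list(mapping["roles"]) if rule_matches(mapping["rules"], user) else []


def roles_for(realm_settings, mapping=ROLE_MAPPING):
    """End-to-end: realm settings + token claims -> roles the user receives."""
    return mapped_roles(mapping, build_user(realm_settings, ID_TOKEN_CLAIMS))


if __name__ == "__main__":
    print("wrong claims.groups, group rule :", roles_for(WRONG_REALM))
    print("wrong claims.groups, realm only :", roles_for(WRONG_REALM, REALM_ONLY_MAPPING))
    print("claims.groups: groups, group rule:", roles_for(RIGHT_REALM))
```

The useful debugging habit this models: before touching the role mapping, confirm what the realm actually extracted. In a real deployment that is the `groups` (and other metadata) shown by the authenticate API for the logged-in user; if that list is empty while the ID token clearly contains the groups, the problem is the `claims.groups` setting, not the mapping rule.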
