I'm running the entire stack on Windows and will integrate SSO into the environment.
It works as expected except for one thing: when the Elasticsearch service needs to be stopped, it hangs for some reason.
If I remove the lines below and the part from the keystore, the service behaves as expected (reproduced in two different environments and tried in Elasticsearch 7.9.1 as well as 7.10.2).
Elasticsearch.yml:
oidc.oidc-adfs:
  order: 2
  client_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  response_type: code
  requested_scopes: ["openid",'allatclaims']
  rp.redirect_uri: 'https://kibana.domain.local/api/security/oidc/callback'
  op.issuer: 'https://adfs.domain.local/adfs'
  op.authorization_endpoint: 'https://adfs.domain.local/adfs/oauth2/authorize/'
  op.token_endpoint: 'https://adfs.domain.local/adfs/oauth2/token/'
  op.endsession_endpoint: 'https://adfs.domain.local/adfs/oauth2/logout'
  rp.post_logout_redirect_uri: 'https://kibana.domain.local/security/logged_out'
  op.jwkset_path: 'https://adfs.domain.local/adfs/discovery/keys'
  claims.principal: sub
  claims.groups: group
  claims.name: commonname
  ssl.certificate_authorities: D:\Elasticsearch\config\chain.crt
This is also included in the keystore:
xpack.security.authc.realms.oidc.oidc-adfs.rp.client_secret
Elasticcluster.log (when stopping service):
[INFO ][o.e.n.Node ] [es1.domain.local] stopping ...
[INFO ][o.e.x.w.WatcherService ] [es1.domain.local] stopping watch service, reason [shutdown initiated]
[INFO ][o.e.x.w.WatcherLifeCycleService] [es1.domain.local] watcher has stopped and shutdown
[INFO ][o.e.x.m.p.l.CppLogMessageHandler] [es1.domain.local] [controller/8132] [Main.cc@154] ML controller exiting
[INFO ][o.e.x.m.p.NativeController] [es1.domain.local] Native controller process has stopped - no new native processes can be started
[INFO ][o.e.n.Node ] [es1.domain.local] stopped
[INFO ][o.e.n.Node ] [es1.domain.local] closing ...
[INFO ][o.e.n.Node ] [es1.domain.local] closed
... but the process and service are still running and trying to stop, and the only way to shut it down is to kill the process...
The service is installed with the provided elasticsearch-service.bat.
This can't be expected behavior; what am I missing?