OIDC with Azure not logged in on Kibana

Hi all

My company is configuring SSO using OIDC on Azure. Everything looks fine, but whenever a user tries to authenticate, it takes them back to the login page. I have checked the logs, there are no errors, and there are no errors on the web interface as well.

I am suspecting role mapping issues, I have tried all the settings for role mapping but no result.

Below is my Config on elasticsearch.yml:

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "057b9390-a441-44f9-9275-44600dd52a77"
  rp.response_type: code
  rp.redirect_uri: "https://my-domain.com:5601/app/security/oidc/callback"
  op.issuer: "https://login.microsoftonline.com/9be35454-2258-4efc-85fb-3da619c8bdb3/v2.0"
  op.authorization_endpoint: "https://login.microsoftonline.com/9be35454-2258-4efc-85fb-3da619c8bdb3/oauth2/v2.0/authorize"
  op.token_endpoint: "https://login.microsoftonline.com/9be35454-2258-4efc-85fb-3da619c8bdb3/oauth2/v2.0/token"
  op.jwkset_path: "https://login.microsoftonline.com/9be35454-2258-4efc-85fb-3da619c8bdb3/discovery/v2.0/keys"
  op.endsession_endpoint: "https://login.microsoftonline.com/9be35454-2258-4efc-85fb-3da619c8bdb3/oauth2/v2.0/logout"
  rp.post_logout_redirect_uri: "https://my-domain.com:5601/security/logged_out"
  claims.principal: sub

and kibana.yml:

xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: "oidc1"
    description: "Log in with your account" 
  basic.basic1:
    order: 1

I also enabled trace logging in the cluster settings, but I have not seen any logs. Is there a way to check the logs for this error?

@esanolad - Thanks for reaching out. Would it be possible for you to post this in the Elastic Stack channel with the tag elastic-stack-security? I'll try and point this issue in the direction of the right team, but wanted to make sure it gets the right eyes on it. Thanks!

Hey @esanolad, welcome to the discussion boards!

Your rp.redirect_uri looks incorrect. It should read .../api/security/..., not .../app/security/...:

-  rp.redirect_uri: "https://my-domain.com:5601/app/security/oidc/callback"
+  rp.redirect_uri: "https://my-domain.com:5601/api/security/oidc/callback"
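Review bot: the + line only changes the path on the Elasticsearch side; the same https://my-domain.com:5601/api/security/oidc/callback value also has to be registered as a redirect URI for this rp.client_id at the identity provider, because an OIDC authorization endpoint rejects a redirect_uri it does not recognise before any authorization code ever reaches Kibana.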

If changing this (& restarting Elasticsearch) doesn't fix your issues, then I suggest enabling debug logging for Kibana's security plugin so we can get more information about what's happening during the login flow:

# kibana.yml
logging:
  loggers:
    - name: plugins.security
      level: debug
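A small configuration checker, added here as an example (not Elastic's code and not part of this thread), that parses the realm block from elasticsearch.yml and flags the /app/ versus /api/ callback path mismatch from the answer above, plus a few consistency checks on the Azure endpoints. The client and tenant ids below are placeholders, and the Azure path layout (tenant id as the first path segment) is an assumption based on the endpoints shown in the question.

```python
from urllib.parse import urlparse

# Constructed sample: the realm from the question, with ids replaced by placeholders.
REALM_YAML = """\
xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "CLIENT-ID-PLACEHOLDER"
  rp.response_type: code
  rp.redirect_uri: "https://my-domain.com:5601/app/security/oidc/callback"
  op.issuer: "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0"
  op.authorization_endpoint: "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize"
  op.token_endpoint: "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token"
  op.jwkset_path: "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/discovery/v2.0/keys"
  op.endsession_endpoint: "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/oauth2/v2.0/logout"
  rp.post_logout_redirect_uri: "https://my-domain.com:5601/security/logged_out"
  claims.principal: sub
"""

KIBANA_CALLBACK_PATH = "/api/security/oidc/callback"  # the path Kibana's OIDC provider serves
OP_ENDPOINTS = ("op.authorization_endpoint", "op.token_endpoint",
                "op.jwkset_path", "op.endsession_endpoint")
REQUIRED = ("rp.client_id", "rp.redirect_uri", "op.issuer",
            "op.authorization_endpoint", "op.token_endpoint", "claims.principal")


def parse_realm(text: str) -> dict:
    """Minimal parser for the flat, two-space-indented key: value realm block."""
    settings = {}
    for line in text.splitlines():
        if not line.startswith("  ") or ":" not in line:
            continue  # skip the realm header and anything that is not a setting
        key, _, value = line.strip().partition(":")  # split only on the first colon
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def check_realm(settings: dict) -> list:
    """Return human-readable findings; an empty list means no problems found."""
    findings = [f"missing required setting {k}" for k in REQUIRED if not settings.get(k)]
    redirect = urlparse(settings.get("rp.redirect_uri", ""))
    if redirect.path != KIBANA_CALLBACK_PATH:
        findings.append(f"rp.redirect_uri path {redirect.path!r} should be {KIBANA_CALLBACK_PATH!r}")
    if redirect.scheme != "https":
        findings.append("rp.redirect_uri should use https")
    logout = urlparse(settings.get("rp.post_logout_redirect_uri", ""))
    if logout.netloc and logout.netloc != redirect.netloc:
        findings.append("rp.post_logout_redirect_uri host differs from rp.redirect_uri host")
    # Azure v2.0 endpoints embed the tenant id as the first path segment; every op.*
    # URL should point at the same host and tenant as op.issuer, or token validation fails.
    issuer = urlparse(settings.get("op.issuer", ""))
    tenant = issuer.path.split("/")[1] if issuer.path.count("/") >= 1 else ""
    for key in OP_ENDPOINTS:
        if key in settings:
            ep = urlparse(settings[key])
            if ep.netloc != issuer.netloc or not ep.path.startswith(f"/{tenant}/"):
                findings.append(f"{key} does not belong to the op.issuer host/tenant")
    return findings


if __name__ == "__main__":
    for finding in check_realm(parse_realm(REALM_YAML)) or ["no findings"]:
        print(finding)
```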

Hi @Michael_Olorunnisola, thank you for the reply. The post has the tag already. I have implemented it using SAML instead of OIDC.
