OIDC with Azure not logged in on Kibana

esanolad · September 23, 2023, 9:46pm

Hi all

My company is configuring SSO using OIDC on AZURE, everything looks fine but whenever user tries to authenticate, it takes them back to the to the login page. I have checked the logs, there are no errors and there are no errors on the web interface as well.

I am suspecting role mapping issues, I have tried all the settings for role mapping but no result.

Below is my Config on elasticsearch.yml:

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "057b9390-a441-44f9-9275-44600dd52a77"
  rp.response_type: code
  rp.redirect_uri: "https://my-domain.com:5601/app/security/oidc/callback"
  op.issuer: "https://login.microsoftonline.com/9be35454-2258-4efc-85fb-3da619c8bdb3/v2.0"
  op.authorization_endpoint: "https://login.microsoftonline.com/9be35454-2258-4efc-85fb-3da619c8bdb3/oauth2/v2.0/authorize"
  op.token_endpoint: "https://login.microsoftonline.com/9be35454-2258-4efc-85fb-3da619c8bdb3/oauth2/v2.0/token"
  op.jwkset_path: "https://login.microsoftonline.com/9be35454-2258-4efc-85fb-3da619c8bdb3/discovery/v2.0/keys"
  op.endsession_endpoint: "https://login.microsoftonline.com/9be35454-2258-4efc-85fb-3da619c8bdb3/oauth2/v2.0/logout"
  rp.post_logout_redirect_uri: "https://my-domain.com:5601/security/logged_out"
  claims.principal: sub

and kibana.yml:

xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: "oidc1"
    description: "Log in with your account" 
  basic.basic1:
    order: 1

I also enable trace logging on cluster settings, but I have not seen any logs. Is there a way to check the logs for this error?

Michael_Olorunnisola · September 25, 2023, 6:11pm

@esanolad - Thanks for reaching out. Would it be possible for you to post this in the Elastic Stack channel with the tag elastic-stack-security ? I'll try and point this issue in the direction of the right team, but wanted to make sure it gets the right eyes on it. Thanks!

Larry_Gregory · September 26, 2023, 12:45pm

Hey @esanolad, welcome to the discussion boards!

Your rp.redirect_uri looks incorrect. It should read .../api/security/..., not .../app/security/...:

-  rp.redirect_uri: "https://my-domain.com:5601/app/security/oidc/callback"
+  rp.redirect_uri: "https://my-domain.com:5601/api/security/oidc/callback"

If changing this (& restarting Elasticsearch) doesn't fix your issues, then I suggest enabling debug logging for Kibana's security plugin so we can get more information about what's happening during the login flow:

# kibana.yml
logging:
  loggers:
    - name: plugins.security
      level: debug

esanolad · September 27, 2023, 6:40pm

hi @Michael_Olorunnisola, thank you for the reply. the post has the tag already. I have implemented it using saml instead of oidc.

system · October 25, 2023, 6:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana oidc (azure) role assignment not working (too many groups) Kibana elastic-stack-security	3	263	March 1, 2024
User needs to click 2 times for getting authenticated Azure OIDC Elasticsearch elastic-stack-security	1	155	June 28, 2023
Azure AD authentication to Kibana Elasticsearch elastic-stack-security	8	4207	June 30, 2020
OIDC role mapping not working Elasticsearch elastic-stack-security	3	276	February 19, 2024
ElasticSearch Error When Integrating with Azure AD for SSO Capabilities Elasticsearch elastic-stack-security	13	1626	April 18, 2019

OIDC with Azure not logged in on Kibana

Related Topics