OIDC with Azure not logged in on Kibana

esanolad · September 23, 2023, 9:46pm

Hi all

My company is configuring SSO using OIDC on AZURE, everything looks fine but whenever user tries to authenticate, it takes them back to the to the login page. I have checked the logs, there are no errors and there are no errors on the web interface as well.

I am suspecting role mapping issues, I have tried all the settings for role mapping but no result.

Below is my Config on elasticsearch.yml:

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "057b9390-a441-44f9-9275-44600dd52a77"
  rp.response_type: code
  rp.redirect_uri: "https://my-domain.com:5601/app/security/oidc/callback"
  op.issuer: "https://login.microsoftonline.com/9be35454-2258-4efc-85fb-3da619c8bdb3/v2.0"
  op.authorization_endpoint: "https://login.microsoftonline.com/9be35454-2258-4efc-85fb-3da619c8bdb3/oauth2/v2.0/authorize"
  op.token_endpoint: "https://login.microsoftonline.com/9be35454-2258-4efc-85fb-3da619c8bdb3/oauth2/v2.0/token"
  op.jwkset_path: "https://login.microsoftonline.com/9be35454-2258-4efc-85fb-3da619c8bdb3/discovery/v2.0/keys"
  op.endsession_endpoint: "https://login.microsoftonline.com/9be35454-2258-4efc-85fb-3da619c8bdb3/oauth2/v2.0/logout"
  rp.post_logout_redirect_uri: "https://my-domain.com:5601/security/logged_out"
  claims.principal: sub

and kibana.yml:

xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: "oidc1"
    description: "Log in with your account" 
  basic.basic1:
    order: 1

I also enable trace logging on cluster settings, but I have not seen any logs. Is there a way to check the logs for this error?

Michael_Olorunnisola · September 25, 2023, 6:11pm

@esanolad - Thanks for reaching out. Would it be possible for you to post this in the Elastic Stack channel with the tag elastic-stack-security ? I'll try and point this issue in the direction of the right team, but wanted to make sure it gets the right eyes on it. Thanks!

Larry_Gregory · September 26, 2023, 12:45pm

Hey @esanolad, welcome to the discussion boards!

Your rp.redirect_uri looks incorrect. It should read .../api/security/..., not .../app/security/...:

-  rp.redirect_uri: "https://my-domain.com:5601/app/security/oidc/callback"
+  rp.redirect_uri: "https://my-domain.com:5601/api/security/oidc/callback"

If changing this (& restarting Elasticsearch) doesn't fix your issues, then I suggest enabling debug logging for Kibana's security plugin so we can get more information about what's happening during the login flow:

# kibana.yml
logging:
  loggers:
    - name: plugins.security
      level: debug

esanolad · September 27, 2023, 6:40pm

hi @Michael_Olorunnisola, thank you for the reply. the post has the tag already. I have implemented it using saml instead of oidc.

system · October 25, 2023, 6:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Native azure integration with Azure AD SSO failures Kibana elastic-stack-security	4	425	September 20, 2022
Azure AD with groups in kibana and role mappings Kibana elastic-stack-security	2	326	October 4, 2022
Kibana oidc (azure) role assignment not working (too many groups) Kibana elastic-stack-security	3	269	March 1, 2024
OIDC with Elasticsearch Elasticsearch elastic-stack-security	3	2344	February 22, 2021
Azure OpenID Login doesn't work Elasticsearch elastic-stack-security	7	829	December 15, 2020

OIDC with Azure not logged in on Kibana

Related topics