Configure searchguard to work with SSO


Omer Twito

Aug 22, 2017, 9:43:27 AM
to Search Guard Community Forum
Hi,
I've installed Searchguard 5 with Kibana and Elasticsearch.
I'm able to authenticate with basic authentication (searchguard db).
Now I need to make it work with proxy authentication / SSO.
I installed Apache with a WAR that redirects the request to our global logon page. When the user tries to reach Kibana at the following address: http://myInternalDNSName:8080/kibana, the request is redirected to our global logon page.
After I enter my SSO credentials, the request is redirected back to Kibana, but then I get a pop-up prompting me to log in with basic authentication. If I do so, I am able to access Kibana.
It seems that the header returned to Kibana is the root cause.
Can someone help me to figure out how I need to configure it?
In addition, I ran the following curl test and the result shows an error:

curl -k -XGET 'https://127.0.0.1:9200/_searchguard/authinfo?pretty=true' -v -H "x-proxy-user: myUserName" -H "x-proxy-roles: sg_all_access" -H "x-forwarded-for: 127.0.0.1"

Result:
* About to connect() to 127.0.0.1 port 9200 (#0)
*   Trying 127.0.0.1... connected
* Connected to 127.0.0.1 (127.0.0.1) port 9200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*  subject: CN=localhost
*  start date: Aug 09 20:51:28 2017 GMT
*  expire date: Aug 09 20:51:28 2019 GMT
*  common name: localhost
*  issuer: CN=floragunn Gmbh Signing CA,OU=floragunn Gmbh Signing CA,O=floragunn Gmbh
> GET /_searchguard/authinfo?pretty=true HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: 127.0.0.1:9200
> Accept: */*
> x-proxy-user: ot865k
> x-proxy-roles: sg_all_access
> x-forwarded-for: 127.0.0.1
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 317
<
{
  "user" : "User [name=ot865k, roles=[sg_all_access]]",
  "user_name" : "ot865k",
  "user_requested_tenant" : null,
  "remote_address" : "127.0.0.1",
  "sg_roles" : [
    "sg_own_index",
    "sg_public"
  ],
  "sg_tenants" : {
    "ot865k" : true
  },
  "principal" : null,
  "peer_certificates" : "0"
}
* Connection #0 to host 127.0.0.1 left intact
* Closing connection #0





Thanks,
Omer.

SG

Aug 22, 2017, 4:17:14 PM
to search...@googlegroups.com

> On 22.08.2017 at 15:43, Omer Twito <twit...@gmail.com> wrote:
>
> Hi,
> I've installed Searchguard 5 with Kibana and Elasticsearch.
> I'm able to authenticate with basic authentication (searchguard db).
> Now I need to make it work with proxy authentication / SSO.
> I installed Apache with a WAR that redirects the request to our global logon page. When the user tries to reach Kibana at the following address: http://myInternalDNSName:8080/kibana, the request is redirected to our global logon page.
> After I enter my SSO credentials, the request is redirected back to Kibana, but then I get a pop-up prompting me to log in with basic authentication. If I do so, I am able to access Kibana.

Please post your sg_config.yml as well as your kibana.yml.

> It seems that the header returned to Kibana is the root cause.
> Can someone help me to figure out how I need to configure it?
> In addition, I ran the following curl test and the result shows an error:

"HTTP/1.1 200 OK" does not look like an error, so which error do you mean?