wazuh okta config issue


Todd

Apr 10, 2024, 1:15:25 PM
to Wazuh | Mailing List
Hi wazuh team,  we've recently set up wazuh with okta, all working great, only issue is within our okta "my apps" area where all of our app shortcuts are located, the link takes us to the link under step 5d which takes us to an unreachable page:

https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs

if we pull up the WAZUH_DASHBOARD_URL directly all is reachable and working as expected.  If we change this in okta it breaks the okta config.  Do you have any recommendations on how we can fix this, so it's reachable within okta myapps?
Thank you! 


Diego Gustavo Oliva

Apr 11, 2024, 8:45:08 AM
to Wazuh | Mailing List
Hello Todd,

Thanks for using Wazuh!
Let me replicate this in my lab, and will get back to you (hopefully) with a fix.


Thanks,
[Wazuh] Diego.-

Diego Gustavo Oliva

Apr 11, 2024, 3:21:10 PM
to Wazuh | Mailing List
Dear Todd,

Could you please verify your current configuration, and make sure you have followed all these steps?
https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/administrator/okta.html


Best regards,
[Wazuh] Diego.-

Diego Gustavo Oliva

Apr 11, 2024, 4:32:05 PM
to Wazuh | Mailing List
Todd,

From the documentation I have provided, I suspect you may be missing this part:

Other Requestable SSO URLs: click on Show Advanced Settings to access this option. Input https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs/idpinitiated and replace the <WAZUH_DASHBOARD_URL> field with the corresponding URL.

Please make sure you configure that section as well.


Regards,
[Wazuh] Diego.-

Todd

Apr 11, 2024, 6:09:08 PM
to Wazuh | Mailing List
Thanks, will confirm with the IT folks that manage OKTA.  

Just to be clear, the "my apps" okta shortcut links to our company DNS entry with the /_opendistro/_security/saml/acs :
https://wazuh.c0.company.net/_opendistro/_security/saml/acs
{"statusCode":400,"error":"Bad Request","message":"Invalid requestId"}

if we go directly to the DNS entry: https://wazuh.c0.company.net it comes up perfectly and auths correctly to OKTA.  
Will update once I hear back to confirm.

thank you

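The `Invalid requestId` response above is what an SP-initiated ACS returns when it is handed an unsolicited SAML Response: a "My Apps" tile starts no AuthnRequest, so the browser carries no stored request ID for the endpoint to match, which is why the documentation sends such tiles to the separate IdP-initiated endpoint. The Python model below is an added example, not code from this thread or from the Wazuh/OpenSearch security plugins; the dashboard URL, request IDs and sample responses are constructed, and only the request-id and Destination checks are modelled.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DASHBOARD = "https://wazuh.example.net"  # placeholder for <WAZUH_DASHBOARD_URL>
ACS_URLS = {
    "acs": f"{DASHBOARD}/_opendistro/_security/saml/acs",
    "idpinitiated": f"{DASHBOARD}/_opendistro/_security/saml/acs/idpinitiated",
}

def make_response(resp_id, destination, in_response_to=None):
    """Build a constructed, unsigned SAML Response envelope (sample input only)."""
    root = ET.Element(f"{{{SAMLP}}}Response", ID=resp_id, Version="2.0", Destination=destination)
    if in_response_to:
        root.set("InResponseTo", in_response_to)
    return ET.tostring(root)

# Constructed samples so the block runs offline:
# 1. "My Apps" tile pointing at /acs: unsolicited, so no InResponseTo (the thread's setup).
MYAPPS_TO_ACS = make_response("_r1", ACS_URLS["acs"])
# 2. Reply to an SP-initiated AuthnRequest whose ID the dashboard stored as "_req42".
SOLICITED = make_response("_r2", ACS_URLS["acs"], in_response_to="_req42")
# 3. "My Apps" tile pointing at the IdP-initiated endpoint, as the documentation requires.
MYAPPS_TO_IDPINIT = make_response("_r3", ACS_URLS["idpinitiated"])

def route_saml_response(endpoint, saml_response_xml, session_request_id=None):
    """Return (status, message) for a SAML Response posted to an ACS endpoint.
    endpoint: "acs" (SP-initiated flow) or "idpinitiated".
    session_request_id: AuthnRequest ID the dashboard stored in the browser's
    session cookie when it started the SP-initiated flow, or None.
    Signature/assertion validation is omitted: only request-id and Destination are checked."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return 400, "Not a SAML Response"
    if endpoint == "acs":
        # SP-initiated: the browser must carry the ID of the AuthnRequest it started,
        # and the response must answer exactly that request. A tile that lands here
        # unsolicited has neither, hence the 400 seen in the thread.
        if session_request_id is None:
            return 400, "Invalid requestId"
        if root.get("InResponseTo") != session_request_id:
            return 400, "InResponseTo does not match the stored AuthnRequest ID"
    elif endpoint != "idpinitiated":
        return 404, "unknown endpoint"
    # Both endpoints: the IdP must have addressed this exact URL, so a response
    # minted for one ACS cannot simply be re-posted to the other.
    if root.get("Destination") != ACS_URLS[endpoint]:
        return 400, "Destination does not match this ACS URL"
    return 302, "session established"
```

The practical consequence for the setup in this thread is that the Okta tile's target must be the `/acs/idpinitiated` URL while the SP-initiated `/acs` keeps rejecting unsolicited responses.
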
Todd

Apr 11, 2024, 7:32:38 PM
to Wazuh | Mailing List
IT has confirmed the setup looks OK following the doc; here are screenshots:
Single sign-on URL: https://wazuh.c0.ringdna.net/_opendistro/_security/saml/acs
Audience URI: wazuh-saml
Other Requestable SSO URLs: https://wazuh.c0.ringdna.net/_opendistro/_security/saml/acs/idpinitiated
Roles (Group):  .*

Diego Gustavo Oliva

Apr 16, 2024, 11:22:25 AM
to Wazuh | Mailing List
Hello Todd,

In this case could you please share your current /etc/wazuh-indexer/opensearch-security/config.yml file?
You are good to hide any critical information that you consider necessary.


Thanks,
[Wazuh] Diego.-