SAML Azure AD with Wazuh

[Jonathan G.]

Hello,

I'm trying to enable SSO on Wazuh using SAML and Azure AD.

I followed this documentation : https://github.com/wazuh/wazuh-documentation/issues/2981

But now, i have an error (Error 500) on https://<IP>/_opendistro/_security/saml/acs while i try to connect to Wazuh using my SSO.

Here my configuration (in /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/config.yml) :

saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        description: "SAML Azure AD Auth"
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: https://login.microsoftonline.com/......
              entity_id: https://sts.windows.net/........
            sp:
              entity_id: wazuh-saml
            kibana_url: http://<IP>:9200
            roles_key: Roles
            exchange_key: MyX509Certificate
        authentication_backend:
          type: noop

I also updated roles_mapping.yml and run securityadmin.sh for roles_mapping.yml and config.yml. It terminate with no error.

Can you help me pls ? ?

[Jonathan G.]

UPDATE:

I fixed kibana_url (i put the port -> https://<ip>:<port>)

Now i have this error : "no handler found for uri [/_opendistro/_security/saml/acs] and method [POST]"

[Franco Giovanolli]

Hi Jonathan,

Thanks for using Wazuh.

It may be related to the configuration made. Can you share the 500 error you are referring to?

Franco.

[Jonathan G.]

Hello Franco,

Thank you for your reply, I hope your doing welll. Here is a screenshot of the error :

[Franco Giovanolli]

Hi Jonathan,

Are you using version 4.3 of Wazuh? If so, please validate that the Kibana configuration is as follows:

opensearch_security.auth.type: "saml"
server.xsrf.whitelist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]

Please, let me know if this helps.

[Jose Pimentel]

i have this error

[Jose Pimentel]

{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}

[Jose Pimentel]

i do this:

[root@wazuh-server tools]# bash securityadmin.sh -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ -icl -nhnv -key /etc/etc/wazuh-indexer/certs/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem

Error:
which: no java in (/sbin:/bin:/usr/sbin:/usr/bin)
WARNING: JAVA_HOME not set, will use

[Jonathan G.]

Hi Franco, sorry for late reply

Yes i have Wazuh 4.3 (Last avaible on wazuh website)

i have this configuration in /etc/wazuh-dashboard/opensearch_dashboard.yml

i have already tryed to put this configuration in /etc/kibana/kibana.yml and restart the service, but it doesnt work

Thanks for your reply

[Jonathan G.]

Type: export JAVA_HOME=/usr/share/wazuh-indexer/jdk

But please, create your own post.

[Franco Giovanolli]

Thanks Jonathan for answering. Can you share with me the wazuh-indexer and wazuh-dashboard logs?

[Jonathan G.]

Sure, but can you tell me where i can find theses logs ? I see nothing about wazuh-indexer or wazuh-dashboard in /var/log

[Franco Giovanolli]

Of course, can you tell me what type of Wazuh deploy you have (OVA/Docker/K8s/etc..)?

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/caade02c-af29-44b7-b52b-bf7e31d3900en%40googlegroups.com.

--

Franco Giovanolli Cloud Team The Open Source Security Platform

[Jonathan G.]

Yes, Wazuh is installed on Ubuntu 22.04 LTS

[Jonathan G.]

Hey Franco, hope you fine !

I found somes log file in /var/ossec/logs/wazuh

Tell me wich logfile you want :P

Thanks

[Jonathan G.]

Hi,

I updated Wazuh to version 4.3.6-1 today and retry to config SAML SSO, now i have Error 500 =(

[Jonathan G.]

Hello,

I have redone the complete configuration with Wazuh in version 4.3.6-1. Now my dashboard give me this message "Wazuh dashboard server is not ready yet" (waiting for like 30 minutes, still not ready...).

I see this error when i use this command: systemctl status wazuh-dashboard:

opensearch-dashboards[74290]: {"type":"log","@timestamp":"2022-08-10T07:27:12Z","tags":["error","opensearch","data"],"pid":74290,"message":"[ResponseError]: Response Error"}

But, wazuh-dashboard is active.

Thanks for your help.

[Jonathan G.]

Up

[Chris Richmond]

Thanks Gilad - we will give this a try. Also have a thread started on the Wazuh Discord that has some discussion going, so hopefully we find a cause & fix.

-Chris

On Mon, Apr 24, 2023 at 3:46 AM 'Gilad Reich' via Wazuh mailing list <wa...@googlegroups.com> wrote:

@Chris Richmond pill...@gmail.com, maybe the workaround here may help bringing some insights in the meantime: https://forum.opensearch.org/t/google-workspace-aka-g-suite-enable-both-sp-and-idp-initiated-authentication-sso-with-opensearch/11651/3

You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/t-tGOx1YZB8/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/eade3744-f5be-405b-b137-53a11fa3199fn%40googlegroups.com.