SAML Azure AD with Wazuh


Jonathan G.

Jul 12, 2022, 10:13:09 AM
to Wazuh mailing list
Hello,

I'm trying to enable SSO on Wazuh using SAML and Azure AD.

But now, I have an error (Error 500) on https://<IP>/_opendistro/_security/saml/acs when I try to connect to Wazuh using my SSO.

Here is my configuration (in /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/config.yml):

saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        description: "SAML Azure AD Auth"
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: https://login.microsoftonline.com/......
              entity_id: https://sts.windows.net/........
            sp:
              entity_id: wazuh-saml
            kibana_url: http://<IP>:9200
            roles_key: Roles
            exchange_key: MyX509Certificate
        authentication_backend:
          type: noop

I also updated roles_mapping.yml and ran securityadmin.sh for roles_mapping.yml and config.yml. It terminated with no error.

Can you help me, please?

Jonathan G.

Jul 12, 2022, 11:24:15 AM
to Wazuh mailing list
UPDATE:

I fixed kibana_url (I put the port: https://<ip>:<port>)

Now I have this error: "no handler found for uri [/_opendistro/_security/saml/acs] and method [POST]"

Franco Giovanolli

Jul 12, 2022, 11:24:42 AM
to Wazuh mailing list
Hi Jonathan,
Thanks for using Wazuh.

It may be related to the configuration made. Can you share the 500 error you are referring to?

Franco.

Jonathan G.

Jul 13, 2022, 2:29:34 AM
to Wazuh mailing list
Hello Franco,

Thank you for your reply, I hope you're doing well. Here is a screenshot of the error:
[screenshot attached: capture.png]

Franco Giovanolli

Jul 14, 2022, 11:57:19 PM
to Wazuh mailing list
Hi Jonathan,

Are you using version 4.3 of Wazuh? If so, please validate that the Kibana configuration is as follows:

opensearch_security.auth.type: "saml"
server.xsrf.whitelist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]

Please, let me know if this helps.
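As an added check that illustrates the two opensearch_dashboards.yml settings Franco asks about, together with the config.yml block posted at the top of the thread (this is my example code, not code from the thread or from Wazuh): it parses the small YAML subset those two files use with its own parser, so it runs without PyYAML, then reports the mismatches that produce exactly these symptoms. A kibana_url that is not the dashboard's own https URL (the IdP POSTs the SAML response to that URL, and port 9200 is the indexer's REST API, not the dashboard that serves the ACS endpoint), the ACS and logout paths missing from server.xsrf.whitelist, and an exchange_key too short to be a real HMAC secret. The sample documents are constructed from the thread; the 32-character minimum for exchange_key follows the OpenSearch security plugin documentation, and the port 443 and the replacement key value in the fixed sample are placeholders of mine.

```python
"""Check the SAML settings from this thread for the usual causes of a 500 or
"no handler found for uri [/_opendistro/_security/saml/acs]". Added example,
not Wazuh project code: a tiny parser for the YAML subset these files use
(no PyYAML), then checks on kibana_url, exchange_key and the XSRF whitelist."""
import re

ACS_PATHS = {"/_opendistro/_security/saml/acs", "/_plugins/_security/saml/acs"}
LOGOUT_PATHS = {"/_opendistro/_security/saml/logout", "/_plugins/_security/saml/logout"}
INDEXER_REST_PORT = 9200   # wazuh-indexer REST API; the IdP must never POST the SAML response here
MIN_EXCHANGE_KEY_LEN = 32  # HMAC secret for the plugin's session JWT (OpenSearch security docs)
URL_RE = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?:/.*)?$")

def _scalar(value):
    """YAML scalar or flow list (["a", "b"]) -> Python value."""
    if value.startswith("[") and value.endswith("]"):
        return [_scalar(v.strip()) for v in value[1:-1].split(",") if v.strip()]
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return {"true": True, "false": False}.get(value, value)

def parse_simple_yaml(text):
    """Indentation-nested 'key: value' lines -> nested dicts (no block lists or anchors)."""
    root = {}
    stack = [(-1, root)]                       # (indent, mapping) of the open nested maps
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:          # a dedent closes the deeper maps
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key.strip()] = _scalar(value.strip())
        else:                                  # a nested map follows on the next lines
            parent[key.strip()] = {}
            stack.append((indent, parent[key.strip()]))
    return root

def check_saml_config(security_yaml, dashboards_yaml):
    """Return a list of findings; [] means nothing obviously wrong."""
    findings = []
    sec = parse_simple_yaml(security_yaml)
    authc = sec.get("config", {}).get("dynamic", {}).get("authc", sec)   # full file or bare block
    auth = authc.get("saml_auth_domain", {}).get("http_authenticator", {})
    cfg = auth.get("config", {})
    for path in ("idp.metadata_url", "idp.entity_id", "sp.entity_id"):
        section, field = path.split(".")
        if not cfg.get(section, {}).get(field):
            findings.append(f"{path} is missing")
    m = URL_RE.match(str(cfg.get("kibana_url", "")))
    if not m:
        findings.append("kibana_url is not an absolute http(s) URL")
    else:
        if m.group("scheme") != "https":
            findings.append("kibana_url must be https; the IdP posts the SAML response to it")
        if m.group("port") and int(m.group("port")) == INDEXER_REST_PORT:
            findings.append("kibana_url uses the indexer REST port 9200; it must be the dashboard URL")
    if len(str(cfg.get("exchange_key", ""))) < MIN_EXCHANGE_KEY_LEN:
        findings.append(f"exchange_key signs the session token; use a random secret of at least {MIN_EXCHANGE_KEY_LEN} characters")
    dash = parse_simple_yaml(dashboards_yaml)
    if dash.get("opensearch_security.auth.type") != "saml":
        findings.append('opensearch_security.auth.type must be "saml" in opensearch_dashboards.yml')
    allowed = set(dash.get("server.xsrf.whitelist") or dash.get("server.xsrf.allowlist") or [])
    if not allowed & ACS_PATHS:
        findings.append("server.xsrf.whitelist lacks the SAML ACS path; the IdP's POST carries no osd-xsrf header")
    if not allowed & LOGOUT_PATHS:
        findings.append("server.xsrf.whitelist lacks the SAML logout path")
    return findings

# Constructed from the config.yml block posted at the top of the thread
# (placeholders like <IP> and "......" kept as posted; unrelated keys trimmed).
POSTED_SECURITY_CONFIG = """\
saml_auth_domain:
  http_authenticator:
    type: saml
    config:
      idp:
        metadata_url: https://login.microsoftonline.com/......
        entity_id: https://sts.windows.net/........
      sp:
        entity_id: wazuh-saml
      kibana_url: http://<IP>:9200
      roles_key: Roles
      exchange_key: MyX509Certificate
"""
# Same block with the two fixes applied; port 443 and the key value are placeholders of mine.
FIXED_SECURITY_CONFIG = (POSTED_SECURITY_CONFIG
                         .replace("http://<IP>:9200", "https://<IP>:443")
                         .replace("MyX509Certificate", "REPLACE-WITH-32-PLUS-RANDOM-CHARS-xxxxxxxxxx"))
# Constructed: the opensearch_dashboards.yml keys Franco lists above, and a file without them.
DASHBOARD_CONFIG_OK = """\
opensearch_security.auth.type: "saml"
server.xsrf.whitelist: ["/_plugins/_security/saml/acs", "/_plugins/_security/saml/logout", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
"""
DASHBOARD_CONFIG_MISSING = 'opensearch_security.auth.type: "basicauth"\n'

if __name__ == "__main__":
    for finding in check_saml_config(POSTED_SECURITY_CONFIG, DASHBOARD_CONFIG_MISSING):
        print("-", finding)
```

Run it against your own files with open(...).read() in place of the constructed strings; the parser understands only the flat and nested key: value layout these two files use, so anything fancier (block lists, anchors) belongs to a real YAML library.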

Jose Pimentel

Jul 15, 2022, 10:18:23 AM
to Wazuh mailing list
I have this error

Jose Pimentel

Jul 15, 2022, 10:18:57 AM
to Wazuh mailing list
{"statusCode":500,"error":"Internal Server Error","message":"Internal Error"}

Jose Pimentel

Jul 15, 2022, 12:20:17 PM
to Wazuh mailing list
I do this:
[root@wazuh-server tools]# bash securityadmin.sh -cd /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/ -icl -nhnv -key /etc/etc/wazuh-indexer/certs/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem
Error:
which: no java in (/sbin:/bin:/usr/sbin:/usr/bin)
WARNING: JAVA_HOME not set, will use

Jonathan G.

Jul 18, 2022, 3:47:52 AM
to Wazuh mailing list
Hi Franco, sorry for the late reply

Yes, I have Wazuh 4.3 (the latest available on the Wazuh website)

I have this configuration in /etc/wazuh-dashboard/opensearch_dashboard.yml
I have already tried to put this configuration in /etc/kibana/kibana.yml and restart the service, but it doesn't work

Thanks for your reply

Jonathan G.

Jul 18, 2022, 3:56:33 AM
to Wazuh mailing list
Type: export JAVA_HOME=/usr/share/wazuh-indexer/jdk

But please, create your own post.

Franco Giovanolli

Jul 18, 2022, 5:47:57 AM
to Wazuh mailing list
Thanks Jonathan for answering. Can you share with me the wazuh-indexer and wazuh-dashboard logs?

Jonathan G.

Jul 18, 2022, 6:21:57 AM
to Wazuh mailing list
Sure, but can you tell me where I can find these logs? I see nothing about wazuh-indexer or wazuh-dashboard in /var/log

Franco Giovanolli

Jul 18, 2022, 6:42:04 AM
to Jonathan G., Wazuh mailing list
Of course, can you tell me what type of Wazuh deploy you have (OVA/Docker/K8s/etc..)?

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/caade02c-af29-44b7-b52b-bf7e31d3900en%40googlegroups.com.


--
Franco Giovanolli
Cloud Team
Wazuh - The Open Source Security Platform

Jonathan G.

Jul 18, 2022, 7:38:23 AM
to Wazuh mailing list
Yes, Wazuh is installed on Ubuntu 22.04 LTS

Jonathan G.

Jul 25, 2022, 10:28:38 AM
to Wazuh mailing list
Hey Franco, hope you're fine!

I found some log files in /var/ossec/logs/wazuh
Tell me which log file you want :P

Thanks

Jonathan G.

Jul 28, 2022, 3:14:48 AM
to Wazuh mailing list
Hi,

I updated Wazuh to version 4.3.6-1 today and retried configuring SAML SSO; now I have Error 500 =(

Jonathan G.

Aug 10, 2022, 3:49:12 AM
to Wazuh mailing list
Hello,

I have redone the complete configuration with Wazuh in version 4.3.6-1. Now my dashboard gives me this message: "Wazuh dashboard server is not ready yet" (I waited for about 30 minutes, still not ready...).
I see this error when I use this command: systemctl status wazuh-dashboard:

opensearch-dashboards[74290]: {"type":"log","@timestamp":"2022-08-10T07:27:12Z","tags":["error","opensearch","data"],"pid":74290,"message":"[ResponseError]: Response Error"}

But wazuh-dashboard is active.

Thanks for your help.

Jonathan G.

Aug 24, 2022, 4:09:17 AM
to Wazuh mailing list
Up

Chris Richmond

Apr 25, 2023, 3:44:07 PM
to Gilad Reich, Wazuh mailing list
Thanks Gilad - we will give this a try. Also have a thread started on the Wazuh Discord that has some discussion going, so hopefully we find a cause & fix.
-Chris

On Mon, Apr 24, 2023 at 3:46 AM 'Gilad Reich' via Wazuh mailing list <wa...@googlegroups.com> wrote:
> @Chris Richmond pill...@gmail.com, maybe the workaround here may help bring some insights in the meantime: https://forum.opensearch.org/t/google-workspace-aka-g-suite-enable-both-sp-and-idp-initiated-authentication-sso-with-opensearch/11651/3