
Dashboard OpenID support #317

Open victorrodriguez1984 opened 1 year ago

victorrodriguez1984 commented 1 year ago

Version: tested on 4.3.9 and 4.3.10

Issue: an OpenID configuration based on the OpenSearch documentation does not work https://opensearch.org/docs/latest/security-plugin/configuration/openid-connect/ https://www.linkedin.com/pulse/integrate-opensearch-azure-active-directory-dimitris-p-/

"Too many redirects": Wazuh redirects to the OIDC provider, but the flow loops back and starts over again.

I tested with a LoadBalancer, internally with a proxy and without a proxy... here are the dashboard logs:

{"type":"log","@timestamp":"2023-01-05T10:06:44Z","tags":["error","plugins","securityDashboards"],"pid":40,"message":"OpenId authentication failed: Error: Authentication Exception"}

{"type":"response","@timestamp":"2023-01-05T10:06:44Z","tags":[],"pid":40,"method":"get","statusCode":302,"req":{"url":"/auth/openid/login?state=u_tFN50YBxPo9GgY7N_y-m&session_state=b757e8ff-044f-486f-a640-0f076863322f&code=8378672d-be68-4dbb-a667-f2f8c0c4d712.b757e8ff-044f-486f-a640-0f076863322f.198fe1f9-9024-4abd-acc0-c347679e97a2","method":"get","headers":{"host":"wazuh.domain","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip","accept-language":"en-US,en;q=0.9","cache-control":"max-age=0","cdn-loop":"cloudflare","cf-connecting-ip":"149.36.196.128","cf-ipcountry":"ES","cf-ray":"784b67284e653670-MAD","cf-visitor":"{\"scheme\":\"https\"}","sec-ch-ua":"\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-site","upgrade-insecure-requests":"1","x-forwarded-for":"10.144.219.179","x-forwarded-host":"wazuh.domain","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-server":"x-traefik-ext-645d77dd4c-zl57n","x-real-ip":"10.144.219.179"},"remoteAddress":"172.30.234.146","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"},"res":{"statusCode":302,"responseTime":68,"contentLength":9},"message":"GET /auth/openid/login?state=u_tFN50YBxPo9GgY7N_y-m&session_state=b757e8ff-044f-486f-a640-0f076863322f&code=8378672d-be68-4dbb-a667-f2f8c0c4d712.b757e8ff-044f-486f-a640-0f076863322f.198fe1f9-9024-4abd-acc0-c347679e97a2 302 68ms - 9.0B"}

{"type":"response","@timestamp":"2023-01-05T10:06:44Z","tags":[],"pid":40,"method":"get","statusCode":302,"req":{"url":"/auth/openid/login","method":"get","headers":{"host":"wazuh.domain","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip","accept-language":"en-US,en;q=0.9","cache-control":"max-age=0","cdn-loop":"cloudflare","cf-connecting-ip":"149.36.196.128","cf-ipcountry":"ES","cf-ray":"784b67294ffc3670-MAD","cf-visitor":"{\"scheme\":\"https\"}","sec-ch-ua":"\"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"108\", \"Google Chrome\";v=\"108\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"Windows\"","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"same-site","upgrade-insecure-requests":"1","x-forwarded-for":"10.144.219.179","x-forwarded-host":"wazuh.domain","x-forwarded-port":"443","x-forwarded-proto":"https","x-forwarded-server":"traefik-ext-645d77dd4c-zl57n","x-real-ip":"10.144.219.179"},"remoteAddress":"172.30.234.146","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"},"res":{"statusCode":302,"responseTime":5,"contentLength":9},"message":"GET /auth/openid/login 302 5ms - 9.0B"}

Configuration:

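# opensearch_dashboards.yml as posted for 4.3.9 / 4.3.10, with the TLS
# verification gap closed (see the verificationMode note below).
server.host: 0.0.0.0
server.port: 5601

# Dashboard -> indexer connection.
opensearch.hosts: https://indexer:9200
# A CA bundle is configured right below, so the indexer certificate can
# actually be checked; `none` would accept any certificate on this hop.
opensearch.ssl.verificationMode: certificate
opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/config/certs/root-ca.pem"]
opensearch.requestHeadersWhitelist: ["authorization", "securitytenant"]
# Service account the dashboard itself uses against the indexer (not the SSO user).
opensearch.username: "kibanaserver"
opensearch.password: "kibanaserver"

opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]

# Browser -> dashboard TLS.
server.ssl.enabled: true
server.ssl.key: "/usr/share/wazuh-dashboard/config/certs/key.pem"
server.ssl.certificate: "/usr/share/wazuh-dashboard/config/certs/cert.pem"
# The dashboard is served over HTTPS (and, per the logs above, sits behind an
# HTTPS proxy), so the session cookie should only ever travel over TLS.
opensearch_security.cookie.secure: true

uiSettings.overrides.defaultRoute: /app/wazuh

# OpenID Connect (Keycloak). client_secret is a credential: keep it out of a
# plain ConfigMap (mount it from a Secret) and rotate it if it was ever shared.
opensearch_security.auth.type: "openid"
opensearch_security.openid.connect_url: "https://keycloakurl/auth/realms/realm/.well-known/openid-configuration"
opensearch_security.openid.client_id: "client-siem"
opensearch_security.openid.client_secret: "clientpasword"
opensearch_security.openid.base_redirect_url: "https://siemurl"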

Mounting config.yaml as a ConfigMap does not override the order values; they stay stuck on the Wazuh-managed settings.

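---
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-index
  namespace: wazuh
data:
  # OpenSearch security-plugin config.yml for the Wazuh indexer.
  # NOTE(review): the original paste stopped at a bare `authentication_backend:`
  # under the OpenID domain, which parses as null and is not a usable backend;
  # `noop` is what both configs reported as working in this thread use there.
  config.yml: |-
    _meta:
      type: "config"
      config_version: 2

    config:
      dynamic:
        # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
        # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
        # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
        #filtered_alias_mode: warn
        #do_not_fail_on_forbidden: false
        #kibana:
        # Kibana multitenancy
        #multitenancy_enabled: true
        #server_username: kibanaserver
        #index: '.kibana'
        http:
          anonymous_auth_enabled: false
          xff:
            # Disabled: the indexer records the proxy address rather than the
            # client's. If enabled, keep internalProxies as narrow as possible;
            # '.*' lets any peer set the client IP.
            enabled: false
            internalProxies: '192\.168\.0\.10|192\.168\.0\.11'  # regex pattern
            #internalProxies: '.*' # trust all internal proxies, regex pattern
            #remoteIpHeader:  'x-forwarded-for'
            ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
            ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
            ###### and here https://tools.ietf.org/html/rfc7239
            ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
        authc:
          kerberos_auth_domain:
            http_enabled: false
            transport_enabled: false
            order: 6
            http_authenticator:
              type: kerberos
              challenge: true
              config:
                # If true a lot of kerberos/security related debugging output will be logged to standard out
                krb_debug: false
                # If true then the realm will be stripped from the user name
                strip_realm_from_principal: true
            authentication_backend:
              type: noop
          basic_internal_auth_domain:
            description: "Authenticate via HTTP Basic against internal users database"
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: internal
          openid_auth_domain:
            description: "Authenticate keycloak openid"
            http_enabled: true
            transport_enabled: true
            # NOTE(review): the two configs reported as working in this thread
            # put the basic domain before the OpenID one; the poster also
            # reports that mounted order values were not taking effect, so
            # confirm the applied order on the indexer before tuning it.
            order: 0
            http_authenticator:
              type: openid
              # false: an unauthenticated request falls through to the other
              # domains instead of being challenged here (both working configs
              # in this thread use false for the OpenID domain).
              challenge: false
              config:
                subject_key: preferred_username
                # NOTE(review): roles_key names the token claim that carries the
                # roles; 'kibana_server' looks like a role/user name rather than
                # a claim — confirm against a decoded Keycloak token.
                roles_key: kibana_server
                openid_connect_url: "https://keycloakurl/auth/realms/ibm/.well-known/openid-configuration"
            authentication_backend:
              type: noop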

Tested: following the OpenSearch docs for OpenID support, overwriting config.yaml does not override the orders. I also reviewed the Wazuh Slack channels for related topics.

andraspavelbaystream commented 1 year ago

Hello,

Does anybody have any news on this?

Thanks, Andras

rucciva commented 1 year ago

Hi @andraspavelbaystream, I got mine working with this:

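      # NOTE(review): this paste starts below the `_meta:` key (and, judging by
      # the indent, inside a ConfigMap's `config.yml: |-` block scalar); the
      # `_meta:` line itself is not shown.
      type: "config"
      config_version: 2

    config:
      dynamic:
        http:
          anonymous_auth_enabled: false
          xff:
            enabled: false
            # A bounded repetition is written `{1,3}`; `{1-3}` is not a valid
            # quantifier and fails to compile as a Java regex once xff is enabled.
            internalProxies: '10\.\d{1,3}\.\d{1,3}\.\d{1,3}'  # regex pattern
        authc:
          # Basic auth first; the OpenID domain follows with challenge: false.
          basic_internal_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 0
            http_authenticator:
              type: basic
              challenge: false
            authentication_backend:
              type: internal
          openid_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: openid
              challenge: false
              config:
                subject_key: preferred_username
                roles_key: roles
                # Placeholder: the IdP discovery-document URL was redacted.
                openid_connect_url: "<redacted>"
            authentication_backend:
              type: noop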
landon-lengyel commented 1 week ago

This might be more of a documentation issue than a Wazuh issue... I was able to get mine working with the following, using Entra ID as my IdP. The config below gets the Wazuh dashboard fully supporting both basic auth and OpenID Connect.

config.yml

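# config.yml — OpenSearch security-plugin authc config with Entra ID as the IdP.
# Values in {braces} are placeholders to fill from the Azure portal. They are
# quoted (or turned into comments) here because a bare `{` makes YAML start a
# flow mapping and the file fails to parse.
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: false
    authc:
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          # false: unauthenticated requests fall through to the basic domain.
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: "{App Registrations > Overview > Endpoints > OpenID Connect metadata document}"
            # TLS to the IdP: keep hostname verification on and pin the IdP's
            # CA, either by file path or inline.
            openid_connect_idp:
              enable_ssl: true
              verify_hostnames: true
              #pemtrustedcas_filepath: /etc/opensearch/opensearch-security/DigiCertGlobalRootCA.crt.pem
              # Every line of the PEM must share the same indent; a shallower
              # line ends the block scalar early and breaks the parse.
              pemtrustedcas_content: |-
                -----BEGIN CERTIFICATE-----
                {Certificate}
                -----END CERTIFICATE-----
        authentication_backend:
          type: noop
      # {Other methods}: any further auth domains go here, with an order
      # between the OpenID domain (1) and the basic domain (3).
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 3
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal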

opensearch_dashboards.yml

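# opensearch_dashboards.yml — Wazuh dashboard with Entra ID SSO plus basic auth.
server.host: 0.0.0.0
opensearch.hosts: https://127.0.0.1:9200
server.port: 443
# NOTE(review): the dashboard's own indexer credentials are commented out
# here; presumably they are supplied another way — confirm before copying.
# opensearch.username: kibanaserver
# opensearch.password: kibanaserver
uiSettings.overrides.defaultRoute: /app/wz-home

# Security settings
opensearch_security.cookie.secure: true
opensearch.requestHeadersAllowlist: ["securitytenant", "Authorization"]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]

# TLS communication from Dashboards to cluster
opensearch.ssl.verificationMode: certificate
opensearch.ssl.certificateAuthorities: ["/etc/wazuh-dashboard/certs/root-ca.pem"]

# TLS communication from clients to Dashboards
server.ssl.enabled: true
server.ssl.key: "/etc/wazuh-dashboard/certs/wazuh.key"
server.ssl.certificate: "/etc/wazuh-dashboard/certs/wazuh.crt"
server.ssl.certificateAuthorities: "/etc/wazuh-dashboard/certs/combined-ca.pem"

## OpenID Authentication (SSO)
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["openid", "basicauth"]
opensearch_security.openid.base_redirect_url: "{Wazuh URL}"
opensearch_security.openid.connect_url: "{App Registrations > Overview > Endpoints > OpenID Connect metadata document}"
opensearch_security.openid.client_id: "{App Registrations > Overview > Application (client) ID}"
# Credential: keep it out of version control (keystore, env var or Secret).
opensearch_security.openid.client_secret: "{App Registrations > Certificates & secrets > Value}"
# The posted path read "certsDigiCert..." with no "/" after "certs"; corrected
# to the certs directory used by the other entries above — confirm on disk.
opensearch_security.openid.root_ca: "/etc/wazuh-dashboard/certs/DigiCertGlobalRootCA.crt.pem"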