victorrodriguez1984
commented
1 year ago Same Issue, keeping run_as : false user works but rbac have limitations
Open christophermichaelshaw opened 1 year ago
victorrodriguez1984
commented
1 year ago Same Issue, keeping run_as : false user works but rbac have limitations
maikroservice
commented
9 months ago @christophermichaelshaw did you by any chance figure this out?
christophermichaelshaw
commented
9 months ago I did, actually! It's been awhile but here's my configuration modifications, based upon reverse engineering Wazuh's documentation for implementing Okta SAML SSO -- be sure to back up any changed Wazuh config file so you can easily restore local login for troubleshooting (you will likely need it).
In Authentik: 1) Go to Admin interface > Customization > Property Mappings > Create SAML Property Mapping:
2) Go to Role > Group > Create
3) Go to Applications > Providers > Create SAML provider
4) Go to Applications > Create Application
5) Click on System > Certificates
In Wazuh:
Wazuh Indexer Configuration:
1) Edit /etc/wazuh-indexer/opensearch-security/config.yml - Reference settings below and/or follow this guide for STEP 1 ONLY; DON'T DO STEP 2 YET: https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/administrator/okta.html#wazuh-indexer-configuration
krb_debug: false
# If true then the realm will be stripped from the user name
strip_realm_from_principal: true
authentication_backend:
type: noopsaml_auth_domain: http_enabled: true transport_enabled: false order: 1 http_authenticator: type: saml challenge: true config: idp: metadata_url: "https://[AUTHENTIK URL]/api/v3/providers/saml/12/metadata/?download" entity_id: "authentik" sp: entity_id: wazuh-saml kibana_url: https://[WAZUH URL] roles_key: Roles exchange_key: `[PASTE SIGNING CERTIFICATE HERE]' authentication_backend: type: noop'
2) Go to Wazuh menu > Security > Roles Mapping
In Wazuh CLI: /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
/etc/wazuh-indexer/opensearch-security/roles_mapping.yml
/etc/wazuh-dashboard/opensearch_dashboards.yml
3) Ensuring you have backups or documentation of changes you made run the following scripts:
export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h localhost -nhnv
and
'systemctl restart wazuh-dashboard'
Then sign into Authentik User Interface with your account, and click on your Wazah application.
Pay attention to any error messages, and it definitely helps to use a browser in Private mode/clear your browser cache. Most troubleshooting will be done via roles mapping in the webUI and/or /etc/wazuh-indexer/opensearch-security/roles_mapping.yml.
Hope this helps! Let me know if this works for you. If it does, and there are no security issues pointed out, I'll do a bit more clean-up, add screenshots then open PR's on GH for Wazuh and Authentik documentation additions.
rileyjnevins
commented
8 months ago I did, actually! It's been awhile but here's my configuration modifications, based upon reverse engineering Wazuh's documentation for implementing Okta SAML SSO -- be sure to back up any changed Wazuh config file so you can easily restore local login for troubleshooting (you will likely need it).
In Authentik:
- Go to Admin interface > Customization > Property Mappings > Create SAML Property Mapping:
- Name: custom-wazuh-rolekey
- SAML attribute name: Role
- Expression: return ak_is_group_member(request.user, name="wazuh-admins")
- Save
- Go to Role > Group > Create
- Name: wazuh-admins
- Save
- Click on wazuh-admins group name > Users tab
- Add existing users
- Go to Applications > Providers > Create SAML provider
- Type: SAML Provider
- Name: Wazuh
- Authentication flow: default-authentication-flow
- Authorization flow: default-provider-authorization-implicit-consent
- ACS URL: https://[wazuh URL]/_opendistro/_security/saml/acs
- Issuer: authentik
- Service Provider Binding: Post
- Audience: wazuh-saml
- Click Advanced protocol settings:
- Select a Signing certificate
- No Verification certificate
- Property mappings: custom-wazuh-rolekey
- NameID Property Mapping: authentik default SAML Mapping: Username (Note: This assumes you want to map according to your Authentik username; can be set to use email, but I'd stick with username).
- Assertion valid not before: minutes=-5
- Assertion valid not on or after: minutes=5
- Session valid not on or after= minutes=86400
- Dafault relay state: (blank)
- Digest algorithm: SHA256
- Signature algorithm: RSA-SHA256
- Save
- Go to Applications > Create Application
- Name: Wazuh
- Slug: wazuh
- Provider: Wazuh
- Customize icon, etc.
- Save.
- Click on System > Certificates
- Find the Signing certificate selected when you set up Wazuh provider > Download private key
- Open file with a plain-text text editor (notepad/textedit/etc) > delete the '-----BEGIN RSA PRIVATE KEY-----' header and '-----END RSA PRIVATE KEY-----' footer. Make sure there are no returns or spaces or white space
In Wazuh:
Wazuh Indexer Configuration:
- Edit /etc/wazuh-indexer/opensearch-security/config.yml - Reference settings below and/or follow this guide for STEP 1 ONLY; DON'T DO STEP 2 YET: https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/administrator/okta.html#wazuh-indexer-configuration
- Set the order in basic_internal_auth_domain to 0 and the challenge flag to false
- Go to your text editor that has
- Add the following block:
authc: kerberos_auth_domain: http_enabled: false transport_enabled: false order: 6 http_authenticator: type: kerberos challenge: true config: # If true a lot of kerberos/security related debugging output will be logged to standard out krb_debug: false # If true then the realm will be stripped from the user name strip_realm_from_principal: true authentication_backend: type: noop saml_auth_domain: http_enabled: true transport_enabled: false order: 1 http_authenticator: type: saml challenge: true config: idp: metadata_url: "https://[AUTHENTIK URL]/api/v3/providers/saml/12/metadata/?download" entity_id: "authentik" sp: entity_id: wazuh-saml kibana_url: https://[WAZUH URL] roles_key: Roles exchange_key:[PASTE SIGNING CERTIFICATE HERE]' authentication_backend: type: noop'
- Go to Wazuh menu > Security > Roles Mapping
- Create Role Mapping
- Name: sso-admin
- Roles: Administrator
- Custom Rules:
- User field: backend, FIND, wazuh-admins Optional, but recommended:
- User field: user_name, FIND, [your Authentik username]
- Save role mapping. (Note: This may only be required if run_as is enabled in /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml but better to be safe!)
In Wazuh CLI: /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
- Confirm run_as is set to false
- Confirm URL is set to your Wazuh URL via DNS or IP: https://10.0.0.100
/etc/wazuh-indexer/opensearch-security/roles_mapping.yml
Add "wazuh-admins" under backend roles: to the all access: role - `all_access: reserved: false hidden: false backend_roles:
- "admin"
- "wazuh-admins"`
- Save. (Note: I also manually specified my user account name under users, just to be sure I wouldn't lose access).
/etc/wazuh-dashboard/opensearch_dashboards.yml
- Add the following: 'opensearch_security.auth.type: "saml" server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"] opensearch_security.session.keepalive: false'
- Ensuring you have backups or documentation of changes you made run the following scripts:
export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h localhost -nhnvand 'systemctl restart wazuh-dashboard'Then sign into Authentik User Interface with your account, and click on your Wazah application.
Pay attention to any error messages, and it definitely helps to use a browser in Private mode/clear your browser cache. Most troubleshooting will be done via roles mapping in the webUI and/or /etc/wazuh-indexer/opensearch-security/roles_mapping.yml.
Hope this helps! Let me know if this works for you. If it does, and there are no security issues pointed out, I'll do a bit more clean-up, add screenshots then open PR's on GH for Wazuh and Authentik documentation additions.
I did follow your guide here and am somehow getting an invalid requestID error. Any idea what this is in reference to (given the guide)?
christophermichaelshaw
commented
8 months ago Does Authentik indicate authentication was successful? I’m guessing it does, and there’s an issue with the account or group mapping.
If so, I’d verify your SAML provider settings match Wazuh’s config files, and restart Wazuh-dashboard service. If it errors again, mind posting Wazuh logs from /var/log/wazuh/ ?
I’m out participating in some traditional post-thanksgiving consumerism but can assist in troubleshooting further if needed a bit later.
On Sun, Nov 26, 2023 at 16:46 Riley Nevins @.***> wrote:
I did, actually! It's been awhile but here's my configuration modifications, based upon reverse engineering Wazuh's documentation for implementing Okta SAML SSO -- be sure to back up any changed Wazuh config file so you can easily restore local login for troubleshooting (you will likely need it).
In Authentik:
Go to Admin interface > Customization > Property Mappings > Create SAML Property Mapping:
- Name: custom-wazuh-rolekey
- SAML attribute name: Role
- Expression: return ak_is_group_member(request.user, name="wazuh-admins")
- Save
Go to Role > Group > Create
- Name: wazuh-admins
- Save
- Click on wazuh-admins group name > Users tab
- Add existing users
Go to Applications > Providers > Create SAML provider
- Type: SAML Provider
- Name: Wazuh
- Authentication flow: default-authentication-flow
- Authorization flow: default-provider-authorization-implicit-consent
- ACS URL: https://[wazuh URL]/_opendistro/_security/saml/acs
- Issuer: authentik
- Service Provider Binding: Post
- Audience: wazuh-saml
- Click Advanced protocol settings:
- Select a Signing certificate
- No Verification certificate
- Property mappings: custom-wazuh-rolekey
- NameID Property Mapping: authentik default SAML Mapping: Username (Note: This assumes you want to map according to your Authentik username; can be set to use email, but I'd stick with username).
- Assertion valid not before: minutes=-5
- Assertion valid not on or after: minutes=5
- Session valid not on or after= minutes=86400
- Dafault relay state: (blank)
- Digest algorithm: SHA256
- Signature algorithm: RSA-SHA256
- Save
Go to Applications > Create Application
- Name: Wazuh
- Slug: wazuh
- Provider: Wazuh
- Customize icon, etc.
- Save.
Click on System > Certificates
- Find the Signing certificate selected when you set up Wazuh provider
Download private key
- Open file with a plain-text text editor (notepad/textedit/etc) > delete the '-----BEGIN RSA PRIVATE KEY-----' header and '-----END RSA PRIVATE KEY-----' footer. Make sure there are no returns or spaces or white space
In Wazuh:
Wazuh Indexer Configuration:
Edit /etc/wazuh-indexer/opensearch-security/config.yml - Reference settings below and/or follow this guide for STEP 1 ONLY; DON'T DO STEP 2 YET: https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/administrator/okta.html#wazuh-indexer-configuration
- Set the order in basic_internal_auth_domain to 0 and the challenge flag to false
- Go to your text editor that has
- Add the following block: authc: kerberos_auth_domain: http_enabled: false transport_enabled: false order: 6 http_authenticator: type: kerberos challenge: true config: # If true a lot of kerberos/security related debugging output will be logged to standard out krb_debug: false # If true then the realm will be stripped from the user name strip_realm_from_principal: true authentication_backend: type: noop saml_auth_domain: http_enabled: true transport_enabled: false order: 1 http_authenticator: type: saml challenge: true config: idp: metadata_url: "https://[AUTHENTIK URL]/api/v3/providers/saml/12/metadata/?download" entity_id: "authentik" sp: entity_id: wazuh-saml kibana_url: https://[WAZUH URL] roles_key: Roles exchange_key:[PASTE SIGNING CERTIFICATE HERE]' authentication_backend: type: noop'
Go to Wazuh menu > Security > Roles Mapping
- Create Role Mapping
- Name: sso-admin
- Roles: Administrator
- Custom Rules:
- User field: backend, FIND, wazuh-admins Optional, but recommended:
- User field: user_name, FIND, [your Authentik username]
- Save role mapping. (Note: This may only be required if run_as is enabled in /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml but better to be safe!)
In Wazuh CLI: /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
- Confirm run_as is set to false
- Confirm URL is set to your Wazuh URL via DNS or IP: https://10.0.0.100
/etc/wazuh-indexer/opensearch-security/roles_mapping.yml
-
Add "wazuh-admins" under backend roles: to the all access: role - `all_access: reserved: false hidden: false backend_roles:
- "admin"
- "wazuh-admins"`
- Save. (Note: I also manually specified my user account name under users, just to be sure I wouldn't lose access).
/etc/wazuh-dashboard/opensearch_dashboards.yml
Add the following: 'opensearch_security.auth.type: "saml" server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"] opensearch_security.session.keepalive: false'
- Ensuring you have backups or documentation of changes you made run the following scripts:
export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h localhost -nhnv and 'systemctl restart wazuh-dashboard'
Then sign into Authentik User Interface with your account, and click on your Wazah application.
Pay attention to any error messages, and it definitely helps to use a browser in Private mode/clear your browser cache. Most troubleshooting will be done via roles mapping in the webUI and/or /etc/wazuh-indexer/opensearch-security/roles_mapping.yml.
Hope this helps! Let me know if this works for you. If it does, and there are no security issues pointed out, I'll do a bit more clean-up, add screenshots then open PR's on GH for Wazuh and Authentik documentation additions.
I did follow your guide here and am somehow getting an invalid requestID error. Any idea what this is in reference to (given the guide)?
image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/1294a144-be1b-4e85-8d51-c9a6c04533d3
— Reply to this email directly, view it on GitHub https://github.com/wazuh/wazuh/issues/16366#issuecomment-1826968785, or unsubscribe https://github.com/notifications/unsubscribe-auth/APSZUKHLD33DXPHWHMPZCDLYGPPHXAVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRWHE3DQNZYGU . You are receiving this because you were mentioned.Message ID: @.***>
rileyjnevins
commented
8 months ago If so, I’d verify your SAML provider settings match Wazuh’s config files,
We do see authorizations on Authentik's end (in green) making me think it was successful on that end of things, however, I did just restore our test VM back to a clean state prior to me adjusting authentication, I am going to try following the steps you provided again, and will report back!
rileyjnevins
commented
8 months ago Looks like there might be a mixup somewhere with syntax (perhaps we're a bit outdated)! Here is an interesting line from the wazuh-dashboard service syslog, unsure how to resolve it however:
christophermichaelshaw
commented
8 months ago Looks like an issue with the authentication headers.
Could you post a screenshot of the SAML provider? Also ensure the Service Provider Binding is POST.
Do you have Wazuh behind a proxy (NGINX)? May have to allow authentication headers to be passed to the host?
On Sun, Nov 26, 2023 at 17:57 Riley Nevins @.***> wrote:
Looks like there might be a mixup somewhere with syntax (perhaps we're a bit outdated)! Here is an interesting like from the wazuh-dashboard service syslog, unsure how to resolve it however:
image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/2cc847de-2deb-4b9f-ae72-7cf7255246c3
— Reply to this email directly, view it on GitHub https://github.com/wazuh/wazuh/issues/16366#issuecomment-1827012720, or unsubscribe https://github.com/notifications/unsubscribe-auth/APSZUKFT2BZY2MZYAQ56SJTYGPXQ3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAYTENZSGA . You are receiving this because you were mentioned.Message ID: @.***>
rileyjnevins
commented
8 months ago Looks like an issue with the authentication headers. Could you post a screenshot of the SAML provider? Also ensure the Service Provider Binding is POST. Do you have Wazuh behind a proxy (NGINX)? May have to allow authentication headers to be passed to the host? … On Sun, Nov 26, 2023 at 17:57 Riley Nevins @.> wrote: Looks like there might be a mixup somewhere with syntax (perhaps we're a bit outdated)! Here is an interesting like from the wazuh-dashboard service syslog, unsure how to resolve it however: image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/2cc847de-2deb-4b9f-ae72-7cf7255246c3 — Reply to this email directly, view it on GitHub <#16366 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/APSZUKFT2BZY2MZYAQ56SJTYGPXQ3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAYTENZSGA . You are receiving this because you were mentioned.Message ID: @.>
Here is the SAML provider on Authentik:
Just to be safe I did edit our nginx proxy configuration to add proxy_set_header Authorization $http_authorization;.
christophermichaelshaw
commented
8 months ago Try unselecting all of the property mappings in the SAML provider. Might help determine if the issue is with headers or not.
On Sun, Nov 26, 2023 at 18:31 Riley Nevins @.***> wrote:
Looks like an issue with the authentication headers. Could you post a screenshot of the SAML provider? Also ensure the Service Provider Binding is POST. Do you have Wazuh behind a proxy (NGINX)? May have to allow authentication headers to be passed to the host? … <#m-3894006129319045839> On Sun, Nov 26, 2023 at 17:57 Riley Nevins @.> wrote: Looks like there might be a mixup somewhere with syntax (perhaps we're a bit outdated)! Here is an interesting like from the wazuh-dashboard service syslog, unsure how to resolve it however: image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/2cc847de-2deb-4b9f-ae72-7cf7255246c3 https://github.com/wazuh/wazuh/assets/64431703/2cc847de-2deb-4b9f-ae72-7cf7255246c3 — Reply to this email directly, view it on GitHub <#16366 (comment) https://github.com/wazuh/wazuh/issues/16366#issuecomment-1827012720>, or unsubscribe https://github.com/notifications/unsubscribe-auth/APSZUKFT2BZY2MZYAQ56SJTYGPXQ3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAYTENZSGA https://github.com/notifications/unsubscribe-auth/APSZUKFT2BZY2MZYAQ56SJTYGPXQ3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAYTENZSGA . You are receiving this because you were mentioned.Message ID: @.>
Here is the SAML provider on Authentik: image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/99fa0498-375d-435e-8e35-0991df415578 image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/012aa954-14b4-4f3f-a9d1-c6bf75b2c344 image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/24cb9c38-1945-4df4-a626-dd12d4cb5db6
Just to be safe I did edit our nginx proxy configuration to add proxy_set_header Authorization $http_authorization;.
— Reply to this email directly, view it on GitHub https://github.com/wazuh/wazuh/issues/16366#issuecomment-1827033594, or unsubscribe https://github.com/notifications/unsubscribe-auth/APSZUKAYGPVTEZFC5KVGBJLYGP3O3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAZTGNJZGQ . You are receiving this because you were mentioned.Message ID: @.***>
rileyjnevins
commented
8 months ago Try unselecting all of the property mappings in the SAML provider. Might help determine if the issue is with headers or not. … On Sun, Nov 26, 2023 at 18:31 Riley Nevins @.> wrote: Looks like an issue with the authentication headers. Could you post a screenshot of the SAML provider? Also ensure the Service Provider Binding is POST. Do you have Wazuh behind a proxy (NGINX)? May have to allow authentication headers to be passed to the host? … <#m-3894006129319045839> On Sun, Nov 26, 2023 at 17:57 Riley Nevins @.> wrote: Looks like there might be a mixup somewhere with syntax (perhaps we're a bit outdated)! Here is an interesting like from the wazuh-dashboard service syslog, unsure how to resolve it however: image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/2cc847de-2deb-4b9f-ae72-7cf7255246c3 https://github.com/wazuh/wazuh/assets/64431703/2cc847de-2deb-4b9f-ae72-7cf7255246c3 — Reply to this email directly, view it on GitHub <#16366 (comment) <#16366 (comment)>>, or unsubscribe https://github.com/notifications/unsubscribe-auth/APSZUKFT2BZY2MZYAQ56SJTYGPXQ3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAYTENZSGA https://github.com/notifications/unsubscribe-auth/APSZUKFT2BZY2MZYAQ56SJTYGPXQ3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAYTENZSGA . You are receiving this because you were mentioned.Message ID: @.> Here is the SAML provider on Authentik: image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/99fa0498-375d-435e-8e35-0991df415578 image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/012aa954-14b4-4f3f-a9d1-c6bf75b2c344 image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/24cb9c38-1945-4df4-a626-dd12d4cb5db6 Just to be safe I did edit our nginx proxy configuration to add proxy_set_header Authorization $http_authorization;. — Reply to this email directly, view it on GitHub <#16366 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/APSZUKAYGPVTEZFC5KVGBJLYGP3O3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAZTGNJZGQ . You are receiving this because you were mentioned.Message ID: @.>
Seems to show the error {"statusCode":400,"error":"Bad Request","message":"Request must contain a osd-xsrf header."} with no useful mappings selected (it didn't let me pick none so I opted for UPN as a demo). Same result with picking any combination currently.
christophermichaelshaw
commented
8 months ago Apologies for the delay -- had to clear off some space on my Wazuh instance due to cron jobs not clearing log files. D'oh!
Thanks for being so thorough in your testing - this step tells us your authentication headers are being passed as expected (theoretically).
So in looking a bit deeper into the issue, the fact that your browser isn't being redirected from https://[wazuh URL]/_opendistro/_security/saml/acs to https://[wazuh URL]/app/wazuh likely indicates an issue with the settings in the /etc/wazuh-indexer/opensearch-security/config.yml (specifically the SSL certificate hash is where I would look), or the /etc/wazuh-dashboard/opensearch_dashboards.yml.
Feel free to post sanitized versions of the modifications/additions in both files -- be sure not to reveal any confidential information. I would check to ensure the SSL hash does not contain any carriage returns or spaces, as the hash checking is quite strict.
My Wazuh instance is working on a shard migration job at the moment, but if you're still having issues after checking the SSL certificate hash and settings in the files, I'll try to recreate the issue when the migration job is completed.
On Sun, Nov 26, 2023 at 6:56 PM Riley Nevins @.***> wrote:
Try unselecting all of the property mappings in the SAML provider. Might help determine if the issue is with headers or not. … <#m1550492064041555253> On Sun, Nov 26, 2023 at 18:31 Riley Nevins @.*> wrote: Looks like an issue with the authentication headers. Could you post a screenshot of the SAML provider? Also ensure the Service Provider Binding is POST. Do you have Wazuh behind a proxy (NGINX)? May have to allow authentication headers to be passed to the host? … <#m-3894006129319045839> On Sun, Nov 26, 2023 at 17:57 Riley Nevins @.> wrote: Looks like there might be a mixup somewhere with syntax (perhaps we're a bit outdated)! Here is an interesting like from the wazuh-dashboard service syslog, unsure how to resolve it however: image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/2cc847de-2deb-4b9f-ae72-7cf7255246c3 https://github.com/wazuh/wazuh/assets/64431703/2cc847de-2deb-4b9f-ae72-7cf7255246c3 https://github.com/wazuh/wazuh/assets/64431703/2cc847de-2deb-4b9f-ae72-7cf7255246c3 https://github.com/wazuh/wazuh/assets/64431703/2cc847de-2deb-4b9f-ae72-7cf7255246c3 — Reply to this email directly, view it on GitHub <#16366 https://github.com/wazuh/wazuh/issues/16366 (comment) <#16366 (comment) https://github.com/wazuh/wazuh/issues/16366#issuecomment-1827012720>>, or unsubscribe https://github.com/notifications/unsubscribe-auth/APSZUKFT2BZY2MZYAQ56SJTYGPXQ3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAYTENZSGA https://github.com/notifications/unsubscribe-auth/APSZUKFT2BZY2MZYAQ56SJTYGPXQ3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAYTENZSGA https://github.com/notifications/unsubscribe-auth/APSZUKFT2BZY2MZYAQ56SJTYGPXQ3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAYTENZSGA https://github.com/notifications/unsubscribe-auth/APSZUKFT2BZY2MZYAQ56SJTYGPXQ3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAYTENZSGA . You are receiving this because you were mentioned.Message ID: @.> Here is the SAML provider on Authentik: image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/99fa0498-375d-435e-8e35-0991df415578 https://github.com/wazuh/wazuh/assets/64431703/99fa0498-375d-435e-8e35-0991df415578 image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/012aa954-14b4-4f3f-a9d1-c6bf75b2c344 https://github.com/wazuh/wazuh/assets/64431703/012aa954-14b4-4f3f-a9d1-c6bf75b2c344 image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/24cb9c38-1945-4df4-a626-dd12d4cb5db6 https://github.com/wazuh/wazuh/assets/64431703/24cb9c38-1945-4df4-a626-dd12d4cb5db6 Just to be safe I did edit our nginx proxy configuration to add proxy_set_header Authorization $http_authorization;. — Reply to this email directly, view it on GitHub <#16366 (comment) https://github.com/wazuh/wazuh/issues/16366#issuecomment-1827033594>, or unsubscribe https://github.com/notifications/unsubscribe-auth/APSZUKAYGPVTEZFC5KVGBJLYGP3O3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAZTGNJZGQ https://github.com/notifications/unsubscribe-auth/APSZUKAYGPVTEZFC5KVGBJLYGP3O3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAZTGNJZGQ . You are receiving this because you were mentioned.Message ID: @.***>
Seems to show the error {"statusCode":400,"error":"Bad Request","message":"Request must contain a osd-xsrf header."} with no useful mappings selected (it didn't let me pick none so I opted for UNP as a demo). Same result with picking any combination currently.
— Reply to this email directly, view it on GitHub https://github.com/wazuh/wazuh/issues/16366#issuecomment-1827048662, or unsubscribe https://github.com/notifications/unsubscribe-auth/APSZUKBESFB6IGVPHECCFMTYGP6PTAVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGA2DQNRWGI . You are receiving this because you were mentioned.Message ID: @.***>
Christopher Shaw @.*** 425.435.8440
rileyjnevins
commented
8 months ago Apologies for the delay -- had to clear off some space on my Wazuh instance due to cron jobs not clearing log files. D'oh! Thanks for being so thorough in your testing - this step tells us your authentication headers are being passed as expected (theoretically). So in looking a bit deeper into the issue, the fact that your browser isn't being redirected from https://[wazuh URL]/_opendistro/_security/saml/acs to https://[wazuh URL]/app/wazuh likely indicates an issue with the settings in the /etc/wazuh-indexer/opensearch-security/config.yml (specifically the SSL certificate hash is where I would look), or the /etc/wazuh-dashboard/opensearch_dashboards.yml. Feel free to post sanitized versions of the modifications/additions in both files -- be sure not to reveal any confidential information. I would check to ensure the SSL hash does not contain any carriage returns or spaces, as the hash checking is quite strict. My Wazuh instance is working on a shard migration job at the moment, but if you're still having issues after checking the SSL certificate hash and settings in the files, I'll try to recreate the issue when the migration job is completed. On Sun, Nov 26, 2023 at 6:56 PM Riley Nevins @.> wrote: … Try unselecting all of the property mappings in the SAML provider. Might help determine if the issue is with headers or not. … <#m1550492064041555253> On Sun, Nov 26, 2023 at 18:31 Riley Nevins @.> wrote: Looks like an issue with the authentication headers. Could you post a screenshot of the SAML provider? Also ensure the Service Provider Binding is POST. Do you have Wazuh behind a proxy (NGINX)? May have to allow authentication headers to be passed to the host? … <#m-3894006129319045839> On Sun, Nov 26, 2023 at 17:57 Riley Nevins @.> wrote: Looks like there might be a mixup somewhere with syntax (perhaps we're a bit outdated)! Here is an interesting like from the wazuh-dashboard service syslog, unsure how to resolve it however: image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/2cc847de-2deb-4b9f-ae72-7cf7255246c3 https://github.com/wazuh/wazuh/assets/64431703/2cc847de-2deb-4b9f-ae72-7cf7255246c3 https://github.com/wazuh/wazuh/assets/64431703/2cc847de-2deb-4b9f-ae72-7cf7255246c3 https://github.com/wazuh/wazuh/assets/64431703/2cc847de-2deb-4b9f-ae72-7cf7255246c3 — Reply to this email directly, view it on GitHub <#16366 <#16366> (comment) <#16366 (comment) <#16366 (comment)>>>, or unsubscribe https://github.com/notifications/unsubscribe-auth/APSZUKFT2BZY2MZYAQ56SJTYGPXQ3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAYTENZSGA https://github.com/notifications/unsubscribe-auth/APSZUKFT2BZY2MZYAQ56SJTYGPXQ3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAYTENZSGA https://github.com/notifications/unsubscribe-auth/APSZUKFT2BZY2MZYAQ56SJTYGPXQ3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAYTENZSGA https://github.com/notifications/unsubscribe-auth/APSZUKFT2BZY2MZYAQ56SJTYGPXQ3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAYTENZSGA . You are receiving this because you were mentioned.Message ID: @.> Here is the SAML provider on Authentik: image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/99fa0498-375d-435e-8e35-0991df415578 https://github.com/wazuh/wazuh/assets/64431703/99fa0498-375d-435e-8e35-0991df415578 image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/012aa954-14b4-4f3f-a9d1-c6bf75b2c344 https://github.com/wazuh/wazuh/assets/64431703/012aa954-14b4-4f3f-a9d1-c6bf75b2c344 image.png (view on web) https://github.com/wazuh/wazuh/assets/64431703/24cb9c38-1945-4df4-a626-dd12d4cb5db6 https://github.com/wazuh/wazuh/assets/64431703/24cb9c38-1945-4df4-a626-dd12d4cb5db6 Just to be safe I did edit our nginx proxy configuration to add proxy_set_header Authorization $http_authorization;. — Reply to this email directly, view it on GitHub <#16366 (comment) <#16366 (comment)>>, or unsubscribe https://github.com/notifications/unsubscribe-auth/APSZUKAYGPVTEZFC5KVGBJLYGP3O3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAZTGNJZGQ https://github.com/notifications/unsubscribe-auth/APSZUKAYGPVTEZFC5KVGBJLYGP3O3AVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGAZTGNJZGQ . You are receiving this because you were mentioned.Message ID: @.**> Seems to show the error {"statusCode":400,"error":"Bad Request","message":"Request must contain a osd-xsrf header."} with no useful mappings selected (it didn't let me pick none so I opted for UNP as a demo). Same result with picking any combination currently. — Reply to this email directly, view it on GitHub <#16366 (comment)>, or unsubscribe https://github.com/notifications/unsubscribe-auth/APSZUKBESFB6IGVPHECCFMTYGP6PTAVCNFSM6AAAAAAVYOOL66VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTQMRXGA2DQNRWGI . You are receiving this because you were mentioned.Message ID: @.> -- -- Christopher Shaw @.*** 425.435.8440
Hey there, no problem at all! Ended up hopping off for the night shortly after I saw your reply.
One thing I am a little confused on is the certificate- we haven't used a hashed version of the signing certificate's private key (and instead, just pasted in the contents of the entire private key as seen below (but removed all blank spacing and new lines, plus the header and footer).
I should note we're also back to this error on the web-browser end (configs above are in-use):
danf22
commented
2 months ago Same issue Using Okta.
balmha
commented
1 week ago Same issue with Jumpcloud. Access trough the Wazuh Dashboard URL works fine, but accessing from the Jumpcloud app icon doesn't work --> https://-Wazuh Dashboard URL-/_opendistro/_security/saml/acs
I've configured SAML authentication integration with Authentik using the guides in the configuration manual here. When I log in using SAML, I see that the SAML account is granted admin permissions but not access to manage security settings, nor access to access to agents/data I configured using the local admin user.
I know that I'm very close to having this working, so if anyone could point me in the right direction, I will confirm and create documentation for Authentik SAML to be added to the installation guide -- hopefully this benefits us all! Thanks in advance!
Log entries:
/usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log
/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/config.yml '> saml_auth_domain:
/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles_mapping.yml
/etc/wazuh-dashboard/opensearch_dashboards.yml
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
Authentik Settings Applicable SAML metadata (certificate redacted):
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://authentik.[redacted]/application/saml/wazuh/slo/binding/redirect/"/><md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://authentik.[redacted]/application/saml/wazuh/slo/binding/post/"/><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName</md:NameIDFormat><md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://authentik.[redacted]/application/saml/wazuh/sso/binding/redirect/"/><md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://authentik.[redacted]/application/saml/wazuh/sso/binding/post/"/></md:IDPSSODescriptor></md:EntityDescriptor>