Table of Contents
This blog explains how to integrate Azure AD OIDC with Elasticsearch and Kibana, enabling secure authentication and access control. This integration streamlines the user experience, enhances security, and simplifies access to multiple applications through single sign-on.
Key Highlights
- OIDC Protocol: Explains secure user authentication using OIDC.
- Azure AD Integration: Integrating Azure AD OIDC with Elasticsearch and Kibana for streamlined access and improved security.
- Benefits: The benefits include single sign-on, enhanced security, and simplified access to multiple apps.
- What is OIDC Protocol in Authentication Fundamentals?
- Why use it?
- How to integrate Azure AD OIDC with Elasticsearch and Kibana
- Conclusion
What is OIDC Protocol in Authentication Fundamentals?
In a traditional authentication system, users need to provide an email or username and password to access web applications. However, in organizations with multiple different applications, users are required to use the same credentials every time they access various applications.
In today’s world, organizations are enhancing the security of user credentials by adopting the OIDC protocol. OIDC, which stands for OpenID Connect, is an authentication protocol built on top of the OAuth 2.0 framework. It provides a reliable and secure way for applications to verify the identity of end-users based on the authentication performed by an authorization server. OIDC is specifically designed to enable secure and reliable authentication for both web and mobile applications.
Why use it?
OIDC enables users to authenticate once and then access multiple applications without repeatedly providing their credentials. This streamlines the user experience and eliminates the need for separate login processes for each application.
Below is a list of OIDC providers:
- Azure
- Okta
Note: In the market, there are many more OIDC providers. However, Elasticsearch only supports these OIDC providers
How to integrate Azure AD OIDC with Elasticsearch and Kibana
To access Kibana users are required to use a username and password. This authentication method is referred to as the Native Realm. Instead of using a username and password, we can assign a one-time single token to them by utilizing a token, allowing them access to the Kibana web application. Below are the steps to configure OIDC in Elasticsearch and Kibana. This OIDC realm is available in the Platinum version. If you require a license or support, please contact us.
- You need to register your application name in the Azure Portal. If you are unsure about how to register your application, please contact the Azure Team, and they will assist you in registering your application name. Please refer to the screenshot below
- Create client Id and secret
Note: If you don’t know how to register or create IDs and a secret, let the Azure team do this for you. You just need to provide the application name, Kibana’s endpoints, and client documentation, i.e., Elasticsearch’s OIDC Documentation. The Azure team will share your client ID, secret, and endpoints for configuring the OIDC realm in Elasticsearch via email
- Open your Elasticsearch server and add the client secret in the Elasticsearch keystore and enter the valuebin/elasticserarch-keystore add xpack.security.authc.realms.oidc.oidc1.rp.client_secretNote: OIDC1 is the realm name that you will use in the elasticsearch.yml file. You can set this name to any, but you need to remember this realm name when using it in the elasticsearch.yml file and adding it to the keystore.
- Configure Elasticsearch with the OIDC realm.
To learn more about the available endpoints provided by Microsoft Azure, refer to the Endpoint details in the application that you or the Azure Team has configured. Please see the screenshot below.To configure OIDC in Elasticsearch. Edit the elasticsearch.yml file as mentioned below
Note: Elasticsearch needs to communicate with Azure AD OIDC endpoints. Make sure that the communication is there b/w elasticsearch and Azure AD. You can uncomment http.proxy settings as mentioned in the above screenshot if your organization has restricted the inbound and outbound traffic for login.microsoftonline.com FQDN.
- Restart the elasticsearch service and check the logs
- Open Kibana > Dev Tools and run the below query
- Update kibana.yml file for OIDC realm.
- Restart the Kibana service and navigate to the Kibana endpoint in Chrome. As shown in the screenshot, ‘Login with Azure’ is displayed.
Conclusion
By integrating Azure AD OIDC in Elasticsearch and Kibana, organizations can leverage the power of Azure AD for secure authentication and access control. This integration enhances the overall security posture and simplifies the user experience, enabling organizations to focus on their core analytics and logging tasks. With the step-by-step instructions in this blog post, you can easily configure Azure AD OIDC in Elasticsearch and Kibana and start reaping the benefits of this powerful integration.
We at Ashnik can assist you in harnessing the full potential of Azure AD OIDC integration in Elasticsearch and Kibana. Connect with our experts to leverage their expertise in securing authentication, access control, and enhancing overall security posture while simplifying the user experience.
For further information regarding our services, please visit our dedicated services page on Elasticsearch and Kibana, Should you have any queries or require additional assistance, please do not hesitate to reach out to us at success@ashnik.com.