Log in to Elastic Stack with WSO2 Identity Server with OAuth2/OIDC
Hi guys, hope you all are in good shape. Today I am going to present another integration story about WSO2 Identity Server. In this blog I will show how to configure WSO2 Identity Server with Elastic Stack so that users can log in to Elastic Stack through OAuth2/OIDC. First, let’s have a brief look at these two products.
WSO2 Identity Server is a fully open source Identity and Access Management solution which is available for free on GitHub. WSO2 Identity Server was also recognized as an Overall Leader in the KuppingerCole Leadership Compass in 2020 and as a Strong Performer in the Forrester Wave™ in 2020 Q4. You can get more information from the WSO2 Identity Server official web page.
Elastic Stack is a group of open source products from Elastic designed to help users take data from any type of source, in any format, and search, analyze, and visualize that data in real time.
Okay, Let’s get our hands dirty.
Here I am using WSO2 Identity Server version 6.0.0 which is the latest GA release, Elasticsearch version 8.3.3 and Kibana version 8.3.3.
As the first step we need a Service Provider (SP) in WSO2 Identity Server that represents Elastic Stack. To do that, start WSO2 Identity Server and go to Identity -> Service Providers and click on Add. Enter a service provider name and click on Register. You will be redirected to the SP configuration page; there, expand Inbound Authentication Configuration and go to OAuth/OpenID Connect Configuration. On the OAuth configuration page enable the Authorization Code grant type and add the following URL regex as the Callback URL.
Please refer to the following screenshot.
After updating the configurations you will get a Client Id and a Client Secret for the SP.
Now we need to configure the Claim Configuration. These claims will be shared with Elastic Stack based on the user’s consent.
Expand the Claim Configuration tab and configure the following claims for the SP:
- http://wso2.org/claims/emailaddress : to get the user’s email address.
- http://wso2.org/claims/givenname : to get the user’s first name in order to identify the user.
- http://wso2.org/claims/groups : to get the user’s group membership, which Elastic Stack uses to grant role-based access to its functionality.
- Configure the Subject Claim URI as http://wso2.org/claims/emailaddress claim.
You can refer to the following screenshot.
Now click on the Update button to save all the changes you have made.
Finally, we need a user to log in to Elastic Stack. For that, first create a role by going to Identity -> Users and Roles -> Add -> Add New Role. Enter the Role Name as ElasticViewer (you can use any name you prefer). Then create a user by going to Identity -> Users and Roles -> Add -> Add New User and assign the created ElasticViewer role to that user. For demonstration purposes I created a user named Alex.
Let’s move to the Elastic side and do the configuration there.
On the Elastic side, they provide a guide with the instructions to follow when configuring SSO with OIDC. Based on that, the first step is to enable TLS on the HTTP layer. If you are running this in production you need to configure TLS, because otherwise the client secret, authorization code and tokens exchanged with Elasticsearch travel in clear text. Since we are doing this locally we can skip this step.
Open the elasticsearch.yml file located in the ELASTIC_HOME/config folder and add the following configurations.
All of these settings are described in the OIDC realm documentation. Note that in the above configuration only the client ID appears in elasticsearch.yml; secrets such as the client secret are kept in the Elasticsearch keystore instead. You can use the following command to add it.
bin/elasticsearch-keystore add xpack.security.authc.realms.oidc.oidc1.rp.client_secret
Now open the kibana.yml file located in the KIBANA_HOME/config folder and add the following configurations.
Now start Elasticsearch first and then Kibana. Let’s try to log in to Elastic Stack through Kibana at the following URL.
Prior to logging in with WSO2 Identity Server we need to add a role mapping on the Elastic side. For that, click on Log in with Elasticsearch and enter the elastic user’s credentials. Then go to Stack Management -> Role Mappings and click on Create role mapping. Fill in the following:
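The post does not reproduce the two configuration fragments, so here is an added example of what an OIDC realm in elasticsearch.yml and the matching provider in kibana.yml look like for this setup. This is not the author’s configuration or Elastic’s own sample; it assumes WSO2 Identity Server is running on https://localhost:9443 with its default OAuth2/OIDC endpoint paths, Kibana on http://localhost:5601, a realm named oidc1, and a placeholder client ID standing in for the one issued by the SP. The claim names on the right-hand side are the OIDC claim names WSO2 Identity Server emits for the claims configured on the SP above.

```yaml
# elasticsearch.yml (ELASTIC_HOME/config). Added example, not the post's own config.
# Assumed values: WSO2 IS at https://localhost:9443, Kibana at http://localhost:5601,
# realm name oidc1; <CLIENT_ID_FROM_WSO2_SP> is a placeholder for the SP's client ID.
xpack.security.enabled: true
# The OIDC realm depends on the token service, which is enabled automatically only
# when HTTP TLS is on. Because TLS was skipped for this local setup, enable it here.
xpack.security.authc.token.enabled: true

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "<CLIENT_ID_FROM_WSO2_SP>"   # the client secret lives in the keystore, not here
  rp.response_type: code                     # matches the Authorization Code grant enabled on the SP
  rp.redirect_uri: "http://localhost:5601/api/security/oidc/callback"   # Kibana's OIDC callback
  rp.requested_scopes: ["openid", "email", "profile"]   # assumes the SP releases the claims below under these scopes
  op.issuer: "https://localhost:9443/oauth2/token"      # WSO2 IS default issuer value
  op.authorization_endpoint: "https://localhost:9443/oauth2/authorize"
  op.token_endpoint: "https://localhost:9443/oauth2/token"
  op.jwkset_path: "https://localhost:9443/oauth2/jwks"
  op.userinfo_endpoint: "https://localhost:9443/oauth2/userinfo"
  op.endsession_endpoint: "https://localhost:9443/oidc/logout"
  # Map claims from the ID token / userinfo response to Elasticsearch user attributes.
  claims.principal: sub        # the SP's Subject Claim URI was set to the email address claim
  claims.name: given_name      # http://wso2.org/claims/givenname
  claims.mail: email           # http://wso2.org/claims/emailaddress
  claims.groups: groups        # http://wso2.org/claims/groups, consumed by the role mapping
  # WSO2 IS ships with a self-signed certificate. Elasticsearch must trust it to fetch
  # the JWKS and redeem the authorization code, so export that certificate to PEM and
  # reference it here instead of lowering ssl.verification_mode.
  ssl.certificate_authorities: ["certs/wso2carbon.pem"]   # placeholder path, relative to the config dir

---
# kibana.yml (KIBANA_HOME/config)
xpack.security.authc.providers:
  basic.basic1:
    order: 0                 # keeps the "Log in with Elasticsearch" option for the elastic user
  oidc.oidc1:
    order: 1
    realm: oidc1             # must match the realm name configured in elasticsearch.yml
    description: "Log in with WSO2 Identity Server (OAuth2/OIDC)"
```

With both fragments in place, the client secret is added with the bin/elasticsearch-keystore command shown earlier, under the key xpack.security.authc.realms.oidc.oidc1.rp.client_secret, so the realm name in that key has to match the one used here.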
- Mapping Name : Elastic Viewer (or any suitable name)
- Roles : viewer (select it from the dropdown)
- Mapping Rules : add groups in the User field and ElasticViewer as the Value (the group name that we assigned to our user in Identity Server)
Save the role mapping. You can refer to the following screenshot for more information about the created role mapping.
Log out from the elastic user and click on Log in with WSO2 Identity Server (OAuth2/OIDC). You will be redirected to WSO2 Identity Server for authentication. Log in with the credentials of the user we created previously and provide consent for the claims. Then you will be redirected to the home page of Elastic Stack, as shown below.
You can see that fewer functionalities are enabled for this user than for the admin (elastic) user. If you go to the profile, you can see that the email address of the logged-in user has been picked up for the profile.
If you want to check the user’s capabilities, execute a query from Dev Tools and you will see that an unauthorized response is returned for this user. This confirms that the access of this user is governed by the role mapped to their group.
Hope this blog helped you to improve your knowledge and any use case that you have to accomplish.
Until we meet again, AYUBOWAN…!!!
References: