Free authentication integration of Kibana with OIDC and LDAP using Keycloak, Apache Reverse Proxy, and X-Pack enabled

Hamza Mourad
3 min read · Oct 31, 2020

What?

This article is a continuation of the previous one, “Free authentication integration of Kibana with LDAP using Apache Reverse Proxy and X-PACK enabled”, which showed how to integrate Elasticsearch/Kibana with an LDAP directory at no licence cost by putting an Apache reverse proxy in front of Kibana. Here we do the same with an OpenID Connect (OIDC) provider, using Keycloak as the example.

Why?

Adding a complete authentication flow, including login, logout, and per-user permissions, to the Elastic/Kibana stack.

When?

If you already run an OIDC provider, or plan to deploy one, it is time to integrate your Elastic/Kibana stack with that central authentication system.

How?

Enabling OIDC authentication natively in Elasticsearch requires upgrading the subscription from Basic to at least “Platinum”; that would keep authentication and authorization together inside X-Pack, but it is not the objective of this article.

Instead, we use the Apache HTTP Server as a reverse proxy in front of Kibana; its mod_auth_openidc module (https://github.com/zmartzone/mod_auth_openidc) handles the OIDC authentication. This architecture raises several issues, and the rest of the article fixes some of them.

The first issue: with X-Pack enabled behind an OIDC reverse proxy, users face two login forms, the Keycloak form and then Kibana’s own form for Elasticsearch native users. Disabling X-Pack removes the second form, but it also removes authorization management inside the Elastic Stack, so every Keycloak user ends up with the same (admin) privileges.

We therefore keep X-Pack enabled and automate the Kibana login: Apache sends a Basic Authorization header to Kibana on behalf of the authenticated user. On its own, that breaks the link between authentication and authorization inside the Elastic Stack, because Elasticsearch only sees the credentials in that header. To keep per-user authorization, every Keycloak user is created in Elasticsearch with the same user ID as in Keycloak (for example the users Keycloak imports from LDAP), and all of them share one password. Apache then takes the authenticated username from the variable mod_auth_openidc populates (REMOTE_USER), appends the shared password, and builds the Basic header from that pair; roles are assigned to these users in Elasticsearch as usual.

The caveat a practitioner should keep in mind: the shared password works for any username, so whoever knows it and can reach Kibana or Elasticsearch directly can impersonate any user. Kibana must therefore be reachable only through the proxy, the password must be strong and live only in the Apache configuration, and the proxy must overwrite any Authorization header the browser sends. The architecture diagram below summarizes this strategy.

The configuration steps are:

On the Elasticsearch nodes, make sure X-Pack security is enabled (elasticsearch.yml)

Generate passwords for the Elastic Stack built-in users if that has not been done yet

Make sure Kibana can connect to Elasticsearch with those credentials

On the Apache reverse proxy (httpd 2.4.10)

On Keycloak (client configuration)

On Keycloak (LDAP user federation configuration)
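The Apache side of the strategy described above (OIDC login through mod_auth_openidc, then an injected Basic header built from the authenticated username and the shared password) as one virtual host. This is an added example, not the article’s own configuration, which it delivered as screenshots. The hostnames kibana.example.com and keycloak.example.com, the realm name “elastic”, the client ID “kibana”, the /oauth2callback and /logout paths, Kibana listening on 127.0.0.1:5601, and every REPLACE_WITH_… value are assumptions to be adapted.

```apache
# Added example (not from the article): Apache httpd 2.4 reverse proxy that
# authenticates users against Keycloak with mod_auth_openidc and forwards them to
# Kibana (X-Pack enabled) with a Basic header built from REMOTE_USER and the
# shared password. All hostnames, names and REPLACE_WITH_... values are assumptions.
LoadModule auth_openidc_module modules/mod_auth_openidc.so
LoadModule headers_module      modules/mod_headers.so
LoadModule proxy_module        modules/mod_proxy.so
LoadModule proxy_http_module   modules/mod_proxy_http.so
LoadModule ssl_module          modules/mod_ssl.so

<VirtualHost *:443>
    ServerName kibana.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/kibana.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/kibana.example.com.key

    # --- Keycloak (OIDC provider) ---
    # Realm discovery document. The /auth prefix is the layout of the Keycloak
    # releases current in 2020; the Quarkus-based releases dropped it.
    OIDCProviderMetadataURL https://keycloak.example.com/auth/realms/elastic/.well-known/openid-configuration
    OIDCClientID         kibana
    OIDCClientSecret     REPLACE_WITH_CLIENT_SECRET
    # Must be listed as a Valid Redirect URI of the Keycloak client. Nothing needs
    # to listen on this path; mod_auth_openidc intercepts it itself.
    OIDCRedirectURI      https://kibana.example.com/oauth2callback
    OIDCCryptoPassphrase REPLACE_WITH_RANDOM_PASSPHRASE
    OIDCScope            "openid profile"
    # The claim that becomes REMOTE_USER. It must equal the Elasticsearch username,
    # which is why the users are created in Elasticsearch with the Keycloak user ID.
    OIDCRemoteUserClaim  preferred_username
    OIDCSessionInactivityTimeout 3600

    # --- Everything under / requires a Keycloak login ---
    <Location />
        AuthType openid-connect
        Require  valid-user

        # Kibana still expects Elasticsearch credentials. Each Keycloak user exists in
        # the native realm with the same username and one shared password; build the
        # Basic header from REMOTE_USER plus that password so the Kibana login form
        # never appears. "set" also overwrites any Authorization header the browser
        # sent, so a client cannot push its own Basic credentials through the proxy.
        # The expr= form of RequestHeader needs httpd 2.4.10 or later.
        RequestHeader set Authorization "expr=Basic %{base64:%{REMOTE_USER}:REPLACE_WITH_SHARED_PASSWORD}"
    </Location>

    # Kibana's own /logout would be re-authenticated by the injected header on the
    # very next request, so it is excluded from the proxy and sent to the
    # mod_auth_openidc logout URL, which ends the Apache session and then the
    # Keycloak session (end_session_endpoint from discovery) before returning to /.
    # Keycloak must allow https://kibana.example.com/ as a post-logout redirect URI.
    ProxyPass        /logout !
    Redirect 302     /logout "https://kibana.example.com/oauth2callback?logout=https%3A%2F%2Fkibana.example.com%2F"

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:5601/
    ProxyPassReverse / http://127.0.0.1:5601/
</VirtualHost>
```

On the Elasticsearch side this pairs with one native-realm user per Keycloak user, created with the same username, the shared password and the roles that user should have (the `_security/user/<username>` API takes exactly those three fields); Kibana accepts the injected `Authorization: Basic` header on every request and never shows its login form. Because the shared password is all that protects impersonation, bind Kibana to the proxy host only (or firewall port 5601 to it) and check that a direct request to Kibana without the proxy is refused.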
