SAML Authentication Permission Issues (Authentik) #16366
Comments
Same issue. Keeping run_as: false, the user works but RBAC has limitations. |
@christophermichaelshaw did you by any chance figure this out? |
I did, actually! It's been a while but here's my configuration modifications, based upon reverse engineering Wazuh's documentation for implementing Okta SAML SSO -- be sure to back up any changed Wazuh config file so you can easily restore local login for troubleshooting (you will likely need it). In Authentik:
In Wazuh: Wazuh Indexer Configuration:
In Wazuh CLI:
/etc/wazuh-indexer/opensearch-security/roles_mapping.yml
/etc/wazuh-dashboard/opensearch_dashboards.yml
Then sign into the Authentik User Interface with your account, and click on your Wazuh application. Pay attention to any error messages, and it definitely helps to use a browser in Private mode/clear your browser cache. Most troubleshooting will be done via roles mapping in the web UI and/or /etc/wazuh-indexer/opensearch-security/roles_mapping.yml. Hope this helps! Let me know if this works for you. If it does, and there are no security issues pointed out, I'll do a bit more clean-up, add screenshots then open PRs on GH for Wazuh and Authentik documentation additions. |
I did follow your guide here and am somehow getting an invalid requestID error. Any idea what this is in reference to (given the guide)? |
Does Authentik indicate authentication was successful? I’m guessing it
does, and there’s an issue with the account or group mapping.
If so, I’d verify your SAML provider settings match Wazuh’s config files,
and restart Wazuh-dashboard service. If it errors again, mind posting Wazuh
logs from /var/log/wazuh/ ?
I’m out participating in some traditional post-thanksgiving consumerism but
can assist in troubleshooting further if needed a bit later.
…On Sun, Nov 26, 2023 at 16:46 Riley Nevins ***@***.***> wrote:
I did, actually! It's been awhile but here's my configuration
modifications, based upon reverse engineering Wazuh's documentation for
implementing Okta SAML SSO -- be sure to back up any changed Wazuh config
file so you can easily restore local login for troubleshooting (you will
likely need it).
In Authentik:
1. Go to Admin interface > Customization > Property Mappings > Create SAML Property Mapping:
   - Name: custom-wazuh-rolekey
   - SAML attribute name: Role
   - Expression: return ak_is_group_member(request.user, name="wazuh-admins")
   - Save
2. Go to Role > Group > Create
   - Name: wazuh-admins
   - Save
   - Click on wazuh-admins group name > Users tab
   - Add existing users
3. Go to Applications > Providers > Create SAML provider
   - Type: SAML Provider
   - Name: Wazuh
   - Authentication flow: default-authentication-flow
   - Authorization flow: default-provider-authorization-implicit-consent
   - ACS URL: https://[wazuh URL]/_opendistro/_security/saml/acs
   - Issuer: authentik
   - Service Provider Binding: Post
   - Audience: wazuh-saml
   - Click Advanced protocol settings:
     - Select a Signing certificate
     - No Verification certificate
     - Property mappings: custom-wazuh-rolekey
     - NameID Property Mapping: authentik default SAML Mapping: Username (Note: This assumes you want to map according to your Authentik username; can be set to use email, but I'd stick with username).
     - Assertion valid not before: minutes=-5
     - Assertion valid not on or after: minutes=5
     - Session valid not on or after: minutes=86400
     - Default relay state: (blank)
     - Digest algorithm: SHA256
     - Signature algorithm: RSA-SHA256
   - Save
4. Go to Applications > Create Application
   - Name: Wazuh
   - Slug: wazuh
   - Provider: Wazuh
   - Customize icon, etc.
   - Save.
5. Click on System > Certificates
   - Find the Signing certificate selected when you set up the Wazuh provider > Download private key
   - Open the file with a plain-text editor (notepad/textedit/etc) > delete the '-----BEGIN RSA PRIVATE KEY-----' header and '-----END RSA PRIVATE KEY-----' footer. Make sure there are no returns, spaces or other white space.
In Wazuh:
Wazuh Indexer Configuration:
1. Edit /etc/wazuh-indexer/opensearch-security/config.yml - Reference settings below and/or follow this guide for STEP 1 ONLY; DON'T DO STEP 2 YET:
   https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/administrator/okta.html#wazuh-indexer-configuration
   - Set the order in basic_internal_auth_domain to 0 and the challenge flag to false
   - Go to your text editor that has
   - Add the following block:

   ```yaml
   authc:
     kerberos_auth_domain:
       http_enabled: false
       transport_enabled: false
       order: 6
       http_authenticator:
         type: kerberos
         challenge: true
         config:
           # If true a lot of kerberos/security related debugging output will be logged to standard out
           krb_debug: false
           # If true then the realm will be stripped from the user name
           strip_realm_from_principal: true
       authentication_backend:
         type: noop
     saml_auth_domain:
       http_enabled: true
       transport_enabled: false
       order: 1
       http_authenticator:
         type: saml
         challenge: true
         config:
           idp:
             metadata_url: "https://[AUTHENTIK URL]/api/v3/providers/saml/12/metadata/?download"
             entity_id: "authentik"
           sp:
             entity_id: wazuh-saml
           kibana_url: https://[WAZUH URL]
           roles_key: Roles
           exchange_key: '[PASTE SIGNING CERTIFICATE HERE]'
       authentication_backend:
         type: noop
   ```

2. Go to Wazuh menu > Security > Roles Mapping
   - Create Role Mapping
   - Name: sso-admin
   - Roles: Administrator
   - Custom Rules:
     - User field: backend, FIND, wazuh-admins
     - Optional, but recommended: User field: user_name, FIND, [your Authentik username]
   - Save role mapping.
   (Note: This may only be required if run_as is enabled in /usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml but better to be safe!)

In Wazuh CLI:

/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
- Confirm run_as is set to false
- Confirm URL is set to your Wazuh URL via DNS or IP: https://10.0.0.100

/etc/wazuh-indexer/opensearch-security/roles_mapping.yml
- Add "wazuh-admins" under backend_roles: of the all_access: role:

```yaml
all_access:
  reserved: false
  hidden: false
  backend_roles:
    - "admin"
    - "wazuh-admins"
```

- Save.
(Note: I also manually specified my user account name under users, just to be sure I wouldn't lose access).

/etc/wazuh-dashboard/opensearch_dashboards.yml
- Add the following:

```yaml
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
```

3. Ensuring you have backups or documentation of the changes you made, run the following commands:

```sh
export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h localhost -nhnv
systemctl restart wazuh-dashboard
```
Then sign into the Authentik User Interface with your account, and click on
your Wazuh application.
Pay attention to any error messages, and it definitely helps to use a
browser in Private mode/clear your browser cache. Most troubleshooting will
be done via roles mapping in the webUI and/or
/etc/wazuh-indexer/opensearch-security/roles_mapping.yml.
Hope this helps! Let me know if this works for you. If it does, and there
are no security issues pointed out, I'll do a bit more clean-up, add
screenshots then open PR's on GH for Wazuh and Authentik documentation
additions.
|
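The guide quoted above touches three files whose values have to agree with each other and with the Authentik provider: `exchange_key` must be a bare secret with no PEM header/footer or whitespace (and, as the last comment in this thread notes, it is the openssl-generated key from the Wazuh guide, not the IdP private key), `roles_key` must equal the SAML attribute name the property mapping emits (the guide uses `Role` in Authentik but `Roles` in config.yml), `server.xsrf.allowlist` must list the ACS paths or the dashboard answers "Request must contain a osd-xsrf header", and `run_as` must be false. The following checker is an added example written for this page, not code from the thread or from Wazuh; the file contents, hostnames and the 32-character minimum key length are constructed assumptions.

```python
import re

# Constructed samples (placeholder hosts, not a real deployment) of the three files the guide
# edits: the saml_auth_domain block of config.yml, opensearch_dashboards.yml and wazuh.yml.
SAMPLE_CONFIG_YML = """
saml_auth_domain:
  http_authenticator:
    type: saml
    config:
      idp:
        entity_id: "authentik"
      sp:
        entity_id: wazuh-saml
      kibana_url: https://wazuh.example
      roles_key: Roles
      exchange_key: '-----BEGIN RSA PRIVATE KEY-----MIIEow AAAA...'
"""
SAMPLE_DASHBOARDS_YML = """
opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]
opensearch_security.session.keepalive: false
"""
SAMPLE_WAZUH_YML = "hosts:\n  - default:\n      url: https://10.0.0.100\n      run_as: true\n"

# The same files after the corrections the thread converges on: roles_key equal to the Authentik
# attribute name, a random hex exchange key ("a1" * 32 stands in for `openssl rand -hex 32`),
# the idpinitiated ACS path in the xsrf allowlist, and run_as disabled.
FIXED_CONFIG_YML = SAMPLE_CONFIG_YML.replace("roles_key: Roles", "roles_key: Role").replace(
    "-----BEGIN RSA PRIVATE KEY-----MIIEow AAAA...", "a1" * 32)
FIXED_DASHBOARDS_YML = SAMPLE_DASHBOARDS_YML.replace(
    '"/_opendistro/_security/saml/logout"]',
    '"/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]')
FIXED_WAZUH_YML = SAMPLE_WAZUH_YML.replace("run_as: true", "run_as: false")

REQUIRED_XSRF = ("/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout",
                 "/_opendistro/_security/saml/acs/idpinitiated")

def scalar(text, key):
    """Value of the first 'key: value' line (quotes stripped), or None. Enough for flat keys."""
    m = re.search(rf"^\s*{re.escape(key)}:\s*(.*?)\s*$", text, re.M)
    return m.group(1).strip("'\"") if m else None

def check_saml_config(config_yml, dashboards_yml, wazuh_yml, idp_role_attribute):
    """Return the list of misconfigurations found; an empty list means every check passed."""
    findings = []
    key = scalar(config_yml, "exchange_key") or ""
    if "BEGIN" in key or "END" in key:
        findings.append("exchange_key still contains a PEM header/footer")
    if re.search(r"\s", key):
        findings.append("exchange_key contains whitespace or line breaks")
    if len(key) < 32:  # threshold assumed here; use the openssl-generated secret from the guide
        findings.append("exchange_key is shorter than 32 characters")
    roles_key = scalar(config_yml, "roles_key")
    if roles_key != idp_role_attribute:
        findings.append(f"roles_key {roles_key!r} does not match the IdP attribute {idp_role_attribute!r}")
    if scalar(dashboards_yml, "opensearch_security.auth.type") != "saml":
        findings.append("opensearch_security.auth.type is not saml")
    allowlist = scalar(dashboards_yml, "server.xsrf.allowlist") or ""
    findings += [f"server.xsrf.allowlist is missing {p}" for p in REQUIRED_XSRF if p not in allowlist]
    if scalar(wazuh_yml, "run_as") != "false":
        findings.append("run_as is not false in wazuh.yml")
    return findings
```

Running it on the sample files reports five findings (PEM header, whitespace, `Roles` vs `Role`, the missing idpinitiated path and `run_as: true`); the corrected set reports none.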
We do see authorizations on Authentik's end (in green) making me think it was successful on that end of things, however, I did just restore our test VM back to a clean state prior to me adjusting authentication, I am going to try following the steps you provided again, and will report back! |
Looks like an issue with the authentication headers.
Could you post a screenshot of the SAML provider? Also ensure the Service
Provider Binding is POST.
Do you have Wazuh behind a proxy (NGINX)? May have to allow authentication
headers to be passed to the host?
…On Sun, Nov 26, 2023 at 17:57 Riley Nevins ***@***.***> wrote:
Looks like there might be a mixup somewhere with syntax (perhaps we're a
bit outdated)! Here is an interesting line from the wazuh-dashboard service
syslog, unsure how to resolve it however:
|
Here is the SAML provider on Authentik: Just to be safe I did edit our nginx proxy configuration to add `proxy_set_header Authorization $http_authorization;`. |
Try unselecting all of the property mappings in the SAML provider. Might
help determine if the issue is with headers or not.
…On Sun, Nov 26, 2023 at 18:31 Riley Nevins ***@***.***> wrote:
Here is the SAML provider on Authentik:
Just to be safe I did edit our nginx proxy configuration to add `proxy_set_header Authorization $http_authorization;`.
|
Seems to show the error `{"statusCode":400,"error":"Bad Request","message":"Request must contain a osd-xsrf header."}` with no useful mappings selected (it didn't let me pick none so I opted for UNP as a demo). Same result with picking any combination currently. |
Apologies for the delay -- had to clear off some space on my Wazuh instance
due to cron jobs not clearing log files. D'oh!
Thanks for being so thorough in your testing - this step tells us your
authentication headers are being passed as expected (theoretically).
So in looking a bit deeper into the issue, the fact that your browser isn't
being redirected from https://[wazuh URL]/_opendistro/_security/saml/acs
to https://[wazuh URL]/app/wazuh likely indicates an issue with the
settings in the /etc/wazuh-indexer/opensearch-security/config.yml
(specifically the SSL certificate hash is where I would look), or
the /etc/wazuh-dashboard/opensearch_dashboards.yml.
Feel free to post sanitized versions of the modifications/additions in both
files -- be sure not to reveal any confidential information. I would check
to ensure the SSL hash does not contain any carriage returns or spaces, as
the hash checking is quite strict.
My Wazuh instance is working on a shard migration job at the moment, but if
you're still having issues after checking the SSL certificate hash and
settings in the files, I'll try to recreate the issue when the migration
job is completed.
On Sun, Nov 26, 2023 at 6:56 PM Riley Nevins ***@***.***>
wrote:
Seems to show the error {"statusCode":400,"error":"Bad
Request","message":"Request must contain a osd-xsrf header."} with no
useful mappings selected (it didn't let me pick none so I opted for UNP as
a demo). Same result with picking any combination currently.
|
Hey there, no problem at all! Ended up hopping off for the night shortly after I saw your reply. One thing I am a little confused on is the certificate: we haven't used a hashed version of the signing certificate's private key, and instead just pasted in the contents of the entire private key as seen below (but removed all blank spacing and new lines, plus the header and footer). I should note we're also back to this error on the web-browser end (configs above are in use): |
Same issue using Okta. |
I was getting the same error as above but finally got it figured out. A couple of notes if you're following christophermichaelshaw's directions:
This SIGNING CERTIFICATE is the exchange key generated by openssl in step 1.
|
I've configured SAML authentication integration with Authentik using the guides in the configuration manual here. When I log in using SAML, I see that the SAML account is granted admin permissions but not access to manage security settings, nor access to the agents/data I configured using the local admin user.
I know that I'm very close to having this working, so if anyone could point me in the right direction, I will confirm and create documentation for Authentik SAML to be added to the installation guide -- hopefully this benefits us all! Thanks in advance!
Log entries:
/usr/share/wazuh-dashboard/data/wazuh/logs/wazuhapp.log
/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/config.yml
/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles_mapping.yml
/etc/wazuh-dashboard/opensearch_dashboards.yml
/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml
Authentik Settings
Applicable SAML metadata (certificate redacted):
```xml
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://authentik.[redacted]/application/saml/wazuh/slo/binding/redirect/"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://authentik.[redacted]/application/saml/wazuh/slo/binding/post/"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:X509SubjectName</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://authentik.[redacted]/application/saml/wazuh/sso/binding/redirect/"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://authentik.[redacted]/application/saml/wazuh/sso/binding/post/"/>
</md:IDPSSODescriptor></md:EntityDescriptor>
```