Getting 401 Unauthorized when trying to Access Wazuh Dashboard via Authentik SAML SSO #19623
Comments
Did anyone have the same challenge as me? And if not, I would be happy to know what I overlooked to use SSO with my Wazuh instance 😄.
Did you add the backend role to your roles_mapping.yml? And add a role mapping inside of Wazuh security (https://documentation.wazuh.com/current/_images/Wazuh-role-mapping7.png / https://documentation.wazuh.com/current/_images/Wazuh-role-mapping1.gif)? Oh, and push that configuration to your Wazuh instance afterwards via
In my case run_as was set to false, that's why I assumed that I didn't need to add the role mapping. Since I am not able to open the web UI, I need to figure out how to open it to add the role mapping. I will update this issue if I was able to do it. My roles_mapping.yaml has the following lines:
(I just copied the all_access part.) I added the Admin role, because my Authentik account is part of this group. I also set a property mapping in Authentik:
Thank you for your answer, I will try the part with the role mapping in the web UI.
OK, so I managed to access the web UI and create the role mapping as shown in the link you sent: https://documentation.wazuh.com/current/_images/Wazuh-role-mapping7.png Unfortunately it yields the same result as before. Thank you anyways. Do you have any other idea? Do you use Authentik as SSO provider for your Wazuh instance?
I tried to set up Authentik and Wazuh but failed and now use Keycloak, which was much easier to set up for me 😅 General question: have you checked the logs for the 401 and possible hints in the stack traces? e.g. What helped me when I first had 500 errors and then 401s was to go through the process from scratch with a new tenant/realm again. This made sure that all the necessary setup steps were in order on the Authentik side, and when you keep the changes on the Wazuh side you can drill down into possible failure scenarios. 401 indicates that the backend roles from Authentik are not "synced" to Wazuh and therefore your user does not have access to the dashboard. You could use this documentation as a baseline for "what needs to happen" and make sure that the
Running
My Wazuh installation was very new and it worked before, that's why I think this shouldn't be the problem, but you never know... The remote address shows 127.0.0.1 because I am running Wazuh behind an Nginx proxy on the same system. I also looked at https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/administrator/keycloak.html and I added some extra steps that were mentioned. I am also running the script after every update of the config files as shown in the official Wazuh docs. I am fully "invested" in Authentik since I am running all my SAML and OpenID requests with it. That's why it would be nice to get it working with Authentik. Thank you for your response.
Add me on Discord @maikroservice and we can debug interactively
@maikroservice and I got it figured out. A detailed step-by-step guide can be read on @maikroservice's blog. In Authentik you have to configure your provider like this: The Wazuh Admin Mapping looks like this: The Authentik group I want to have access to Wazuh is called Admin (change this group to the one that fits your configuration). On the Wazuh side I configured things like this: Added the following to
Added the following to
And finally the following role mapping within Wazuh Dashboard: This should be all you need to configure. Don't forget to follow the Wazuh SAML documentation step by step and add the values from this issue according to your configuration.
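The 401 in this thread comes down to the mapping chain the OpenSearch Security plugin applies on a SAML login: the attribute named by roles_key becomes the user's backend roles, and those must match a backend_roles entry in roles_mapping.yml. The script below is an added diagnostic, not code from Wazuh, Authentik or the posters; it assumes that chain and exact attribute-name matching, and all sample data (assertion, mapping) is constructed.

```python
"""Check whether a SAML assertion would map to any OpenSearch role (added example)."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment for a user in an IdP group called "Admin";
# the attribute Name is whatever the IdP property mapping emits.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Roles">
      <saml:AttributeValue>Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the relevant roles_mapping.yml entries.
ROLES_MAPPING = {
    "all_access": {"backend_roles": ["admin", "Admin"]},
    "readall": {"backend_roles": ["Viewer"]},
}


def backend_roles_from_assertion(xml_text: str, roles_key: str) -> list[str]:
    """Values of the SAML attribute whose Name equals roles_key (exact match assumed)."""
    root = ET.fromstring(xml_text)
    values = []
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == roles_key:
            values.extend(v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text)
    return values


def mapped_roles(backend_roles, roles_mapping) -> set[str]:
    """OpenSearch roles whose backend_roles list intersects the user's backend roles."""
    return {role for role, spec in roles_mapping.items()
            if set(spec.get("backend_roles", [])) & set(backend_roles)}


def diagnose(xml_text: str, roles_key: str, roles_mapping) -> str:
    """Explain which step of the chain fails; 'ok: ...' when the user gets a role."""
    backend = backend_roles_from_assertion(xml_text, roles_key)
    if not backend:
        return f"no attribute named {roles_key!r} in assertion: roles_key does not match the IdP property mapping"
    roles = mapped_roles(backend, roles_mapping)
    if not roles:
        return f"backend roles {backend} match no roles_mapping entry: add them and push the mapping to the indexer"
    return "ok: " + ", ".join(sorted(roles))
```

Paste a decoded assertion from the dashboard login and your own roles_mapping entries in place of the constructed samples; a case mismatch between roles_key and the attribute Name reproduces the "no attribute" branch.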
I have configured Wazuh for SSO use via SAML according to the official Wazuh documentation and with a little help from the following GitHub issue #16366.
When I am trying to log into the Wazuh Dashboard, it seems like the Authentik login is working, but then it redirects me to the following page:
My /etc/wazuh-indexer/opensearch-security/config.yml config file has this section for the SAML auth:
In Authentik I tested POST and REDIRECT as Service Provider Binding, but both yielded the same result.
I configured https://wazuh_URL/_opendistro/_security/saml/acs/idpinitiated as ACS URL and wazuh-saml as Issuer in Authentik. Did anyone have the same issue and know how to fix it?
Thank you in advance.