
Getting 401 Unauthorized when trying to Access Wazuh Dashboard via Authentik SAML SSO #19623

Closed
Videothek opened this issue Oct 13, 2023 · 8 comments

Comments

@Videothek

Wazuh version: v4.5.2-40505
Component: Wazuh Dashboard
Install type: Manager
Install method: apt-Package
Platform: Ubuntu 22.04

I have configured Wazuh for SSO use via SAML according to the official Wazuh documentation and with a little help from the following GitHub issue #16366.

When I am trying to log into the Wazuh Dashboard it seems that the Authentik login is working, but then it redirects me to the following page:

[screenshot]

My /etc/wazuh-indexer/opensearch-security/config.yml config file has this section for the saml auth:

      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: "Authentik Metadata File Download URL"
              entity_id: "Authentik URL"
            sp:
              entity_id: wazuh-saml
            kibana_url: https://wazuh_URL/app/wazuh
            roles_key: Roles
            exchange_key: 'x509 Certificate for signing the request'
        authentication_backend:
          type: noop

In Authentik I tested POST and REDIRECT as Service Provider Binding but both yielded the same result.

I configured https://wazuh_URL/_opendistro/_security/saml/acs/idpinitiated as ACS URL and wazuh-saml as Issuer in Authentik.

Has anyone had the same issue and knows how to fix it?

Thank you in advance.

@Videothek (Author)

Has anyone had the same challenge as me?

And if not, I would be happy to know what I overlooked to use SSO with my Wazuh instance 😄.

@maikroservice

maikroservice commented Nov 7, 2023

Did you add the backend role to your roles_mapping.yml? And did you add a role mapping inside of Wazuh security (https://documentation.wazuh.com/current/_images/Wazuh-role-mapping7.png / https://documentation.wazuh.com/current/_images/Wazuh-role-mapping1.gif)?

Oh, and push that configuration to your Wazuh instance afterwards via

# push roles_mapping.yml into the security index with the admin certificate
export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h localhost -nhnv

# plus restart dashboard afterwards
systemctl restart wazuh-dashboard

# roles_mapping.yml
all_access:
  reserved: false
  hidden: false
  backend_roles:
  #- "wazuh-admins"
  - "admin"
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps SAML admin to all_access"

@Videothek (Author)

Videothek commented Nov 7, 2023

> did you add the backend role to your roles_mapping.yml? and add a role mapping inside of wazuh security (https://documentation.wazuh.com/current/_images/Wazuh-role-mapping7.png / https://documentation.wazuh.com/current/_images/Wazuh-role-mapping1.gif)
>
> oh and push that configuration to your wazuh instance afterwards via
>
> export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h localhost -nhnv
>
> # plus restart dashboard afterwards
> systemctl restart wazuh-dashboard
>
> # roles_mapping.yml
> all_access:
>   reserved: false
>   hidden: false
>   backend_roles:
>   #- "wazuh-admins"
>   - "admin"
>   hosts: []
>   users: []
>   and_backend_roles: []
>   description: "Maps SAML admin to all_access"

In my case run_as was set to false, that's why I assumed that I didn't need to add the role mapping. Since I am not able to open the web UI, I need to figure out how to open it to add the role mapping. I will update this issue once I am able to do it.

My roles_mapping.yaml has the following lines:

all_access:
  reserved: true
  hidden: false
  backend_roles:
  - "admin"
  - "Admin"
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps admin to all_access"

(I just copied the all_access part)

I added the Admin role, because my Authentik Account is part of this group.

I also set a property mapping in Authentik:

# emit every Authentik group the user belongs to as a SAML attribute value
for group in user.ak_groups.all():
    yield group.name
# members of the "Admin" group additionally get the "admin" value used in roles_mapping.yml
if ak_is_group_member(request.user, name="Admin"):
    yield "admin"

Thank you for your answer, I will try the part with the role mapping in the web UI.

@Videothek (Author)

Videothek commented Nov 7, 2023

> did you add the backend role to your roles_mapping.yml? and add a role mapping inside of wazuh security (https://documentation.wazuh.com/current/_images/Wazuh-role-mapping7.png / https://documentation.wazuh.com/current/_images/Wazuh-role-mapping1.gif)
>
> oh and push that configuration to your wazuh instance afterwards via
>
> export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h localhost -nhnv
>
> # plus restart dashboard afterwards
> systemctl restart wazuh-dashboard
>
> # roles_mapping.yml
> all_access:
>   reserved: false
>   hidden: false
>   backend_roles:
>   #- "wazuh-admins"
>   - "admin"
>   hosts: []
>   users: []
>   and_backend_roles: []
>   description: "Maps SAML admin to all_access"

OK, so I managed to access the web UI and create the role mapping as shown in the link you sent: https://documentation.wazuh.com/current/_images/Wazuh-role-mapping7.png

Unfortunately it yields the same result as before.

Thank you anyway.

Do you have any other idea?

Do you use Authentik as SSO provider for your Wazuh instance?

@maikroservice

I tried to set up Authentik and Wazuh but failed, and now use Keycloak, which was much easier to set up for me 😅

General question - have you checked logs for the 401 and possible hints in the stack traces?

e.g. journalctl -f -u wazuh-dashboard and then try to access the dashboard

What helped me when I first had 500 errors and then 401s was to go through the process from scratch with a new tenant/realm again.

This made sure that all the necessary setup steps were in order on the Authentik side, and when you keep the changes on the Wazuh side you can drill down into possible failure scenarios.

401 indicates that the backend roles from authentik are not "synced" to wazuh and therefore your user does not have access to the dashboard.

https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/administrator/keycloak.html

You could use this documentation as a baseline for "what needs to happen" and make sure that the securityadmin script is run (as root/sudo) every time you update your config.yml / roles_mapping.yml

@Videothek (Author)

Running journalctl -f -u wazuh-dashboard when trying to log in shows the following:

Nov 07 15:24:58 wazuh opensearch-dashboards[740862]: {"type":"response","@timestamp":"2023-11-07T14:24:58Z","tags":[],"pid":740862,"method":"get","statusCode":401,"req":{"url":"/_opendistro/_security/saml/acs/idpinitiated?SAMLResponse=very_long_string_of_characters %3D%3D","method":"get","headers":{"host":"wazuh_dashboard_url","connection":"close","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8","accept-language":"de,en-US;q=0.7,en;q=0.3","accept-encoding":"gzip, deflate, br","upgrade-insecure-requests":"1","sec-fetch-dest":"document","sec-fetch-mode":"navigate","sec-fetch-site":"cross-site"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /_opendistro/_security/saml/acs/idpinitiated?SAMLResponse=very_long_string_of_characters 401 2ms - 9.0B"}

My Wazuh installation was very new and it worked before, that's why I think this shouldn't be the problem, but you never know...

The remote address shows 127.0.0.1 because i am running Wazuh behind a Nginx proxy on the same system.

I also looked at https://documentation.wazuh.com/current/user-manual/user-administration/single-sign-on/administrator/keycloak.html and I added some extra steps that were mentioned.

I am also running the script after every update of the config files as shown in the official Wazuh docs.

I am fully "invested" in Authentik since I am running all my SAML and OpenID requests with it.

That's why it would be nice to get it working with Authentik.

Thank you for your response.
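The journal line above is the only evidence of what went wrong, and the same format is what you get from `journalctl -u wazuh-dashboard` on every SAML login attempt. The script below is an added example (not code from this issue, from Wazuh or from Authentik) that parses those lines, counts responses per path and status, and pulls out failed callbacks to the SAML ACS endpoint. It blanks the SAMLResponse query value before reporting, because that value is the base64-encoded signed assertion with the user's identity and roles and should not be pasted into tickets or chat. The sample journal lines are constructed to mimic the issue's log line; the function names are my own.

```python
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# journalctl prefix ("Nov 07 15:24:58 wazuh opensearch-dashboards[740862]: ") followed by the JSON record.
JOURNAL_RE = re.compile(r"^(?P<prefix>.*?\]): (?P<payload>\{.*\})\s*$")
ACS_PREFIX = "/_opendistro/_security/saml/acs"

# Constructed sample in the format shown in this issue (not real captures; the SAMLResponse value is dummy).
SAMPLE_JOURNAL = """\
Nov 07 15:24:58 wazuh opensearch-dashboards[740862]: {"type":"response","@timestamp":"2023-11-07T14:24:58Z","tags":[],"pid":740862,"method":"get","statusCode":401,"req":{"url":"/_opendistro/_security/saml/acs/idpinitiated?SAMLResponse=PHNhbWxwOlJlc3BvbnNl%3D%3D","method":"get","headers":{"host":"wazuh_dashboard_url","connection":"close"},"remoteAddress":"127.0.0.1","userAgent":"Firefox"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /_opendistro/_security/saml/acs/idpinitiated?SAMLResponse=PHNhbWxwOlJlc3BvbnNl%3D%3D 401 2ms - 9.0B"}
Nov 07 15:25:01 wazuh opensearch-dashboards[740862]: {"type":"response","@timestamp":"2023-11-07T14:25:01Z","tags":[],"pid":740862,"method":"get","statusCode":302,"req":{"url":"/app/wazuh","method":"get","headers":{},"remoteAddress":"127.0.0.1","userAgent":"Firefox"},"res":{"statusCode":302,"responseTime":1,"contentLength":0},"message":"GET /app/wazuh 302 1ms - 0.0B"}
Nov 07 15:25:02 wazuh opensearch-dashboards[740862]: {"type":"log","@timestamp":"2023-11-07T14:25:02Z","tags":["info","plugins","securityDashboards"],"pid":740862,"message":"SAML auth attempt"}
Nov 07 15:25:03 wazuh opensearch-dashboards[740862]: some non-json line
"""


def redact_saml(text):
    """Blank the SAMLResponse value: it carries the signed assertion (identity and roles)."""
    return re.sub(r"(SAMLResponse=)[^&\s]*", r"\1<redacted>", text)


def parse_journal_line(line):
    """Return the JSON record of a dashboard journal line, or None for non-JSON lines."""
    m = JOURNAL_RE.match(line)
    if not m:
        return None
    try:
        return json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return None


def triage(journal_text):
    """Count (path, status) pairs over all response records and collect failed SAML ACS callbacks."""
    status_by_path = Counter()
    acs_failures = []
    skipped = 0  # lines that are not "response" records (plugin log lines, non-JSON output)
    for line in journal_text.splitlines():
        rec = parse_journal_line(line)
        if rec is None or rec.get("type") != "response":
            skipped += 1
            continue
        req = rec.get("req", {})
        url = req.get("url", "")
        path = urlsplit(url).path
        status = rec.get("statusCode")
        status_by_path[(path, status)] += 1
        if path.startswith(ACS_PREFIX) and status in (401, 403, 500):
            acs_failures.append({
                "timestamp": rec.get("@timestamp"),
                "path": path,
                "status": status,
                # 127.0.0.1 when a reverse proxy runs on the same host, as in this issue
                "remote": req.get("remoteAddress"),
                "url": redact_saml(url),
            })
    return {"status_by_path": status_by_path, "acs_failures": acs_failures, "skipped": skipped}


if __name__ == "__main__":
    # Real use: triage(open("/path/to/journalctl-output.txt").read())
    result = triage(SAMPLE_JOURNAL)
    for f in result["acs_failures"]:
        print(f"{f['timestamp']} {f['status']} {f['path']} from {f['remote']}  {f['url']}")
    for (path, status), n in sorted(result["status_by_path"].items(), key=str):
        print(f"{n:4d} {status} {path}")
```

A 401 on `/_opendistro/_security/saml/acs/idpinitiated` with a tiny response body, as in the line above, means the dashboard accepted the callback but the security plugin rejected the assertion or found no usable roles; the surrounding `tags: [..., "securityDashboards"]` log records, which this script skips as non-response lines, usually carry the reason.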

@maikroservice

Add me on Discord (@maikroservice) and we can debug interactively.

@Videothek (Author)

Videothek commented Nov 9, 2023

@maikroservice and I got it figured out.

A detailed step-by-step guide can be read on @maikroservice's blog.

In Authentik you have to configure your provider like this:

[screenshot]

[screenshot]

The Wazuh Admin mapping looks like this:

[screenshot]

The Authentik group I want to have access to Wazuh is called Admin (change this group to the one that fits your configuration).

On the Wazuh side I configured things like this:

Added the following to /etc/wazuh-indexer/opensearch-security/config.yml:

      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: "https://your_authentik_metadata_download_url/"
              entity_id: "wazuh-saml"
            sp:
              entity_id: "wazuh-saml"
            kibana_url: "https://your_wazuh_url/"
            roles_key: Roles
            exchange_key: "X509_certificate_part_from_authentik_metadata_file"
        authentication_backend:
          type: noop

/etc/wazuh-indexer/opensearch-security/roles_mapping.yml:

all_access:
  reserved: true
  hidden: false
  backend_roles:
  - "admin"
  hosts: []
  users: []
  and_backend_roles: []
  description: "Maps admin to all_access"

Added the following to /etc/wazuh-dashboard/opensearch_dashboards.yml:

opensearch_security.auth.type: "saml"
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false

And finally the following role mapping within the Wazuh Dashboard:

[screenshot]

This should be all you need to configure.

Don't forget to follow the Wazuh SAML documentation step by step and add the values from this issue according to your configuration.
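The working setup above spreads one SAML trust relationship over three Wazuh-side files plus the Authentik provider, and the 401 in this issue came from those pieces not lining up. The checker below is an added example (not code from this issue, from Wazuh or from Authentik) that cross-checks the three snippets against what the IdP is configured to send: the Issuer/audience must equal `sp.entity_id`, the ACS URL registered at the IdP must be the one the security plugin derives from `kibana_url` (assumed here, as in the OpenSearch security plugin, to be `kibana_url` plus `/_opendistro/_security/saml/acs`), `roles_key` must be the SAML attribute name, the dashboard XSRF allowlist must contain the SAML paths, and `all_access.backend_roles` must intersect the values the property mapping yields. The inputs are constructed from the snippets posted in this issue (placeholder URLs kept); the second input set reconstructs the first post's `saml_auth_domain`, with the dashboard settings assumed absent for illustration. Function names are my own.

```python
import copy

# SAML paths served by the dashboard security plugin (as listed in the allowlist in this issue).
ACS_PATH = "/_opendistro/_security/saml/acs"
ACS_IDP_INITIATED_PATH = ACS_PATH + "/idpinitiated"
LOGOUT_PATH = "/_opendistro/_security/saml/logout"
SAML_PATHS = (ACS_PATH, LOGOUT_PATH, ACS_IDP_INITIATED_PATH)


def expected_acs_urls(kibana_url):
    """ACS URLs the SP advertises; assumption: the plugin builds them from kibana_url (see lead-in)."""
    base = kibana_url.rstrip("/")
    return {base + ACS_PATH, base + ACS_IDP_INITIATED_PATH}


def check_saml_setup(saml_domain, dashboard_cfg, roles_mapping, idp):
    """Return 'code: detail' findings; an empty list means the four pieces agree.

    saml_domain   -- the saml_auth_domain mapping from opensearch-security/config.yml
    dashboard_cfg -- flat key/value mapping from opensearch_dashboards.yml
    roles_mapping -- mapping from roles_mapping.yml
    idp           -- what the IdP sends: issuer, acs_url, roles_attribute, roles_sent
    """
    findings = []
    authc = saml_domain.get("http_authenticator", {})
    cfg = authc.get("config", {})
    if authc.get("type") != "saml":
        findings.append("authenticator-type: http_authenticator.type must be 'saml'")
    if saml_domain.get("authentication_backend", {}).get("type") != "noop":
        findings.append("backend-type: authentication_backend.type should be 'noop' for SAML")
    sp_entity = cfg.get("sp", {}).get("entity_id")
    if sp_entity != idp["issuer"]:
        findings.append(f"issuer-mismatch: sp.entity_id {sp_entity!r} != IdP issuer/audience {idp['issuer']!r}")
    kibana_url = cfg.get("kibana_url", "")
    if idp["acs_url"] not in expected_acs_urls(kibana_url):
        findings.append(f"acs-url-mismatch: IdP ACS {idp['acs_url']!r} is not derived from kibana_url {kibana_url!r}")
    if cfg.get("roles_key") != idp["roles_attribute"]:
        findings.append(f"roles-key: roles_key {cfg.get('roles_key')!r} != SAML attribute {idp['roles_attribute']!r}")
    if not cfg.get("exchange_key"):
        findings.append("exchange-key: exchange_key is empty")
    if dashboard_cfg.get("opensearch_security.auth.type") != "saml":
        findings.append("dashboard-auth-type: opensearch_security.auth.type must be 'saml'")
    missing = [p for p in SAML_PATHS if p not in set(dashboard_cfg.get("server.xsrf.allowlist", []))]
    if missing:
        findings.append(f"xsrf-allowlist: missing {missing}")
    mapped = set(roles_mapping.get("all_access", {}).get("backend_roles", []))
    if not mapped & set(idp["roles_sent"]):
        findings.append(f"role-mapping: none of {sorted(idp['roles_sent'])} is in all_access.backend_roles {sorted(mapped)}")
    return findings


# Constructed inputs mirroring the working configuration posted in this issue.
WORKING_SAML_DOMAIN = {
    "http_enabled": True, "transport_enabled": False, "order": 1,
    "http_authenticator": {
        "type": "saml", "challenge": True,
        "config": {
            "idp": {"metadata_url": "https://your_authentik_metadata_download_url/", "entity_id": "wazuh-saml"},
            "sp": {"entity_id": "wazuh-saml"},
            "kibana_url": "https://your_wazuh_url/",
            "roles_key": "Roles",
            "exchange_key": "X509_certificate_part_from_authentik_metadata_file",
        },
    },
    "authentication_backend": {"type": "noop"},
}
WORKING_DASHBOARD = {
    "opensearch_security.auth.type": "saml",
    "server.xsrf.allowlist": [ACS_PATH, LOGOUT_PATH, ACS_IDP_INITIATED_PATH],
    "opensearch_security.session.keepalive": False,
}
WORKING_ROLES_MAPPING = {"all_access": {"reserved": True, "hidden": False, "backend_roles": ["admin"]}}
# Authentik side as described in the issue: Issuer wazuh-saml, IdP-initiated ACS URL,
# "Roles" attribute filled by the property mapping (group names plus "admin" for the Admin group).
AUTHENTIK = {
    "issuer": "wazuh-saml",
    "acs_url": "https://your_wazuh_url" + ACS_IDP_INITIATED_PATH,
    "roles_attribute": "Roles",
    "roles_sent": ["Admin", "admin"],
}

# Reconstruction of the first post: kibana_url pointed at /app/wazuh while the ACS URL registered
# in Authentik sat at the site root; dashboard settings assumed absent for illustration.
INITIAL_SAML_DOMAIN = copy.deepcopy(WORKING_SAML_DOMAIN)
INITIAL_SAML_DOMAIN["http_authenticator"]["config"]["kibana_url"] = "https://wazuh_URL/app/wazuh"
INITIAL_SAML_DOMAIN["http_authenticator"]["config"]["idp"]["entity_id"] = "Authentik URL"
INITIAL_DASHBOARD = {"opensearch_security.auth.type": "saml"}
INITIAL_AUTHENTIK = dict(AUTHENTIK, acs_url="https://wazuh_URL" + ACS_IDP_INITIATED_PATH)

if __name__ == "__main__":
    for label, args in (("working", (WORKING_SAML_DOMAIN, WORKING_DASHBOARD, WORKING_ROLES_MAPPING, AUTHENTIK)),
                        ("initial", (INITIAL_SAML_DOMAIN, INITIAL_DASHBOARD, WORKING_ROLES_MAPPING, INITIAL_AUTHENTIK))):
        print(label, check_saml_setup(*args) or ["ok"])
```

Each finding names the file and key to fix; after changing config.yml or roles_mapping.yml the securityadmin.sh run and dashboard restart from earlier in this thread still have to happen, which this checker cannot see.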
