@andrew-qa
Last active August 4, 2023 07:09
ECK Okta OIDC settings

Starting point: https://www.elastic.co/blog/how-to-set-up-openid-connect-on-elastic-cloud-with-azure-google-okta#okta

First of all, you need an Elastic license of Platinum level or higher to use SSO of any kind, so check your license first.

If you're eligible for SSO, start with the configuration:

  1. Install ECK. E.g. using this method https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-deploy-eck.html
  2. Deploy the Elasticsearch CRD. E.g. https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-deploy-elasticsearch.html
  3. Add a proper app in Okta and get its Client ID and Client secret.
  4. Add a Kubernetes secret with the OIDC client secret. The file name must equal the Elasticsearch secure setting it populates:

```shell
# Write the Okta client secret to a file named after the secure setting key
echo "<YOUR SECRET>" > xpack.security.authc.realms.oidc.oidc1.rp.client_secret
# Create the secret in the same namespace as the Elasticsearch resource
kubectl create secret generic okta-eck-secret --from-file=xpack.security.authc.realms.oidc.oidc1.rp.client_secret -n <YOUR NAMESPACE>
```
  5. To enable OIDC, add the proper config to your elasticsearch.yaml and apply the changes to the cluster. The `op.*` endpoints belong to Okta (the OpenID Provider), not to Kibana; only `rp.redirect_uri` points at Kibana:

```yaml
spec:
  version: 7.10.2
  secureSettings:
  - secretName: okta-eck-secret   # provides rp.client_secret
  nodeSets:
  - name: default
    count: 3
    config:
      xpack:
        security:
          enabled: true
          authc:
            token.enabled: true
            realms:
              oidc:
                oidc1:
                  order: 2
                  rp.client_id: "<YOUR OKTA ID>"
                  rp.response_type: "code"
                  rp.requested_scopes: ["openid", "email"]
                  # Kibana's OIDC callback; must match the redirect URI registered in the Okta app
                  rp.redirect_uri: "<YOUR KIBANA URL WITH HTTP/S>/api/security/v1/oidc"
                  # Okta issuer and endpoints (OpenID Provider side)
                  op.issuer: "<YOUR OKTA ISSUER URL>"
                  op.authorization_endpoint: "<YOUR OKTA DOMAIN WITH HTTP/S>/oauth2/v1/authorize"
                  op.token_endpoint: "<YOUR OKTA DOMAIN WITH HTTP/S>/oauth2/v1/token"
                  op.userinfo_endpoint: "<YOUR OKTA DOMAIN WITH HTTP/S>/oauth2/v1/userinfo"
                  op.endsession_endpoint: "<YOUR OKTA DOMAIN WITH HTTP/S>/oauth2/v1/logout"
                  op.jwkset_path: "<YOUR OKTA DOMAIN WITH HTTP/S>/oauth2/v1/keys"
                  # Use the email claim as the principal, keeping only the local part for your domain
                  claims.principal: email
                  claim_patterns.principal: "^([^@]+)@<YOUR DOMAIN>\\.com$"
```
  6. Then create the role mapping. Find the Elasticsearch service in your k8s cluster (something like yourname-es-http) and send a request like this from a pod in the same cluster:

```shell
# Replace yourname-es-http.logging.svc with your Elasticsearch service and namespace.
# -k skips verification of the ECK-generated certificate.
curl -u "elastic:<YOUR PASSWORD>" -X POST -k "https://yourname-es-http.logging.svc:9200/_xpack/security/role_mapping/oidc_kibana" -H 'Content-Type: application/json' -d '
{
  "enabled": true,
  "roles": [ "superuser" ],
  "rules" : {
    "all" : [
      {
        "field" : {
          "realm.name" : "oidc1"
        }
      },
      {
        "field" : {
          "username" : "*"
        }
      }
    ]
  },
  "metadata": { "version": 1 }
}
'
```
  7. Then update kibana.yaml and apply the changes to the cluster:

```yaml
spec:
  config:
    xpack.security.authc.providers:
      oidc.oidc1:
        order: 0
        realm: oidc1
        description: "Log in with Okta"
      basic.basic1:
        order: 1
```
  8. And you should be all set.
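The role mapping in step 6 grants `superuser` to every user who authenticates through the `oidc1` realm, because `username: "*"` matches any principal. As an added example (not code from the gist), the Python below evaluates Elasticsearch's role-mapping rule DSL (`all`, `any`, `except`, `field` with wildcards) against constructed user documents, comparing the gist's mapping with a tighter one keyed on a `groups` field; the tighter mapping assumes the realm also maps an Okta groups claim via `claims.groups`, which this page does not configure.

```python
import fnmatch

# Role mapping exactly as in step 6: every oidc1 user becomes superuser.
PAGE_MAPPING = {
    "enabled": True,
    "roles": ["superuser"],
    "rules": {"all": [
        {"field": {"realm.name": "oidc1"}},
        {"field": {"username": "*"}},
    ]},
}

# Constructed, tighter alternative (assumption: the realm maps an Okta groups claim
# with claims.groups, so the user document carries a "groups" list).
TIGHT_MAPPING = {
    "enabled": True,
    "roles": ["kibana_admin"],
    "rules": {"all": [
        {"field": {"realm.name": "oidc1"}},
        {"field": {"groups": "elastic-admins"}},
    ]},
}

def _lookup(user, path):
    """Resolve a dotted field name such as "realm.name" against the user document."""
    cur = user
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def _field_matches(user, field, expected):
    """A field rule matches if any value of the field matches any expected pattern (* and ? wildcards)."""
    actual = _lookup(user, field)
    values = actual if isinstance(actual, list) else [actual]
    wanted = expected if isinstance(expected, list) else [expected]
    return any(v is not None and fnmatch.fnmatchcase(str(v), str(w)) for v in values for w in wanted)

def evaluate(rule, user):
    """Evaluate a role-mapping rule tree (all / any / except / field) against a user document."""
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    if "except" in rule:
        return not evaluate(rule["except"], user)
    if "field" in rule:
        return all(_field_matches(user, f, v) for f, v in rule["field"].items())
    raise ValueError(f"unknown rule: {rule}")

def roles_for(user, mappings):
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for m in mappings:
        if m.get("enabled", True) and evaluate(m["rules"], user):
            roles.update(m["roles"])
    return sorted(roles)

# Constructed user documents as Elasticsearch would see them after login.
OKTA_USER = {"username": "alice", "realm": {"name": "oidc1"}, "groups": ["everyone"]}
OKTA_ADMIN = {"username": "bob", "realm": {"name": "oidc1"}, "groups": ["everyone", "elastic-admins"]}
NATIVE_USER = {"username": "alice", "realm": {"name": "native"}, "groups": []}
```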

I hope it was helpful.
