Wazuh & Keycloak using OpenID


Use case:

Set up Keycloak (Version 26.0.5) for Authentication using the OpenID protocol in Wazuh (Version 4.9.1).

Keycloak Configuration:

  • Create a new OpenID Connect client, set the Valid redirect URIs and Valid post logout redirect URIs to your Wazuh dashboard, and add a token mapper as shown below:
  • Create a realm role named Admin and assign the admin role:
  • Create a group and add admin in Role mapping:
  • Create a user and add it to the group:

Wazuh indexer configuration:

  • Configure the Wazuh indexer to use OpenID Connect by modifying /etc/wazuh-indexer/opensearch-security/config.yml (my realm name is WazuhOpenID):
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: intern

      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            openid_connect_idp:
              enable_ssl: false
              verify_hostnames: false
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: http://192.168.121.1:8080/realms/WazuhOpenID/.well-known/openid-configuration
        authentication_backend:
          type: noop
  • Load the new security configuration
export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h 192.168.121.97 -nhnv
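As an added example (not from the original post), the Python below shows how the `subject_key` and `roles_key` named in the openid_auth_domain config above are resolved against the claims of a decoded ID token, using constructed tokens. It assumes the Keycloak token mapper emits the realm roles as a flat `roles` claim, which is what `roles_key: roles` requires; Keycloak's default layout nests them under `realm_access.roles`, so without the mapper the user gets no backend roles.

```python
import base64
import json
import time

# Claim names taken from the page's openid_auth_domain config.
SUBJECT_KEY = "preferred_username"
ROLES_KEY = "roles"

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT checked here:
    the indexer validates it against the IdP's JWKS; this only inspects claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def map_identity(claims: dict, subject_key=SUBJECT_KEY, roles_key=ROLES_KEY, now=None):
    """Resolve subject and backend roles the way the openid authenticator config
    names them. Returns (subject, roles) or raises ValueError with the reason."""
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("token expired")
    if subject_key not in claims:
        raise ValueError(f"subject_key '{subject_key}' missing from token")
    roles = claims.get(roles_key)
    if not isinstance(roles, list):
        # Default Keycloak mapper nests realm roles under realm_access.roles,
        # which a flat roles_key does not see -> user maps to no backend roles.
        raise ValueError(f"roles_key '{roles_key}' missing or not a list; "
                         "check the Keycloak token mapper")
    return claims[subject_key], roles

def make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned (alg none) token for offline demonstration."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed sample tokens: with the custom mapper (flat roles claim)...
GOOD = make_unsigned_token({"preferred_username": "alice", "roles": ["admin"], "exp": 4102444800})
# ...and Keycloak's default layout without the mapper.
NO_MAPPER = make_unsigned_token({"preferred_username": "alice", "realm_access": {"roles": ["admin"]}, "exp": 4102444800})

if __name__ == "__main__":
    print(map_identity(decode_claims(GOOD)))
    try:
        map_identity(decode_claims(NO_MAPPER))
    except ValueError as e:
        print("rejected:", e)
```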

Wazuh Dashboard configuration:

  • Set the OpenID authentication configuration by adding the following to /etc/wazuh-dashboard/opensearch_dashboards.yml:
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.openid.connect_url: http://192.168.121.1:8080/realms/WazuhOpenID/.well-known/openid-configuration
opensearch_security.openid.base_redirect_url: https://192.168.121.97
opensearch_security.openid.client_id: wazuh-OpenID
  • Restart Wazuh dashboard: systemctl restart wazuh-dashboard

Demo:

