Testing SAML with ROR Enterprise

Get started with ReadonlyREST Enterprise and SAML in a localhost testbed

ROR Team

Aug 5, 2023

getting started Security

TABLE OF CONTENTS

Run Keycloak

Keycloak configuration

Certificate setup

Configuring ReadonlyREST

In action

This is a really quick bunch of notes on how to get an experimental SAML IdP to work with ROR Enterprise for quick testing or product evaluation.

Run Keycloak

Download Keycloak (this was tested with version 16.1.0).

Unpack it locally in a folder.

Then run the standalone server like so:

bin/standalone -b 0.0.0.0

Keycloak configuration

The administrative UI is under this URL:

http://localhost:8080/auth/admin

If you can’t log in because you forgot the credentials, reset the admin password:

./bin/add-user-keycloak.sh -r master -u admin -p admin

You have to create:

A ror realm

With a ror client of type SAML

With roughly these settings:

Make sure you have users inside the ror SAML client

Click on the “ror” name and make sure you have at least a user associated to it

Certificate setup

Copy the certificate base64 representation as a string, and dump it into the kibana.yml file in the “cert” field.

Now you should be able to run Kibana with ReadonlyREST Enterprise

Configuring ReadonlyREST

Make sure you have a running ELK stack, with ReadonlyREST Enterprise installed in Kibana and ReadonlyREST Free installed in Elasticsearch.

This is a configuration example is straight from development environment. It assumes Kibana and Keycloak run in localhost. Make sure yours is similar to this for the “auth” part:


readonlyrest_kbn:

    cookiePass: '12312313123213123213123adadasdasdasd'
    logLevel: 'trace'
    clearSessionOnEvents: [login, tenancyHop]

    auth:
        signature_key: "9yzBfnLaTYLfGPzyKW9es76RKYhUVgmuv6ZtehaScj5msGpBpa5FWpwk295uJYaaffTFnQC5tsknh2AguVDaTrqCLfM5zCTqdE4UGNL73h28Bg4dPrvTAFQyygQqv4xfgnevBED6VZYdfjXAQLc8J8ywaHQQSmprZqYCWGE6sM3vzNUEWWB3kmGrEKa4sGbXhmXZCvL6NDnEJhXPDJAzu9BMQxn8CzVLqrx6BxDgPYF8gZCxtyxMckXwCaYXrxAGbjkYH69F4wYhuAdHSWgRAQCuWwYmWCA6g39j4VPge5pv962XYvxwJpvn23Y5KvNZ5S5c6crdG4f4gTCXnU36x92fKMQzsQV9K4phcuNvMWkpqVB6xMA5aPzUeHcGytD93dG8D52P5BxsgaJJE6QqDrk3Y2vyLw9ZEbJhPRJxbuBKVCBtVx26Ldd46dq5eyyzmNEyQGLrjQ4qd978VtG8TNT5rkn4ETJQEju5HfCBbjm3urGLFVqxhGVawecT4YM9Rry4EqXWkRJGTFQWQRnweUFbKNbVTC9NxcXEp6K5rSPEy9trb5UYLYhhMJ9fWSBMuenGRjNSJxeurMRCaxPpNppBLFnp8qW5ezfHgCBpEjkSNNzP4uXMZFAXmdUfJ8XQdPTWuYfdHYc5TZWnzrdq9wcfFQRDpDB2zX5Myu96krDt9vA7wNKfYwkSczA6qUQV66jA8nV4Cs38cDAKVBXnxz22ddAVrPv8ajpu7hgBtULMURjvLt94Nc5FDKw79CTTQxffWEj9BJCDCpQnTufmT8xenywwVJvtj49yv2MP2mGECrVDRmcGUAYBKR8G6ZnFAYDVC9UhY46FGWDcyVX3HKwgtHeb45Ww7dsW8JdMnZYctaEU585GZmqTJp2LcAWRcQPH25JewnPX8pjzVpJNcy7avfA2bcU86bfASvQBDUCrhjgRmK2ECR6vzPwTsYKRgFrDqb62FeMdrKgJ9vKs435T5ACN7MNtdRXHQ4fj5pNpUMDW26Wd7tt9bkBTqEGf"

        saml_kc:
            buttonName: "KeyCloak SAML SSO"
            enabled: true
            type: "saml"
            issuer: "ror"
            entryPoint: "http://localhost:8080/auth/realms/ror/protocol/saml"
            kibanaExternalHost: 'localhost:5601'
            protocol: "https"
            usernameParameter: "nameID"
            groupsParameter: "Role"
            logoutUrl: "http://localhost:8080/auth/realms/ror/protocol/saml"
            cert: "MIIClTCCAX0CBgGAkyzPIDANBgkqhkiG9w0BAQsFADAOMQwwCgYDVQQDDANyb3IwHhcNMjIwNTA1MDc0MjA5WhcNMzIwNTA1MDc0MzQ5WjAOMQwwCgYDVQQDDANyb3IwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCigkWUUB/kHBe76u6CxDK/W2kbqCfcZbWrCrMpQH5ESQC5YqG/WzObusaw5lWiGThzqJPFVXxbDnS+uh56ROw27TpxsSMwgyD2GpW42yl2G0Jrf3HYKskmFnrcy2PMTml8DbyGC3v59RRxVv2XR32cE3BeiID4WFhIcsWjrKTjB+0U+rhrocRXG+dalxiT0dyE1wgwkcEGCZu8vnKRYmC5sazw9xDWAZVcN+SKQweRMWu4ZO6TcrtIERT8NrswUlqij0c1VbmmC3qraK5Lmfn8QCE7ZDH17o8n8HyGBoETnQUHcfL9fFHF/cD/+CnjWocBAX0rjLBnl5S3IuaWT78xAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAIgtUSteWw6ZVlpfV5ATkF1o9ZPcJj4KZ+BNfcB5UIcCPCONvO3GiHskCbHTSFSFtBEaxe1mLb2MEptqG0OVDOUtZtoOqWIc2KIObzkgBtOmLmt/modDlRbTzeoNwV4oiwz36VvoY1urxJYglUzQMQVJhEYPw5sxb/Yxj/4nUSgtF9ohVsEJCa0N+WSSykT87M1Afm/kKOO8hS7iGv7+SpSHfAXKQBHXQ4cLOuLoAs6OPPO0/U+XTdvEchXIrh24VPJAG+i5Y/kPkFbQciw8ULpMmwCSWH8W5vXAUfQMSJ47UkfD3TpzAZKNeSVGtwWv6i0EUrpXoPNC/+yuPuTWoQg="

And the readonlyrest.yml (on the Elasticsearch side) should contain a ror_kbn definition and a specific ACL block using it.


readonlyrest:
	access_control_rules:
	- name: "ReadonlyREST Enterprise instance #1"
	    kibana_index: ".kibana_external_auth"
	    ror_kbn_auth:
	      name: "kbn1"
	
	
	  ror_kbn:
	  - name: kbn1
	    signature_key: "9yzBfnLaTYLfGPzyKW9es76RKYhUVgmuv6ZtehaScj5msGpBpa5FWpwk295uJYaaffTFnQC5tsknh2AguVDaTrqCLfM5zCTqdE4UGNL73h28Bg4dPrvTAFQyygQqv4xfgnevBED6VZYdfjXAQLc8J8ywaHQQSmprZqYCWGE6sM3vzNUEWWB3kmGrEKa4sGbXhmXZCvL6NDnEJhXPDJAzu9BMQxn8CzVLqrx6BxDgPYF8gZCxtyxMckXwCaYXrxAGbjkYH69F4wYhuAdHSWgRAQCuWwYmWCA6g39j4VPge5pv962XYvxwJpvn23Y5KvNZ5S5c6crdG4f4gTCXnU36x92fKMQzsQV9K4phcuNvMWkpqVB6xMA5aPzUeHcGytD93dG8D52P5BxsgaJJE6QqDrk3Y2vyLw9ZEbJhPRJxbuBKVCBtVx26Ldd46dq5eyyzmNEyQGLrjQ4qd978VtG8TNT5rkn4ETJQEju5HfCBbjm3urGLFVqxhGVawecT4YM9Rry4EqXWkRJGTFQWQRnweUFbKNbVTC9NxcXEp6K5rSPEy9trb5UYLYhhMJ9fWSBMuenGRjNSJxeurMRCaxPpNppBLFnp8qW5ezfHgCBpEjkSNNzP4uXMZFAXmdUfJ8XQdPTWuYfdHYc5TZWnzrdq9wcfFQRDpDB2zX5Myu96krDt9vA7wNKfYwkSczA6qUQV66jA8nV4Cs38cDAKVBXnxz22ddAVrPv8ajpu7hgBtULMURjvLt94Nc5FDKw79CTTQxffWEj9BJCDCpQnTufmT8xenywwVJvtj49yv2MP2mGECrVDRmcGUAYBKR8G6ZnFAYDVC9UhY46FGWDcyVX3HKwgtHeb45Ww7dsW8JdMnZYctaEU585GZmqTJp2LcAWRcQPH25JewnPX8pjzVpJNcy7avfA2bcU86bfASvQBDUCrhjgRmK2ECR6vzPwTsYKRgFrDqb62FeMdrKgJ9vKs435T5ACN7MNtdRXHQ4fj5pNpUMDW26Wd7tt9bkBTqEGf"

Notice signature_key fields have the same random value in both YAML files, so they share a secret and can validate the requests.