This section describes how Wazuh can be integrated with several Identity Providers (IdP) to implement Single Sign-On (SSO).
The guide assumes you already have a Wazuh indexer and a Wazuh dashboard installation. To learn more, see the installation guide.
The following parameters are required to make the configurations on the Wazuh dashboard instance:
idp.metadata_url: URL to an XML file that contains metadata information about the application configured on the IdP side. It can be used instead of
idp.metadata_file: XML File that contains the metadata information about the application configured on the IdP side. It can be used instead of
idp.entity_id: Entity ID of the Identity Provider. This is a unique value assigned to an Identity Provider.
sp.entity_id: Entity ID of the Service Provider. This is a unique value assigned to a Service Provider.
kibana_url: URL to access the Wazuh dashboard.
roles_key: The attribute in the SAML assertion where the roles/groups are sent.
exchange_key: The key that will be used to sign the assertions. It must have at least 32 characters.
The group and role names used in this guide can be changed. They do not necessarily have to be the ones we used.
OpenSearch and the SAML assertion are case sensitive. Therefore the values on the IDP and in the SAML configuration of the Wazuh indexer have to be exactly the same.
It is recommended to clear the browser cache and cookies before the integration is carried out.
securityadminscript has to be executed with root user privileges
Administrator permissions are being assigned in this integration. The RBAC guide can be used to configure any other necessary roles based on the user requirements.
Each group that is generated in the IDPs can only be used as one
backend_role. In a case where other roles such as
read-onlyare needed, a new group will have to be created for this purpose.