habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c7963e4af760589cf3beef173f57fb9341fed9d6
authentik/website/integrations/services/wazuh/index.mdx
Dewi Roberts 856ac052e7 website/integrations: replaces all kbd and em tags (#14980) 
Replaces all kbd and em tags
2025-06-09 21:06:37 +01:00

227 lines
10 KiB
Plaintext
Raw Blame History

---
title: Integrate with Wazuh
sidebar_label: Wazuh
support_level: community
---
## What is Wazuh
> Wazuh is a security platform that aims to safeguard data assets across multiple environments including on-site, virtualized, containerized, and cloud-based.
>
> -- https://wazuh.com
## Preparation
The following placeholders are used in this guide:
- `wazuh-dashboard.company` is the FQDN of the Wazuh Dashboard installation.
- `wazuh-indexer.company` is the FQDN of the Wazuh Indexer installation
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Wazuh with authentik, you need to create a group, a property mapping, and an application/provider pair in authentik.
### Create a user group in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Directory** > **Groups** and click **Create**.
3. Set a name for the group (e.g. `wazuh-administrators`) and click **Create**.
4. Click the name of the newly created group and navigate to the **Users** tab.
5. Click **Add existing user**, select the user that needs Wazuh admin access and click **Add**.
### Create a property mapping in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Customization** > **Property Mappings** and click **Create**. Create a **SAML Provider Property Mapping** with the following settings:
- **Name**: Choose a descriptive name
- **SAML Attribute Name**: `Roles`
- **Friendly Name**: Leave blank
- **Expression**: `wazuh-administrators` is used a placeholder for the group name.
```python
if ak_is_group_member(request.user, name="wazuh-administrators"):
yield "wazuh-admin"
```
3. Click **Finish**.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name (e.g., `Wazuh`), an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: Select **SAML Provider** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- **ACS URL**: `https://wazuh-dashboard.company/\_opendistro/\_security/saml/acs`
- **Issuer**: `wazuh-saml`
- **Service Provider Binding**: `Post`
- Under **Advanced protocol settings**:
- **Property Mappings**: add the **Property Mapping** you created in the previous section.
- **NameID Property Mapping**: select a property mapping that will be used for Wazuh usernames (e.g. `authentik default SAML Mapping: Name` or `authentik default SAML Mapping: Email`)
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
### Download metadata file
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Providers** and click on the name of the provider that you created in the previous section (e.g. `Provider for wazuh`).
3. Under **Related objects** > **Metadata**, click on **Download**. This downloaded file is your `SAML Metadata` file and it will be required in the next section.
## Wazuh configuration
To support the integration of authentik with Wazuh, you will need to configure SAML authentication on the Wazuh Indexer server and create role mappings on the Wazuh Dashboard server.
### Wazuh Indexer SAML configuration
:::note
The file `wazuh_authentik_meta.xml` serves as a placeholder for your SAML Metadata file. Ensure that the filename used in this context matches the name of your SAML Metadata file.
:::
1. For the next step, you will need an exchange key. To generate this key, use the following command:
```bash
openssl rand -hex 32
```
2. Copy the downloaded metadata file to the `/etc/wazuh-indexer/opensearch-security/` directory on your Wazuh Indexer server.
3. Change the ownership of the `wazuh_authentik_meta.xml` file to the `wazuh-indexer` user using the following command:
```bash
chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/wazuh_authentik_meta.xml
```
4. Edit the `/etc/wazuh-indexer/opensearch-security/config.yml` on your Wazuh Indexer server.
Add a `saml_auth_domain` section after the `basic_internal_auth_domain` section. For example:
```yaml {7,10,13-30} showLineNumbers title="/etc/wazuh-indexer/opensearch-security/config.yml"
---
authc:
basic_internal_auth_domain:
description: "Authenticate SAML against internal users database"
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: basic
challenge: false
authentication_backend:
type: intern
saml_auth_domain:
http_enabled: true
transport_enabled: false
order: 1
http_authenticator:
type: saml
challenge: true
config:
idp:
metadata_file: "/etc/wazuh-indexer/opensearch-security/wazuh_authentik_meta.xml"
entity_id: "wazuh-saml"
sp:
entity_id: "wazuh-saml"
kibana_url: "https://wazuh-dashboard.company/"
roles_key: Roles
exchange_key: "<exchange key generated in step 1>"
authentication_backend:
type: noop
```
:::note
Ensure that you set the following parameters in the `basic_internal_auth_domain` section: `order: 0` and `challenge: false`
And the `metadata_file`, `kibana_url`, and `exchange_key` parameters in the `saml_auth_domain` section.
:::
5. Run the `securityadmin.sh` script to load the configuration changes made in the `/etc/wazuh-indexer/opensearch-security/config.yml` file, ensure that you update the `-h` flag to your Wazuh Indexer FQDN:
```bash
export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/config.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h wazuh-indexer.company -nhnv
```
6. Edit the `/etc/wazuh-indexer/opensearch-security/roles_mapping.yml` file and include `wazuh_admin` as a `backend_role` in the appropriate section. The following example adds the role to the `all_access` section:
```yaml showLineNumbers title="/etc/wazuh-indexer/opensearch-security/roles_mapping.yml"
all_access:
reserved: true
hidden: false
backend_roles:
// highlight-next-line
- "wazuh-admin"
- "admin"
hosts: []
users: []
and_backend_roles: []
description: "Maps admin to all_access"
```
7. Run the `securityadmin.sh` script again but with the `-f` flag set to `/etc/wazuh-indexer/opensearch-security/roles_mapping.yml`, ensure that you update the `-h` flag to your Wazuh Indexer FQDN:
```bash
export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /etc/wazuh-indexer/opensearch-security/roles_mapping.yml -icl -key /etc/wazuh-indexer/certs/admin-key.pem -cert /etc/wazuh-indexer/certs/admin.pem -cacert /etc/wazuh-indexer/certs/root-ca.pem -h wazuh-indexer.company{" "} -nhnv
```
### Wazuh dashboard configuration
1. On the Wazuh Dashboard server, check the value of `run_as` in the `/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml` configuration file:
```yaml showLineNumbers title="/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml"
hosts:
- default:
url: https://127.0.0.1
port: 55000
username: wazuh-wui
password: "<WAZUH_WUI_PASSWORD>"
// highlight-next-line
run_as: false
```
The `run_as` parameter when set to true, enables the assignment of roles to users based on authorization context information. See the (Wazuh Authorization Context documentation)[https://documentation.wazuh.com/current/user-manual/api/rbac/auth-context.html] for more information.
If `run_as` is set to `false`, proceed to step 4. If `run_as` is set to `true`, proceed with the following steps to add a role mapping on the Wazuh dashboard.
2. On the Wazuh dashboard click the upper-left menu icon ☰ to open the menu, go to **Server management** -> **Security** -> **Roles mapping**
3. Click **Create Role mapping** and configure the following parameters:
- **Role Name**: set a name for the role mapping (e.g. authentik_admins)
- **Roles**: select a role (e.g.`administrator`)
- **Custom rules**: Click **Add new rule** and set:
- **User field**: `backend_roles`
- **Search operation**: `FIND`
- **Value**: `wazuh-admin`
Click **Save role mapping**
4. On the Wazuh Dashboard server, add these lines to the `/etc/wazuh-dashboard/opensearch_dashboards.yml` file:
```yaml showLineNumbers
opensearch_security.auth.type: "saml"
server.xsrf.allowlist:
[
"/_opendistro/_security/saml/acs",
"/_opendistro/_security/saml/logout",
"/_opendistro/_security/saml/acs/idpinitiated",
]
opensearch_security.session.keepalive: false
```
5. Restart the Wazuh dashboard service using the following command:
```bash
sudo systemctl restart wazuh-dashboard
```
## Configuration verification
To confirm that authentik is properly configured with Wazuh, log out and log back in using an account that is a member of the appropriate authentik group (e.g. `wazuh-administrators`).
Reference in New Issue View Git Blame Copy Permalink