Description
Greetings!
I used envs/aws as the basis to create a deployment for GKE, which works as intended. The issue I am currently facing is that I have attempted to adapt the instructions for enabling Google SSO from the documentation on the site.
I mounted the config under /usr/share/wazuh-indexer/opensearch-security/config.yml in the indexer-sts.yaml file and can confirm it is available when the pods are running:
```yaml
authc:
  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: "intern"
  saml_auth_domain:
    http_enabled: true
    transport_enabled: false
    order: 1
    http_authenticator:
      type: saml
      challenge: true
      config:
        idp:
          metadata_file: '/usr/share/wazuh-indexer/opensearch-security/GoogleIDPMetadata.xml'
          entity_id: 'https://accounts.google.com/o/saml2?idpid=XXXXXX'
        sp:
          entity_id: wazuh-saml
        kibana_url: https://wazuh-dashboard.mycooldomain.com
        roles_key: Roles
        exchange_key: 'c95e2e7f909c1c0da4b06de0420a6848628d10c05c89bceebe7dfff618c78002'
    authentication_backend:
      type: noop
```
The /usr/share/wazuh-indexer/opensearch-security/GoogleIDPMetadata.xml file is also mounted and available when the indexer pods are running.
I updated the opensearch_dashboards.yml file to include these settings:
```yaml
server.host: 0.0.0.0
server.port: 5601
opensearch.hosts: https://indexer:9200
opensearch.ssl.verificationMode: none
opensearch.requestHeadersWhitelist: [ authorization,securitytenant ]
opensearch_security.multitenancy.enabled: false
opensearch_security.readonly_mode.roles: ["kibana_read_only"]
server.ssl.enabled: true
server.ssl.key: "/usr/share/wazuh-dashboard/certs/key.pem"
server.ssl.certificate: "/usr/share/wazuh-dashboard/certs/cert.pem"
opensearch.ssl.certificateAuthorities: ["/usr/share/wazuh-dashboard/certs/root-ca.pem"]
uiSettings.overrides.defaultRoute: /app/wz-home
opensearch_security.auth.type: ["basicauth", "saml"]
server.xsrf.allowlist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/_opendistro/_security/saml/acs/idpinitiated"]
opensearch_security.session.keepalive: false
opensearch_security.auth.multiple_auth_enabled: true
```
When checking the Dashboard logs, I can see that the GoogleHC/1.0 User-Agent is receiving a 200 HTTP status code:
```json
{"type":"response","@timestamp":"2025-03-11T17:05:30Z","tags":[],"pid":56,"method":"get","statusCode":200,"req":{"url":"/app/login","method":"get","headers":{"host":"10.28.5.28","user-agent":"GoogleHC/1.0","connection":"Keep-alive"},"remoteAddress":"35.191.206.114","userAgent":"GoogleHC/1.0"},"res":{"statusCode":200,"responseTime":13,"contentLength":9},"message":"GET /app/login 200 13ms - 9.0B"}
```
However, when I click on the Single Sign-On button to log in, I get an Internal Server Error in my browser. I can see the following log entries in the dashboard logs:
```json
{"type":"response","@timestamp":"2025-03-11T16:42:45Z","tags":[],"pid":56,"method":"get","statusCode":401,"req":{"url":"/api/v1/configuration/account?dataSourceId=","method":"get","headers":{"host":"wazuh-dashboard.mycooldomain.com","osd-version":"2.16.0","sec-ch-ua-platform":"\"macOS\"","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","sec-ch-ua":"\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"","content-type":"application/json","sec-ch-ua-mobile":"?0","osd-xsrf":"osd-fetch","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://wazuh-dashboard.mycooldomain.com/app/login?nextUrl=%2F","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9","priority":"u=1, i","x-cloud-trace-context":"b22ae906e2cd66ab0eaf9b4e125b2201/7613392806260463384","via":"1.1 google","x-forwarded-for":"108.253.243.18, 34.50.255.100","x-forwarded-proto":"https","connection":"Keep-Alive"},"remoteAddress":"35.191.41.87","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","referer":"https://wazuh-dashboard.mycooldomain.com/app/login?nextUrl=%2F"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /api/v1/configuration/account?dataSourceId= 401 2ms - 9.0B"}
{"type":"response","@timestamp":"2025-03-11T16:42:45Z","tags":[],"pid":56,"method":"get","statusCode":401,"req":{"url":"/api/v1/auth/dashboardsinfo?dataSourceId=","method":"get","headers":{"host":"wazuh-dashboard.mycooldomain.com","osd-version":"2.16.0","sec-ch-ua-platform":"\"macOS\"","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","sec-ch-ua":"\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"","content-type":"application/json","sec-ch-ua-mobile":"?0","osd-xsrf":"osd-fetch","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://wazuh-dashboard.mycooldomain.com/app/login?nextUrl=%2F","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9","priority":"u=1, i","x-cloud-trace-context":"c239468d3e976cf60eaf9b4e125b2c42/9012852357084827290","via":"1.1 google","x-forwarded-for":"108.253.243.18, 34.50.255.100","x-forwarded-proto":"https","connection":"Keep-Alive"},"remoteAddress":"35.191.41.87","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","referer":"https://wazuh-dashboard.mycooldomain.com/app/login?nextUrl=%2F"},"res":{"statusCode":401,"responseTime":2,"contentLength":9},"message":"GET /api/v1/auth/dashboardsinfo?dataSourceId= 401 2ms - 9.0B"}
{"type":"response","@timestamp":"2025-03-11T16:42:45Z","tags":[],"pid":56,"method":"get","statusCode":401,"req":{"url":"/elastic/security/current-platform","method":"get","headers":{"host":"wazuh-dashboard.mycooldomain.com","osd-version":"2.16.0","sec-ch-ua-platform":"\"macOS\"","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36","sec-ch-ua":"\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\"","content-type":"application/json","sec-ch-ua-mobile":"?0","osd-xsrf":"osd-fetch","accept":"*/*","sec-fetch-site":"same-origin","sec-fetch-mode":"cors","sec-fetch-dest":"empty","referer":"https://wazuh-dashboard.mycooldomain.com/app/login?nextUrl=%2F","accept-encoding":"gzip, deflate, br, zstd","accept-language":"en-US,en;q=0.9","priority":"u=1, i","x-cloud-trace-context":"cc3c8996a5bdb4c50eaf9b4e125b2279/1364242804952545956","via":"1.1 google","x-forwarded-for":"108.253.243.18, 34.50.255.100","x-forwarded-proto":"https","connection":"Keep-Alive"},"remoteAddress":"35.191.41.93","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome
```
I did configure my Google Workspace user to have Department set to Wazuh_access, and I updated roles_mapping.yml, which is also mounted in the indexer-sts.yml file:
```yaml
all_access:
  reserved: true
  hidden: false
  backend_roles:
    - "admin"
    - "Wazuh_access"
```
I'm not sure where to begin looking for the issue. Any ideas?
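The post wires three things together: the `roles_key` in the indexer's `config.yml`, the attribute name the Google Workspace SAML app actually puts in the assertion, and the `backend_roles` strings in `roles_mapping.yml`. The script below is an added example (not Wazuh's or OpenSearch's own code) that walks that chain the way the security plugin does: it parses a SAML 2.0 Response, takes the values of the attribute whose `Name` equals `roles_key` as backend roles, and reports which `roles_mapping.yml` entries those would match by exact, case-sensitive string comparison. It also checks the posted `opensearch_dashboards.yml` values for the SAML prerequisites. The sample Response is constructed; its attribute name `Roles`, the NameID and the department value are assumptions standing in for what the real IdP sends, and `check_dashboard_settings` treats the three allowlist paths from the post as the required set.

```python
"""Cross-check the SAML attribute -> backend role -> security role chain.

Added example, not code from the Wazuh or OpenSearch projects. The
config values below are transcribed from the post; the SAML Response is
a constructed, unsigned sample (signature validation is out of scope here).
"""
import xml.etree.ElementTree as ET

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Transcribed from the posted config.yml and roles_mapping.yml.
ROLES_KEY = "Roles"
ROLES_MAPPING = {
    "all_access": {"backend_roles": ["admin", "Wazuh_access"]},
}
# Transcribed from the posted opensearch_dashboards.yml (relevant keys only).
DASHBOARD_CFG = {
    "opensearch_security.auth.type": ["basicauth", "saml"],
    "opensearch_security.auth.multiple_auth_enabled": True,
    "server.xsrf.allowlist": [
        "/_opendistro/_security/saml/acs",
        "/_opendistro/_security/saml/logout",
        "/_opendistro/_security/saml/acs/idpinitiated",
    ],
}
# Paths the post's own allowlist carries; treated as the required set (assumption).
REQUIRED_XSRF_PATHS = tuple(DASHBOARD_CFG["server.xsrf.allowlist"])

# Constructed sample Response. Attribute name "Roles", the NameID and the
# department value are ASSUMPTIONS about what the Google SAML app emits.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>user@mycooldomain.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Roles">
        <saml:AttributeValue>Wazuh_access</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_attributes(response_xml):
    """Return (NameID, {attribute Name: [values]}) from a SAML 2.0 Response."""
    root = ET.fromstring(response_xml)
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return name_id, attrs


def backend_roles(attrs, roles_key):
    """Backend roles the plugin derives: values of the attribute named exactly roles_key."""
    return list(attrs.get(roles_key, []))


def mapped_roles(backend, roles_mapping):
    """Security roles whose backend_roles contain any given backend role (case-sensitive)."""
    wanted = set(backend)
    return sorted(role for role, spec in roles_mapping.items()
                  if wanted & set(spec.get("backend_roles", [])))


def check_dashboard_settings(cfg):
    """Findings for the dashboards-side SAML prerequisites; empty list means OK."""
    findings = []
    auth_types = cfg.get("opensearch_security.auth.type", [])
    if "saml" not in auth_types:
        findings.append("opensearch_security.auth.type does not include 'saml'")
    if len(auth_types) > 1 and not cfg.get("opensearch_security.auth.multiple_auth_enabled"):
        findings.append("several auth types configured but multiple_auth_enabled is not true")
    missing = [p for p in REQUIRED_XSRF_PATHS if p not in cfg.get("server.xsrf.allowlist", [])]
    if missing:
        findings.append(f"server.xsrf.allowlist is missing {missing}")
    return findings


def diagnose(response_xml, roles_key, roles_mapping):
    """Findings for the assertion -> roles_mapping chain; empty list means it lines up."""
    name_id, attrs = extract_attributes(response_xml)
    findings = []
    if not name_id:
        findings.append("no NameID in assertion")
    if roles_key not in attrs:
        findings.append(f"no attribute named {roles_key!r}; assertion carries {sorted(attrs)}")
    backend = backend_roles(attrs, roles_key)
    if backend and not mapped_roles(backend, roles_mapping):
        # Typical cause: spelling or case drift, e.g. 'wazuh_access' vs 'Wazuh_access'.
        findings.append(f"backend roles {backend} match no roles_mapping entry")
    return findings


if __name__ == "__main__":
    print(diagnose(SAMPLE_RESPONSE, ROLES_KEY, ROLES_MAPPING) or "role chain OK")
    print(check_dashboard_settings(DASHBOARD_CFG) or "dashboard settings OK")
```

To use it against a real login, capture the base64 `SAMLResponse` form field the browser posts to the ACS endpoint (browser devtools, network tab), decode it, and pass the XML to `diagnose`; a finding of "no attribute named 'Roles'" means the Google app is sending the department under a different attribute name than `roles_key` expects, while "match no roles_mapping entry" means the value reached the indexer but did not equal a `backend_roles` string byte for byte.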