
After I integrated ElasticCloud with Azure AD for single sign-on, I am not able to use a curl command with AD authentication. Here is what I am trying:

```bash
curl -X PUT -u myuser:mypassword "elasticcloudhost:port/myindex" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"settings" : {"number_of_shards" : 1,"number_of_replicas" : 1}}'
```

The error message is:

```json
{"statusCode":404,"error":"Not Found","message":"Not Found"}
```

I am able to connect to Kibana with my Azure user and password using a browser: it is first redirected to the Microsoft login page and then goes to the Kibana page. However, it is not working with the curl command.

Here is the method that I used for integration:

https://www.elastic.co/blog/saml-based-single-sign-on-with-elasticsearch-and-azure-active-directory

Does anyone know how to make this work? Any help would be appreciated.

Updated:

Here I have tried to get an access token from the Azure AD application and then use it in a curl command to get an index:

```bash
#!/bin/bash

host="myApplicationIDURI"   # Application ID URI of the API app, also passed as the resource
project="test"

# Request a client_credentials token from the Azure AD v1 endpoint.
# Note: a secret on the command line is visible in the process list and shell history;
# reading it from an environment variable or file is safer.
token=$(curl -s -X POST \
  -d "grant_type=client_credentials&client_id=myclientID&client_secret=myclientsecret&resource=myApplicationIDURI" \
  "https://login.microsoftonline.com/mytenantID/oauth2/token" \
  | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')   # pull the token out by key, not by field position

echo "$token"

# The URL is built from $host; the original used an undefined variable here.
curl -X GET "$host/$project" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -H "Authorization: Bearer $token"
```

Result:

```json
{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "[security_exception] missing authentication credentials for REST request [/_security/_authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"
}
```

I have added this app role under my application's manifest:

```json
{
    "allowedMemberTypes": [
        "Application"
    ],
    "description": "Access webapp as an application.",
    "displayName": "access_as_application",
    "id": "b963********",
    "isEnabled": true,
    "lang": null,
    "origin": "Application",
    "value": "access_as_application"
},
```

And also this API permission:

[screenshot: API permission]

Here is my kibana.yml:

```yaml
xpack.security.authc.providers: ["saml", "basic"]
server.xsrf.whitelist: ["/api/security/v1/saml"]
xpack.security.authc.saml.realm: azuread-saml
```

and elasticsearch.yml:

```yaml
xpack:
  security:
    authc:
      realms:
        saml:
          azuread-saml:
            order: 2
            attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
            attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/rolename"
            idp.metadata.path: "https://login.microsoftonline.com/mytenantID/federationmetadata/2007-06/federationmetadata.xml?appid=myapiID"
            idp.entity_id: "https://sts.windows.net/mytenantID/"
            sp.entity_id: "myAppURI"
            sp.acs: "myappURI/api/security/v1/saml"
            sp.logout: "myAppURI/logout"
```

The error that I see in the logs is: "built in token service unable to decode token"

Matrix
  • For token please add scope in curl and refer this `curl -X POST -d “grant_type=client_credentials&client_id=clientid&client_secret= secret&scope= https%3A%2F%2Fgraph.microsoft.com%2F.default” https://login.microsoftonline.com/tenantid/oauth2/v2.0/token` – Sruthi J Jun 30 '20 at 18:13
  • @SruthiJ-MSFTIdentity Thanks for the comment. Where is the scope coming from? I get an error with that scope: bash: https%3A%2F%2Fgraph.microsoft.com%2F.default”: command not found – Matrix Jul 01 '20 at 07:09
  • A 401 error means you don't have access to it. Can you please cross-check your privileges? – Sruthi J Jul 03 '20 at 18:33
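An added diagnostic (my code, not from the question or from Elastic) that parses the WWW-Authenticate challenge in the 401 body quoted above and checks whether the token handed to curl is an external JWT. The error body is copied from the question; the Azure-style token is a constructed, unsigned stand-in, and the `iss`/`aud` values in it are assumptions. It shows why an Azure AD token ends up as the "built in token service unable to decode token" log line.

```python
import base64
import json
import re

# Sample input copied from the 401 body in the question above.
SAMPLE_401 = r'''{"statusCode": 401, "error": "Unauthorized", "message": "[security_exception] missing authentication credentials for REST request [/_security/_authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}'''

def accepted_challenges(error_body):
    """Return the challenges Elasticsearch listed in WWW-Authenticate (entries look like 0="Bearer realm=\"security\"")."""
    message = json.loads(error_body)["message"]
    m = re.search(r"WWW-Authenticate=\{(.*?)\}", message)
    if not m:
        return []
    raw = re.findall(r'\d+="((?:[^"\\]|\\.)*)"', m.group(1))   # quoted value, honouring \" escapes
    return [c.replace('\\"', '"') for c in raw]

def scheme_names(error_body):
    """Just the scheme keywords, e.g. ['Bearer', 'ApiKey', 'Basic']."""
    return [c.split()[0] for c in accepted_challenges(error_body)]

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_unverified(token):
    """Split a JWT into (header, claims) WITHOUT checking the signature.
    Only for inspection; never base an authorization decision on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))
    except ValueError:   # bad base64 or non-JSON segments: not a JWT
        return None

def diagnose(error_body, token):
    """Explain, from the challenge and the token shape, why the call is rejected."""
    if "Bearer" not in scheme_names(error_body):
        return "endpoint does not offer a Bearer challenge"
    decoded = decode_jwt_unverified(token)
    if decoded is None:
        return "opaque bearer token: the shape Elasticsearch's own token service issues"
    return ("external JWT issued by %s: the Bearer realm=\"security\" is served by "
            "Elasticsearch's built-in token service, which only decodes its own tokens" % decoded[1].get("iss"))

# Constructed stand-in for an Azure AD access token (unsigned; the signature segment is fake).
def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
SAMPLE_AZURE_TOKEN = ".".join([
    _b64url(json.dumps({"typ": "JWT", "alg": "RS256"}).encode()),
    _b64url(json.dumps({"iss": "https://sts.windows.net/mytenantID/", "aud": "myApplicationIDURI"}).encode()),
    _b64url(b"not-a-real-signature"),
])
```

The ApiKey and Basic schemes in the same challenge are the ones a non-interactive script can satisfy with an Elasticsearch API key or a native user, which the `basic` provider in the kibana.yml above still allows.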

1 Answer

I don't think this curl cmd will work because I didn't see you get an access token to do the operation.

```bash
curl -X PUT -u myuser:mypassword "elasticcloudhost:port/myindex" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"settings" : {"number_of_shards" : 1,"number_of_replicas" : 1}}'
```

For the second question, the error occurs because your enterprise app has "User assignment required?" set to Yes. See the reference here.

What you need to do is assign the client app to an app role of the API app. Please refer to the screenshots below (note that 'testGraph' is the client app and 'testG006' is the API app). In your case, 'myclientID' is the client app and 'myapplicationIDurl' is the API app.

[screenshots: app role assignment in the Azure portal]

This step assigns the client app the app role "Consumer" for the API app. Then you can get the access token with no problem.

Allen Wu
  • I have created it, and I am able to get a token now; however, it still gives an error when I try to create an index using the curl command and the token. – Matrix Jul 01 '20 at 08:42
  • @Matrix Make sure the target resource exists. Maybe you should use `GET` method (if there is one) to verify it. – Allen Wu Jul 01 '20 at 08:52
  • Can you please check the updated question? I get a 401 Unauthorized error now. – Matrix Jul 01 '20 at 11:35