Wazuh is becoming preferred SIEM solution of many organisations and teams. Its loaded with feature to empower security teams to have an in depth picture of their network and assets. In this post we are setting up SSO using Google Workspace on the Docker deployment of Wazuh.

Prerequisites

Please make sure that you have the following steps already completed before starting on SSO with Google Workspace.

  1. Get the docker installed by following the Wazuh Docker installation guide (https://documentation.wazuh.com/current/deployment-options/docker/docker-installation.html)
  2. Get the single node Wazuh docker deployment up and running by following the Wazuh docker deployment guide. We will be using the Single Node deployment in this blog post. https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html#single-node-deployment
  3. Better to have a valid SSL certificate on your Wazuh deployment. Otherwise you might get some unexpected errors. We used a valid Lets Encrypt certificate in this blog post. 
  4. Make sure Wazuh is working properly and you are able to login via default “admin” user by using the password.

In order to get SSO working we need to configure Google Workspace, Wazuh Indexer, Wazuh Dashboard etc. Following is step by step guide for the required configurations.

Google Configuration

  1. Login to your Google Admin Account and go to https://admin.google.com/ac/apps/unified.
  2. Create an SAML app
    1. Go to Apps > Website and mobile apps > Add App, then Add custom SAML app. Enter an App name and click CONTINUE. We are using “Wazuh Demo SSO” as the name of the app.

      Note that the description and icon are optional so can be skipped.
    2. Take note of the parameters mentioned below, as they will be used during the Wazuh indexer configuration
      • Entity ID: This will be used later as the idp.entity_id
      • Select DOWNLOAD METADATA and place the metadata file in the configuration directory of the Wazuh indexer.
    3. Select CONTINUE and configure the following:
      • ACS URL: https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs. Replace the Wazuh dashboard URL field with the appropriate URL or IP address.
      • Entity ID: Use any name here. This will be the sp.entity_id in the Wazuh indexer configuration file. In our case, the value is wazuh-saml.
      • Certificate: Copy the blob of the certificate excluding the —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– lines. This will be our exchange_key in the Wazuh indexer configuration file.
      • Make sure to select the checkbox “Signed Response”, otherwise you might get unexpected errors.
    4. Leave the remaining parameters with their default values, then select CONTINUE.
    5. Click on ADD MAPPING, under Employee details, choose Department, under App attributes, type Roles, and select FINISH.
  3. Turn ON the access to this app for everyone.

Select the recently created app and click on User access. Select ON for everyone and click SAVE.

  1. Define the attribute for users for which you want to enable access to Wazuh.
    1. Go to Directory then Users.
    2. Select a user, go to User information, then edit Employee information.
    3. Add a value to the Department field, in this example, we add Wazuh_access, click on SAVE. This value will be used in the role_mapping file configuration.

Wazuh indexer configuration

  1. Go to the directory where the checkout of the git repo was created. It should contain a “single-node” folder.
  2. Edit the docker-compose.yml in the “single-node” folder. As mentioned earlier as well that we are using “single-node” deployment to all changes we gonna make will be in this folder.
  3. Copy the downloaded metadata file GoogleIDPMetadata.xml to config/wazuh_indexer/ folder
  4. Create a new file “config/wazuh_indexer/roles_mapping.yml”
  • Edit the docker-compose.yml file and add following lines. These will map the roles_mapping, security_config and metadata files to the wazuh.indexer container.
    • – ./config/wazuh_indexer/roles_mapping.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles_mapping.yml
    • – ./config/wazuh_indexer/security_config.yml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/config.yml
    • – ./config/GoogleIDPMetadata.xml:/usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/GoogleIDPMetadata.xml

 

  1. Edit the “config/wazuh_indexer/security_config.yml” and add the following section

    Note: Certificate and ids used in the image above are obfuscated. Use your actual values.

    It has following key values

    1. idp.metadata_file: This is your application metadata file which was downloaded in previous steps. Don’t change the path as it’s pointing to the path inside the container.
    2. idp.entity_id: This is the url we got from SAML app in Google Workspace
    3. sp.entiry_id: This value was defined in the SAML app.
    4. kibana_url: This must be changed as per required url.
    5. exchange_key: This contains the blob from the certificate associated with the SAML app created in Google Workspace. Make sure to align it properly. 
  2. Edit the same security_config file and update following value under basic_internal_auth_domain section
    1. Change “order” to 0
    2. Update “challenge” to false

  1. Edit the role mapping file and under the “all_access” section add “Wazuh_access”

The full content of this file can be extracted from the container its self. Run the container and login to is via bash and get content of the file.

Wazuh dashboard configuration

  1. Add following two lines in file config/wazuh_dashboard/opensearch_dashboards.yml
    opensearch_security.auth.type: “saml”
    server.xsrf.whitelist: [“/_plugins/_security/saml/acs”, “/_plugins/_security/saml/logout”, “/_opendistro/_security/saml/acs”, “/_opendistro/_security/saml/logout”]

Start Deployment 

  1. Once the above changes are complete start the containers via docker compose
  2. Run “docker compose up -d”
  3. Once the containers are up then we need to run the securityadmin.sh on the Wazuh indexer so the security changes can take effect
  4. Start a bash session on the container by using command
    • docker exec -it single-node-wazuh.indexer-1 /bin/bash
  5. Run the following 2 command one by one on the container
    • export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/config.yml -icl -key /usr/share/wazuh-indexer/config/certs/admin-key.pem -cert /usr/share/wazuh-indexer/config/certs/admin.pem -cacert /usr/share/wazuh-indexer/config/certs/root-ca.pem -h localhost -nhnv
    • export JAVA_HOME=/usr/share/wazuh-indexer/jdk/ && bash /usr/share/wazuh-indexer/plugins/opensearch-security/tools/securityadmin.sh -f /usr/share/wazuh-indexer/plugins/opensearch-security/securityconfig/roles_mapping.yml -icl -key /usr/share/wazuh-indexer/config/certs/admin-key.pem -cert /usr/share/wazuh-indexer/config/certs/admin.pem -cacert /usr/share/wazuh-indexer/config/certs/root-ca.pem -h localhost -nhnv
  6. The output of the above command should be successful. Otherwise there is something wrong so check for the errors.
  7. Once the command are run successfully exit from the container and use following docker commands to fully restart the deployment
    • docker compose -f ./docker-compose.yml down
    • docker compose -f ./docker-compose.yml up -d
  8. Once the containers are up and running again (it may take some time) try to browse the Wazuh dashboard in an incognito window.
  9.  If all is good it should redirect to Google account and once authenticated will get back to Wazuh dashboard.

Wazuh Role Mapping

At this step you should be able to login to Wazuh Dashboard via SSO. So make sure its working. Additionally you may need to create a role in Wazuh for admins login using SSO.

  • Go to Wazuh > Security > Role Mappings and create a new Role Mapping.
  • Name the mapping as per your needs.
  • In roles selection choose “administrator”
  • Empty the selection of “Map internal users”
  • Adjust the “Custom rules” setting to “Any are true”
  • Add the rules for all users you want to be mapped as Wazuh admin

Disable SSO

In case SSO did not work as expected follow the instructions below to disable it, so the normal auth starts working again.

  1. Edit the config/wazuh_dashabor/opensearch_dashboards.yml file.
  2. Comment out the line opensearch_security.auth.type and save it
  3. Bring down the containers via docker compose and then start again. Now you should be able to login using username and password.