> wazuh is an open source Security Information and Event Management System that also has (extended) Endpoint Detection & Response (XDR) capabilities, as well as components of a Network Intrusion & Detection System (NIDS).
>
> -- https://wazuh.com
:::note
We assume that you already have wazuh and authentik installed/setup and now want to integrate authentik as your IDP solution to have SSO within wazuh.
:::
## Preparation
The following placeholders will be used:
-`wazuh.company` is the FQDN of the wazuh server instance.
-`authentik.company` is the FQDN of the authentik install.
While wazuh allows both LDAP and SAML integration, in this post we will only walk through the SAML integration.
Now add a SAML provider - you can find the options under `Applications` -> `Providers`
Select SAML Provider and click Next
Add a descriptive name, select the appropriate Authentication/Authorization flow, adjust the ACS URL to contain the IP/hostname of your wazuh installation and add `/_opendistro/_security/saml/acs` to the end.
also make sure to give it an appropriate `EntityID` name (`issuer`), you will need that later and a valid option is e.g. `wazuh-saml`
Select `Post` as the `Service Provider Binding` and move on to the advanced protocol settings.
The last step is to select the previously created `Signing Certificate` from the dropdown list and leave the rest of the configurations as default for now.
Now download the metadata file `saml_authentik_meta.xml` from the `Applications` -> `Provider` -> `Related Objects` -> `Download`
and copy/save it on the wazuh server - ideally under `/etc/wazuh-indexer/opensearch-security/idp-metadata.xml`
Next up change the `/etc/wazuh-indexer/opensearch-security/config.yml` and make sure it looks like the one below
- you need to adjust the `metadata_file` if your name differs from the one shown above/below
-`entity_id` needs to change twice, once in the `idp` section and once in the `sp` section - you can look it up in the metadata xml file - search for `entityID`
- adapt the `kibana_url` to match your wazuh dashboard url - e.g. `https://wazuh.myhomelab.com/`
- copy/paste the `exchange_key`, you can get it from the metadata file (find the key between the `<ds:X509Certificate></ds:X509Certificate>` tags, it usually starts with MII...) - DO NOT FORGET TO PUT QUOTES AROUND THE CERTIFICATE
- make sure to adjust the ownership and access rights via the following commands:
After you save the `config.yml` you need to restart the wazuh manager and tell it to load the modified file - this can be done automagically using the `securityadmin.sh` wazuh provides with the following command:
If all goes well this shows `Done with success` in the end
### Step 7 - roles_mapping.yml
In order to map the backend roles from authentik to wazuh specific roles you need to adjust the `/etc/wazuh-indexer/opensearch-security/roles_mapping.yml`
Open the file and scroll to the following section:
under `backend_roles` add `wazuh-admin` and check that reserved is `false` + the rest looks like below:
```yml
all_access:
reserved: false
hidden: false
backend_roles:
- "wazuh-admin"
- "admin"
hosts: []
users: []
and_backend_roles: []
description: "Maps admin to all_access"
```
save the file and use the securityadmin.sh with the following command to load the adjusted `roles_mapping.yml`:
If all goes well this shows `Done with success` in the end
### Step 8 - wazuh.yml
Check `/usr/share/wazuh-dashboard/data/wazuh/config/wazuh.yml` and make sure that `run_as` is set to `false`.
### Step 9 - security role mapping
open the wazuh dashboard - click on the downward pointing triangle next to the wazuh logo then on `Security` and `Roles mapping`.
We will now add a new role mapping - add any name + the respective Roles -> in this case administrator and add a new custom rule at the bottom that matches (`FIND`) the `user_name` to `wazuh-admin`.
### Step 10 - final step - opensearch_dashboards.yml
The last step is to adapt the `/etc/wazuh-dashboard/opensearch_dashboards.yml` and add three lines to the bottom of the file:
