Merge pull request #7630 from wazuh/change/2871-update-SSO

Update SSO section

source/user-manual/user-administration/single-sign-on/administrator/google.rst

@@ -33,13 +33,12 @@ Google Configuration
 
       -  **Entity ID**: This will be used later as the ``idp.entity_id``
       -  Select **DOWNLOAD METADATA** and place the metadata file in the ``configuration`` directory of the Wazuh indexer. The path to the directory is ``/etc/wazuh-indexer/opensearch-security/``.
-      -  **Certificate**: Copy the blob of the certificate excluding the ``-----BEGIN CERTIFICATE-----`` and ``-----END CERTIFICATE-----`` lines. This will be our ``exchange_key`` in the Wazuh indexer configuration file.
 
       .. thumbnail:: /images/single-sign-on/google/02-take-note-of-the-parameters.png
          :title: Take note of the parameters
          :align: center
          :width: 80%
-   
+
    #. Select **CONTINUE** and configure the following:
 
       -  **ACS URL**: ``https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs``. Replace the Wazuh dashboard URL field with the appropriate URL or IP address.
@@ -111,18 +110,26 @@ Wazuh indexer configuration
 
 Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
 
+#. Generate a 64-character long random key using the following command.
+
+   .. code-block:: console
+
+      openssl rand -hex 32
+
+   The output will be used as the ``exchange_key`` in the ``/etc/wazuh-indexer/opensearch-security/config.yml`` file.
+
 #. Place the ``Google_Metadata.xml`` file within the ``/etc/wazuh-indexer/opensearch-security/`` directory. Set the file ownership to ``wazuh-indexer`` using the following command:
 
    .. code-block:: console
 
       # chown wazuh-indexer:wazuh-indexer /etc/wazuh-indexer/opensearch-security/Google_Metadata.xml
 
 #. Edit the ``/etc/wazuh-indexer/opensearch-security/config.yml`` file and change the following values:
-   
+
    - Set the ``order`` in ``basic_internal_auth_domain`` to ``0`` and the ``challenge`` flag to ``false``. 
 
    - Include a ``saml_auth_domain`` configuration under the ``authc`` section similar to the following:
-  
+
    .. code-block:: yaml
       :emphasize-lines: 7,10,22,23,25,26,27,28
 
@@ -153,11 +160,10 @@ Edit the Wazuh indexer security configuration files. We recommend that you back
                     entity_id: wazuh-saml
                   kibana_url: https://<WAZUH_DASHBOARD_URL>
                   roles_key: Roles
-                  exchange_key: 'MIICajCCAdOgAwIBAgIBAD.........'
+                  exchange_key: 'b1d6dd32753374557dcf92e241.......'
               authentication_backend:
                 type: noop
 
-
    Ensure to change the following parameters to their corresponding value:
 
    - ``idp.metadata_file``

source/user-manual/user-administration/single-sign-on/administrator/index.rst

@@ -21,8 +21,8 @@ The following parameters are required to make the configurations on the Wazuh da
 -  ``sp.entity_id``: Entity ID of the Service Provider. This is a unique value assigned to a Service Provider.
 -  ``kibana_url``: URL to access the Wazuh dashboard.
 -  ``roles_key``: The attribute in the SAML assertion where the roles/groups are sent.
--  ``exchange_key``: The key that will be used to sign the assertions. It must have at least 32 characters.
-  
+-  ``exchange_key``: The key that will be used to sign the assertions. It must have at least 64 characters.
+
 .. note::
 
    -  The group and role names used in this guide can be changed. They do not necessarily have to be the ones we used.

source/user-manual/user-administration/single-sign-on/administrator/jumpcloud.rst

@@ -130,20 +130,25 @@ Jumpcloud Configuration
 
 #. Note the necessary parameters from the SAML settings of the new app.
 
-   #. Open the recently created application, go to the **SSO** tab and select **Export Metadata**. This will be our ``metadata_file``. Place the metadata file in the configuration directory of the Wazuh indexer. The path to the directory is ``/etc/wazuh-indexer/opensearch-security/``.
-
-   #. Extract the ``exchange_key`` from the ``metadata_file`` under the ``ds:X509Certificate`` tag.
-
-      .. thumbnail:: /images/single-sign-on/jumpcloud/15-go-to-the-sso-tab.png
-          :title: Go to the SSO tab and select Export Metadata
-          :align: center
-          :width: 80% 
+   Open the recently created application and go to the **SSO** tab, select **Export Metadata**. This will be our ``metadata_file``. Place the metadata file in the configuration directory of the Wazuh indexer. The path to the directory is ``/etc/wazuh-indexer/opensearch-security/``.
 
+   .. thumbnail:: /images/single-sign-on/jumpcloud/15-go-to-the-sso-tab.png
+       :title: Go to the SSO tab and select Export Metadata
+       :align: center
+       :width: 80%
 
 Wazuh indexer configuration
 ---------------------------
 
-Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration. 
+Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
+
+#. Generate a 64-character long random key using the following command.
+
+   .. code-block:: console
+
+      openssl rand -hex 32
+
+   The output will be used as the ``exchange_key`` in the ``/etc/wazuh-indexer/opensearch-security/config.yml`` file.
 
 #. Place the ``metadata_jumpcloud.xml`` file within the ``/etc/wazuh-indexer/opensearch-security/`` directory. Set the file ownership to ``wazuh-indexer`` using the following command:
 
@@ -153,7 +158,7 @@ Edit the Wazuh indexer security configuration files. We recommend that you back
 
 #. Edit the ``/etc/wazuh-indexer/opensearch-security/config.yml`` file and change the following values:
 
-   - Set the ``order`` in ``basic_internal_auth_domain`` to ``0`` and the ``challenge`` flag to ``false``. 
+   - Set the ``order`` in ``basic_internal_auth_domain`` to ``0`` and the ``challenge`` flag to ``false``.
 
    - Include a ``saml_auth_domain`` configuration under the ``authc`` section similar to the following:
 
@@ -188,12 +193,10 @@ Edit the Wazuh indexer security configuration files. We recommend that you back
                     forceAuthn: true
                   kibana_url: https://<WAZUH_DASHBOARD_URL>
                   roles_key: Roles
-                  exchange_key: 'MIIBkTCB+wIBADBSMQs......'
+                  exchange_key: 'b1d6dd32753374557dcf92e241.......'
               authentication_backend:
                 type: noop
 
-
-
    Ensure to change the following parameters to their corresponding value:
 
       - ``idp.metadata_file``

source/user-manual/user-administration/single-sign-on/administrator/keycloak.rst

@@ -206,21 +206,27 @@ KeyCloak configuration
          :width: 80% 
 
    #. The downloaded files contain the ``idp.metadata.xml`` file and the ``sp.metadata.xml`` file.
-
-      - The ``idp.entityID`` parameter is in the ``idp.metadata.xml`` file.
-      - The ``exchange_key`` parameter is found in the ``ds:X509Certificate`` field in the ``idp.metadata.xml`` file.
+
+      -  The ``idp.entityID`` parameter is in the ``idp.metadata.xml`` file.
 
       .. thumbnail:: /images/single-sign-on/keycloak/19-the-exchange_key-parameter.png
          :title: The exchange_key parameter
          :align: center
-         :width: 80% 
-
+         :width: 80%
 
 Wazuh indexer configuration
 ---------------------------
 
 Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
 
+#. Generate a 64-character long random key using the following command.
+
+   .. code-block:: console
+
+      openssl rand -hex 32
+
+   The output will be used as the ``exchange_key`` in the ``/etc/wazuh-indexer/opensearch-security/config.yml`` file.
+
 #. Place the ``idp.metadata.xml`` and ``sp.metadata.xml`` files within the ``/etc/wazuh-indexer/opensearch-security/`` directory. Set the file ownership to wazuh-indexer using the following command:
 
    .. code-block:: console
@@ -264,7 +270,7 @@ Edit the Wazuh indexer security configuration files. We recommend that you back
                     metadata_file: /etc/wazuh-indexer/opensearch-security/sp.metadata.xml
                   kibana_url: https://<WAZUH_DASHBOARD_ADDRESS>
                   roles_key: Roles
-                  exchange_key: 'MIICajCCAdOgAwIBAgIBAD.........'
+                  exchange_key: 'b1d6dd32753374557dcf92e241.......'
               authentication_backend:
                 type: noop
       

source/user-manual/user-administration/single-sign-on/administrator/microsoft-entra-id.rst

@@ -134,25 +134,25 @@ Microsoft Entra ID Configuration
 
 #. Note the necessary parameters. In the **Enterprise applications** menu, select your application and then click on **Single sign-on**. Note some parameters that will be used in the Wazuh indexer configuration.
 
-   - In option 3 **SAML Certificate**, the **App Federation Metadata Url** will be the ``idp.metadata_url`` in the Wazuh indexer configuration file.
-
-   - Go to the metadata URL using your web browser. Copy the value of the ``<X509Certificate>`` field. It’s your ``exchange_key`` parameter:
-
-   .. thumbnail:: /images/single-sign-on/azure-active-directory/13-go-to-the-metadata-url.png
-      :title: Go to the metadata URL
-      :align: center
-      :width: 80%
-
-   - In option 4 **Set up <YOUR APPLICATION>**, the **Microsoft Entra ID Identifier** will be our ``idp.entity_id``.
+   -  In option 3 **SAML Certificate**, the **App Federation Metadata Url** will be the ``idp.metadata_url`` in the Wazuh indexer configuration file.
+   -  In option 4 **Set up <YOUR APPLICATION>**, the **Microsoft Entra ID Identifier** will be our ``idp.entity_id``.
 
 Wazuh indexer configuration
 ---------------------------
 
 Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
 
+#. Generate a 64-character long random key using the following command.
+
+   .. code-block:: console
+
+      openssl rand -hex 32
+
+   The output will be used as the ``exchange_key`` in the ``/etc/wazuh-indexer/opensearch-security/config.yml`` file.
+
 #. Edit the ``/etc/wazuh-indexer/opensearch-security/config.yml`` file and change the following values:
 
-   - Set the ``order`` in ``basic_internal_auth_domain`` to ``0`` and the ``challenge`` flag to ``false``. 
+   - Set the ``order`` in ``basic_internal_auth_domain`` to ``0`` and the ``challenge`` flag to ``false``.
 
    - Include a ``saml_auth_domain`` configuration under the ``authc`` section similar to the following:
 
@@ -186,14 +186,14 @@ Edit the Wazuh indexer security configuration files. We recommend that you back
                     entity_id: wazuh-saml
                   kibana_url: https://<WAZUH_DASHBOARD_URL>
                   roles_key: Roles
-                  exchange_key: 'MIIC8DCCAdigAwIBAgIQXzg.........'
+                  exchange_key: 'b1d6dd32753374557dcf92e241.......'
               authentication_backend:
                 type: noop
 
 
-   Ensure to change the following parameters to their corresponding value: 
+   Ensure to change the following parameters to their corresponding value:
 
-   - ``idp.metadata_url`` 
+   - ``idp.metadata_url``
    - ``idp.entity_id``
    - ``sp.entity_id``
    - ``kibana_url``

source/user-manual/user-administration/single-sign-on/administrator/okta.rst

@@ -150,9 +150,17 @@ Wazuh indexer configuration
 
 Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
 
-#. Edit the ``/etc/wazuh-indexer/opensearch-security/config.yml`` file and change the following values: 
-
-   - Set the ``order`` in ``basic_internal_auth_domain`` to ``0`` and the ``challenge`` flag to ``false``. 
+#. Generate a 64-character long random key using the following command.
+
+   .. code-block:: console
+
+      openssl rand -hex 32
+
+   The output will be used as the ``exchange_key`` in the ``/etc/wazuh-indexer/opensearch-security/config.yml`` file.
+
+#. Edit the ``/etc/wazuh-indexer/opensearch-security/config.yml`` file and change the following values:
+
+   - Set the ``order`` in ``basic_internal_auth_domain`` to ``0`` and the ``challenge`` flag to ``false``.
 
    - Include a ``saml_auth_domain`` configuration under the ``authc`` section similar to the following:
 
@@ -186,10 +194,10 @@ Edit the Wazuh indexer security configuration files. We recommend that you back
                     entity_id: wazuh-saml
                   kibana_url: https://<WAZUH_DASHBOARD_URL>
                   roles_key: Roles
-                  exchange_key: 'MIIDqjCCApKgAwIBAgIGAYJZY4p.........'
+                  exchange_key: 'b1d6dd32753374557dcf92e241.........'
               authentication_backend:
-                type: noop               
-         
+                type: noop
+
    Ensure to change the following parameters to their corresponding value:
 
       - ``idp.metadata_url``  

source/user-manual/user-administration/single-sign-on/administrator/onelogin.rst

@@ -102,7 +102,7 @@ OneLogin Configuration
          :align: center
          :width: 80%    
 
-#. Get the ``metadata_onelogin.xml`` file and ``X.509 certificate`` from the application.
+#. Get the ``metadata_onelogin.xml`` file from the application.
 
    #. Go to **Applications** >  **Applications** then select the **Wazuh** app. Click on **More Actions** and then select **SAML Metadata**.
 
@@ -128,20 +128,21 @@ OneLogin Configuration
          :width: 80%
 
 
-   #. The ``roles_key`` is the name of the parameter added in the **Wazuh** app. In our example, this is ``Roles``. 
-
-   #. Finally, to obtain the ``exchange_key``, go to the **SSO** tab of the **Wazuh** app and select **View Details** in **X.509 Certificate**. Copy the blob of the certificate excluding the ``-----BEGIN CERTIFICATE-----`` and ``-----END CERTIFICATE-----`` lines:
-
-      .. thumbnail:: /images/single-sign-on/onelogin/13-go-to-the-sso-tab.png
-         :title: Go to the SSO tab of the Wazuh app and select View Details in X.509 Certificate
-         :align: center
-         :width: 80%
+   #. The ``roles_key`` is the name of the parameter added in the **Wazuh** app. In our example, this is ``Roles``.
 
 Wazuh indexer configuration
 ---------------------------
 
 Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
 
+#. Generate a 64-character long random key using the following command.
+
+   .. code-block:: console
+
+      openssl rand -hex 32
+
+   The output will be used as the ``exchange_key`` in the ``/etc/wazuh-indexer/opensearch-security/config.yml`` file.
+
 #. Place the ``metadata_onelogin.xml`` file within the ``/etc/wazuh-indexer/opensearch-security/`` directory. Set the file ownership to ``wazuh-indexer`` using the following command:
 
    .. code-block:: console
@@ -184,7 +185,7 @@ Edit the Wazuh indexer security configuration files. We recommend that you back
                     entity_id: wazuh-saml
                   kibana_url: https://<WAZUH_DASHBOARD_URL>
                   roles_key: Roles
-                  exchange_key: 'MIIBkjCB/AIBADBTMQswCQ......'
+                  exchange_key: 'b1d6dd32753374557dcf92e241.......'
               authentication_backend:
                 type: noop
       ...

source/user-manual/user-administration/single-sign-on/administrator/pingone.rst

@@ -94,12 +94,11 @@ PingOne Configuration
           :title: Navigate to Connections
           :align: center
           :width: 80%
-    
-   #. Take note of the following parameters from the configuration page of the application. This information will be used in the next step. 
+
+   #. Take note of the following parameters from the configuration page of the application. This information will be used in the next step.
 
       - **ISSUER ID**: It'll be in the form \https://auth.pingone.com/...
       - **IDP METADATA URL**: It’ll be in the form \https://auth.pingone.com/...
-      - ``exchange_key``: If you open the **IDP METADATA URL** you'll find the X509 Certificate  section, this will be used as the ``exchange_key``.
 
       .. thumbnail:: /images/single-sign-on/pingone/09-take-note-of-parameters.png
           :title: Take note of parameters from the configuration page
@@ -112,6 +111,14 @@ Wazuh indexer configuration
 
 Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
 
+#. Generate a 64-character long random key using the following command.
+
+   .. code-block:: console
+
+      openssl rand -hex 32
+
+   The output will be used as the ``exchange_key`` in the ``/etc/wazuh-indexer/opensearch-security/config.yml`` file. 
+
 #. Place the private key file within the ``/etc/wazuh-indexer/opensearch-security/`` directory. Set the file ownership to ``wazuh-indexer`` using the following command:
 
    .. code-block:: console
@@ -156,7 +163,7 @@ Edit the Wazuh indexer security configuration files. We recommend that you back
                     forceAuthn: true
                   kibana_url: https://<WAZUH_DASHBOARD_URL>
                   roles_key: Roles
-                  exchange_key: 'MIIJ6DLSAAbAmAJHSgIWYia.........'
+                  exchange_key: 'b1d6dd32753374557dcf92e241.......'
               authentication_backend:
                 type: noop
 

source/user-manual/user-administration/single-sign-on/read-only/google.rst

@@ -33,13 +33,12 @@ Google Configuration
 
       -  **Entity ID**: This will be used later as the ``idp.entity_id``.
       -  Select **DOWNLOAD METADATA** and place the metadata file in the ``configuration`` directory of the Wazuh indexer. The path to the directory is ``/etc/wazuh-indexer/opensearch-security/``.
-      -  Certificate: Copy the blob of the certificate excluding the ``-----BEGIN CERTIFICATE-----`` and ``-----END CERTIFICATE-----`` lines. This will be our ``exchange_key`` in the Wazuh indexer configuration file.
 
       .. thumbnail:: /images/single-sign-on/google/02-take-note-of-the-parameters.png
          :title: Take note of the parameters
          :align: center
          :width: 80%
-   
+
    #. Select **CONTINUE** and configure the following:
 
       -  **ACS URL**: ``https://<WAZUH_DASHBOARD_URL>/_opendistro/_security/saml/acs``. Replace the Wazuh dashboard URL field with the appropriate URL or IP address.
@@ -111,6 +110,14 @@ Wazuh indexer configuration
 
 Edit the Wazuh indexer security configuration files. We recommend that you back up these files before you carry out the configuration.
 
+#. Generate a 64-character long random key using the following command.
+
+   .. code-block:: console
+
+      openssl rand -hex 32
+
+   The output will be used as the ``exchange_key`` in the ``/etc/wazuh-indexer/opensearch-security/config.yml`` file. 
+
 #. Place the ``Google_Metadata.xml`` file within the ``/etc/wazuh-indexer/opensearch-security/`` directory. Set the file ownership to ``wazuh-indexer`` using the following command:
 
    .. code-block:: console
@@ -153,7 +160,7 @@ Edit the Wazuh indexer security configuration files. We recommend that you back
                     entity_id: wazuh-saml
                   kibana_url: https://<WAZUH_DASHBOARD_URL>
                   roles_key: Roles
-                  exchange_key: 'MIICajCCAdOgAwIBAgIBAD.........'
+                  exchange_key: 'b1d6dd32753374557dcf92e241.......'
               authentication_backend:
                 type: noop
 

source/user-manual/user-administration/single-sign-on/read-only/index.rst

@@ -21,8 +21,8 @@ The following parameters are required to make the configurations on the Wazuh da
 -  ``sp.entity_id``: Entity ID of the Service Provider. This is a unique value assigned to a Service Provider.
 -  ``kibana_url``: URL to access the Wazuh dashboard.
 -  ``roles_key``: The attribute in the SAML assertion where the roles/groups are sent.
--  ``exchange_key``: The key that will be used to sign the assertions. It must have at least 32 characters.
-  
+-  ``exchange_key``: The key that will be used to sign the assertions. It must have at least 64 characters.
+
 .. note::
 
    -  The group and role names used in this guide can be changed. They do not necessarily have to be the ones we used.