I am trying to use SAML as an auth domain for Open Distro 1.1.0 on ELK 7.1.1. I have followed the procedure described on the Open Distro website and I think I am very close to making it work. There is still an error I get when I try to log in to Kibana using SAML SSO.
I have enabled debug logs for SAML so I can see the handshake with the responses in the logs. I see that it is able to identify me and returns roles=[all AD groups I am part of], but then I get the final SAML response status as
StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"
and then I see it retry 6 times before giving up. Every time I see a JWT token which then gets decoded to something in this format: {"nbf":1566330778,"exp":1566334378,"sub":"domain\myntid","saml_nif":"u","saml_si":"_7cfe7e99…6b8e1e6d678f","roles":["grp1","grp2"…"grpn"]}
For security reasons I have replaced the real values of the AD groups, my NTID and the domain.
Can anyone suggest a solution here or what I may be doing wrong? My security config is as shown below:
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      saml_auth_domain:
        description: "SAML Authentication"
        http_enabled: true
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: 'https://xxxxxxxx.domain.com/FederationMetadata/2007-06/FederationMetadata.xml'
              entity_id: http://xxxxxxxx.domain.com/adfs/services/trust
              enable_ssl: false
            sp:
              entity_id: kibana-saml
              forceAuthn: true
            kibana_url:
            roles_key: 'Roles'
            exchange_key: 'ahlh1231423fjsgha…SNSJGHNSKHSsaadfdsfsgs'
        authentication_backend:
          type: noop
    authz:
      # Everything disabled here.....
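When troubleshooting a handshake like the one above, the first thing to pin down is what the JWT quoted from the logs actually says and whether it is still inside its nbf/exp window at the moment the plugin retries. The following is an added example (not code from the post, and not part of Open Distro or its Kibana plugin): it decodes the three base64url segments of a JWT, summarises subject, roles and validity window against a caller-supplied clock, and verifies an HMAC-SHA signature. The token, the key and the `make_hs_token` helper are constructed here for the example; the assumption that the token is HMAC-signed (HS256/HS384/HS512) with a shared secret is mine, and anything else (RSA, `none`) is reported as unverifiable rather than guessed.

```python
"""Decode and sanity-check a JWT of the shape quoted in the post (added example)."""
import base64
import hashlib
import hmac
import json

# HMAC algorithms this checker is willing to verify (assumption: shared-secret tokens).
_HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the header and claims of a JWT without checking its signature."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return {
        "header": json.loads(_b64url_decode(header_b64)),
        "claims": json.loads(_b64url_decode(payload_b64)),
    }


def verify_hs_signature(token: str, key: bytes) -> bool:
    """True only if the token carries a valid HMAC-SHA signature under `key`."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64)).get("alg")
    digest = _HMAC_ALGS.get(alg)
    if digest is None:
        return False  # RS*/ES*/none: not an HMAC token, refuse rather than guess
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, digest).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


def check_token(token: str, now: int, roles_key: str = "roles") -> dict:
    """Summarise what a troubleshooter wants to see: validity window, subject, roles."""
    claims = decode_claims(token)["claims"]
    nbf, exp = claims.get("nbf"), claims.get("exp")
    return {
        "subject": claims.get("sub"),
        "roles": claims.get(roles_key, []),
        "not_yet_valid": nbf is not None and now < nbf,
        "expired": exp is not None and now >= exp,
        "lifetime_seconds": (exp - nbf) if nbf is not None and exp is not None else None,
    }


def make_hs_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a signed token for testing (constructed sample, not a real Kibana token)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), _HMAC_ALGS[alg]).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


# Constructed sample mirroring the claim shape quoted in the post; key and session index are made up.
SAMPLE_KEY = b"constructed-exchange-key-not-real"
SAMPLE_CLAIMS = {
    "nbf": 1566330778,
    "exp": 1566334378,
    "sub": "domain\\myntid",
    "saml_nif": "u",
    "saml_si": "_constructed-session-index",
    "roles": ["grp1", "grp2", "grpn"],
}
SAMPLE_TOKEN = make_hs_token(SAMPLE_CLAIMS, SAMPLE_KEY)

if __name__ == "__main__":
    print(check_token(SAMPLE_TOKEN, now=1566330800))
    print("signature ok:", verify_hs_signature(SAMPLE_TOKEN, SAMPLE_KEY))
```

To use it on a token copied from the debug log, call `check_token(token, now=int(time.time()))` and compare the reported window with the timestamps of the retries; `verify_hs_signature` is only meaningful if you pass the secret the two sides actually share, so a `False` there says either the key or the algorithm assumption is wrong, not necessarily that the token was tampered with.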