Kibana - SAML w/ Azure AD

Hey all,

I have a weird issue trying to configure SAML with Azure AD. I’ve set up metadata_url and according to the logs it’s pulling it just fine. However I’m getting an error with the Base64Utility.Decode() function, which makes it seem like it’s not parsing the cert correctly from the metadata. I’ll post the metadata sample from Azure below. Is there any way to manually insert the cert content to the config? Or am I missing something… thanks!

$ is a placeholder; the URLs and roles are configured properly.

SAML config:

saml_auth_domain:
    http_enabled: true
    order: 0
    http_authenticator:
      type: saml
      challenge: true
      config:
        idp:
          metadata_url: https://login.microsoftonline.com/$
          entity_id: https://sts.windows.net/$
        sp:
          entity_id: kibana-saml
        roles_key: $
        kibana_url: https://kibana.$.com
        exchange_key: JZtoofdsatgreastgresg.........
    authentication_backend:
      type: noop

Metadata:
https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml

Error when trying to push config:

    [2019-08-12T23:45:15,227][INFO ][o.o.s.m.r.i.AbstractReloadingMetadataResolver] [server] Metadata Resolver SamlHTTPMetadataResolver com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator_17: New metadata successfully loaded for 'https://login.microsoftonline.com/$/federationmetadata/2007-06/federationmetadata.xml?appid=$'
    [2019-08-12T23:45:15,227][INFO ][o.o.s.m.r.i.AbstractReloadingMetadataResolver] [server] Metadata Resolver SamlHTTPMetadataResolver com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator_17: Next refresh cycle for metadata provider 'https://login.microsoftonline.com/$/federationmetadata/2007-06/federationmetadata.xml?appid=$' will occur on '2019-08-13T06:45:15.077Z' ('2019-08-13T02:45:15.077-04:00' local time)
    [2019-08-12T23:45:15,228][ERROR][c.a.d.a.h.s.HTTPSamlAuthenticator] [server] Error creating HTTPSamlAuthenticator: java.lang.SecurityException: org.apache.cxf.common.util.Base64Exception: Runtime exception in Base64Utility.decode() during output. SAML authentication will not work
    java.lang.SecurityException: org.apache.cxf.common.util.Base64Exception: Runtime exception in Base64Utility.decode() during output
        at org.apache.cxf.rt.security.crypto.CryptoUtils.decodeSequence(CryptoUtils.java:664) ~[cxf-rt-security-3.2.2.jar:3.2.2]
        at org.apache.cxf.rs.security.jose.common.JoseUtils.decode(JoseUtils.java:117) ~[cxf-rt-rs-security-jose-3.2.2.jar:3.2.2]
        at org.apache.cxf.rs.security.jose.jws.JwsUtils.getSignatureProvider(JwsUtils.java:103) ~[cxf-rt-rs-security-jose-3.2.2.jar:3.2.2]
        at org.apache.cxf.rs.security.jose.jws.JwsUtils.getSignatureProvider(JwsUtils.java:91) ~[cxf-rt-rs-security-jose-3.2.2.jar:3.2.2]
        at com.amazon.dlic.auth.http.saml.AuthTokenProcessorHandler.<init>(AuthTokenProcessorHandler.java:120) ~[opendistro_security_advanced_modules-1.1.0.0.jar:1.1.0.0]
        at com.amazon.dlic.auth.http.saml.HTTPSamlAuthenticator.<init>(HTTPSamlAuthenticator.java:118) [opendistro_security_advanced_modules-1.1.0.0.jar:1.1.0.0]
        at jdk.internal.reflect.GeneratedConstructorAccessor85.newInstance(Unknown Source) ~[?:?]
        at jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:?]
        at java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:500) ~[?:?]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:481) ~[?:?]
        at com.amazon.opendistroforelasticsearch.security.support.ReflectionHelper.instantiateAAA(ReflectionHelper.java:259) [opendistro_security-1.1.0.0.jar:1.1.0.0]
        at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigModelV7.newInstance(DynamicConfigModelV7.java:334) [opendistro_security-1.1.0.0.jar:1.1.0.0]
        at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigModelV7.buildAAA(DynamicConfigModelV7.java:251) [opendistro_security-1.1.0.0.jar:1.1.0.0]
        at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigModelV7.<init>(DynamicConfigModelV7.java:60) [opendistro_security-1.1.0.0.jar:1.1.0.0]
        at com.amazon.opendistroforelasticsearch.security.securityconf.DynamicConfigFactory.onChange(DynamicConfigFactory.java:165) [opendistro_security-1.1.0.0.jar:1.1.0.0]
        at com.amazon.opendistroforelasticsearch.security.configuration.ConfigurationRepository.notifyAboutChanges(ConfigurationRepository.java:308) [opendistro_security-1.1.0.0.jar:1.1.0.0]
        at com.amazon.opendistroforelasticsearch.security.configuration.ConfigurationRepository.reloadConfiguration0(ConfigurationRepository.java:297) [opendistro_security-1.1.0.0.jar:1.1.0.0]
        at com.amazon.opendistroforelasticsearch.security.configuration.ConfigurationRepository.reloadConfiguration(ConfigurationRepository.java:280) [opendistro_security-1.1.0.0.jar:1.1.0.0]
        at com.amazon.opendistroforelasticsearch.security.action.configupdate.TransportConfigUpdateAction.nodeOperation(TransportConfigUpdateAction.java:126) [opendistro_security-1.1.0.0.jar:1.1.0.0]
        at com.amazon.opendistroforelasticsearch.security.action.configupdate.TransportConfigUpdateAction.nodeOperation(TransportConfigUpdateAction.java:58) [opendistro_security-1.1.0.0.jar:1.1.0.0]
        at org.elasticsearch.action.support.nodes.TransportNodesAction.nodeOperation(TransportNodesAction.java:129) [elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.action.support.nodes.TransportNodesAction$NodeTransportHandler.messageReceived(TransportNodesAction.java:246) [elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.action.support.nodes.TransportNodesAction$NodeTransportHandler.messageReceived(TransportNodesAction.java:242) [elasticsearch-7.1.1.jar:7.1.1]
        at com.amazon.opendistro.elasticsearch.performanceanalyzer.transport.PerformanceAnalyzerTransportRequestHandler.messageReceived(PerformanceAnalyzerTransportRequestHandler.java:43) [opendistro_performance_analyzer-1.1.0.0.jar:1.1.0.0]
        at com.amazon.opendistroforelasticsearch.security.ssl.transport.OpenDistroSecuritySSLRequestHandler.messageReceivedDecorate(OpenDistroSecuritySSLRequestHandler.java:164) [opendistro_security-1.1.0.0.jar:1.1.0.0]
        at com.amazon.opendistroforelasticsearch.security.transport.OpenDistroSecurityRequestHandler.messageReceivedDecorate(OpenDistroSecurityRequestHandler.java:163) [opendistro_security-1.1.0.0.jar:1.1.0.0]
        at com.amazon.opendistroforelasticsearch.security.ssl.transport.OpenDistroSecuritySSLRequestHandler.messageReceived(OpenDistroSecuritySSLRequestHandler.java:86) [opendistro_security-1.1.0.0.jar:1.1.0.0]
        at com.amazon.opendistroforelasticsearch.security.OpenDistroSecurityPlugin$7$1.messageReceived(OpenDistroSecurityPlugin.java:623) [opendistro_security-1.1.0.0.jar:1.1.0.0]
        at org.elasticsearch.transport.RequestHandlerRegistry.processMessageReceived(RequestHandlerRegistry.java:63) [elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.transport.TransportService$7.doRun(TransportService.java:693) [elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.common.util.concurrent.ThreadContext$ContextPreservingAbstractRunnable.doRun(ThreadContext.java:751) [elasticsearch-7.1.1.jar:7.1.1]
        at org.elasticsearch.common.util.concurrent.AbstractRunnable.run(AbstractRunnable.java:37) [elasticsearch-7.1.1.jar:7.1.1]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
        at java.lang.Thread.run(Thread.java:835) [?:?]
    Caused by: org.apache.cxf.common.util.Base64Exception: Runtime exception in Base64Utility.decode() during output
        at org.apache.cxf.common.util.Base64Utility.decode(Base64Utility.java:202) ~[cxf-core-3.2.2.jar:3.2.2]
        at org.apache.cxf.common.util.Base64UrlUtility.decode(Base64UrlUtility.java:41) ~[cxf-core-3.2.2.jar:3.2.2]
        at org.apache.cxf.rt.security.crypto.CryptoUtils.decodeSequence(CryptoUtils.java:662) ~[cxf-rt-security-3.2.2.jar:3.2.2]
        ... 34 more

Any help would really be appreciated. Let me know if you need more information.

1 Like

Hi
The issue can come from the size of your key; you should check that your exchange_key is at least 32 characters and an even number (it can be 32, 34, 36 …).

1 Like

A year and a half later…

Yes this was the fix for the issue. I had randomly generated a 33 character string by mistake, which caused this error. Taking off one character fixed the issue.
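The stack trace in the first post shows the plugin handing `exchange_key` to a JOSE base64url decoder (`JoseUtils.decode` → `Base64UrlUtility.decode`), and the thread ends with a 33-character key failing and a 32-character one working. The script below is an added example, written for this thread and not code from the forum or from the Open Distro security plugin: it is a Python stand-in for that decode step that a practitioner can run as a pre-flight check before pushing `config.yml`. The 32-character minimum is taken from the reply above (an assumption, not something taken from project documentation); the base64 rule it applies is the standard one: an unpadded length with remainder 1 mod 4 can never be decoded, because the single leftover character carries only 6 bits. The sample keys in the `__main__` block are constructed for illustration.

```python
import base64
import binascii
import re
import secrets

# Minimum length recommended by the reply in this thread (assumption taken from
# the reply, not from the plugin's documentation).
MIN_EXCHANGE_KEY_CHARS = 32

# base64url alphabet (RFC 4648 section 5), padding characters excluded.
_B64URL_BODY = re.compile(r"^[A-Za-z0-9_-]*$")


def base64url_decode(value: str) -> bytes:
    """Decode base64url text that may omit '=' padding, as JOSE libraries do.

    Raises ValueError when the text can never be valid base64url. The case that
    matters here is an unpadded length with remainder 1 mod 4: one leftover
    character carries only 6 bits, less than a byte, so no amount of padding can
    make it decodable. A 33-character key is exactly that case.
    """
    body = value.rstrip("=")
    if not _B64URL_BODY.match(body):
        raise ValueError("contains characters outside the base64url alphabet")
    if len(body) % 4 == 1:
        raise ValueError(f"unpadded length {len(body)} is 1 mod 4 and cannot be decoded")
    padded = body + "=" * (-len(body) % 4)
    try:
        return base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"decode failed: {exc}") from exc


def check_exchange_key(key: str) -> dict:
    """Pre-flight check for an exchange_key value before pushing the config.

    Returns a report rather than raising, so it can be run over several
    candidate values and the problems listed in one go.
    """
    report = {
        "length": len(key),
        "decodable": False,
        "decoded_bytes": 0,
        "meets_min_length": len(key) >= MIN_EXCHANGE_KEY_CHARS,
        "problems": [],
    }
    if not report["meets_min_length"]:
        report["problems"].append(
            f"only {len(key)} characters; at least {MIN_EXCHANGE_KEY_CHARS} recommended"
        )
    try:
        raw = base64url_decode(key)
    except ValueError as exc:
        report["problems"].append(str(exc))
    else:
        report["decodable"] = True
        report["decoded_bytes"] = len(raw)
    return report


def generate_exchange_key(num_bytes: int = 24) -> str:
    """Generate a random key that is base64url by construction.

    24 random bytes encode to exactly 32 base64url characters with no padding,
    so the result always satisfies check_exchange_key.
    """
    return secrets.token_urlsafe(num_bytes)


if __name__ == "__main__":
    # Constructed sample keys; the 33-character one mimics the mistake in the thread.
    for sample in ("A" * 33, "A" * 32, generate_exchange_key()):
        print(len(sample), check_exchange_key(sample))
```

Running the script prints a report for each sample; the 33-character key is reported as not decodable while the 32-character key and the generated key pass. Because an even length is never 1 mod 4, any key chosen by the reply's even-number rule passes this check as well; generating the key from random bytes with `secrets.token_urlsafe` avoids the length question entirely, since the output is already valid base64url.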