Hi,
I am trying and failing to set up an Okta/SAML connection to Open Distro. We are using 1.13.2 and have a single-instance cluster running in AWS. I have followed the instructions for setting it up from SAML - Open Distro Documentation; here is the Kibana setup:
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.enable_global: true
opendistro_security.multitenancy.tenants.enable_private: false
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.multitenancy.enable_filter: false
elasticsearch.username: username
elasticsearch.password: password
server.host: "0.0.0.0"
server.port: "5601"
opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]
OD Okta config:
order: 1
description: "OKTA saml connection."
http_enabled: true
transport_enabled: false
http_authenticator:
  type: saml
  challenge: true
  config:
    idp:
      metadata_file: metadata.xml
      entity_id: https://www.okta.com/{org.externalKey}
    sp:
      entity_id: TEST
      forceAuthn: true
    kibana_url: http://cdlaudit-kibana.dev.blah:5601
    #kibana_url: http://localhost:5601
    subject_key: UserID
    roles_key: Role
    exchange_key: 32_character_key
authentication_backend:
  type: noop
Okta config:
GENERAL
Single Sign On URL: http://cdlaudit-kibana.dev.blah:5601/_opendistro/_security/saml/acs/idpinitiated
Recipient URL: http://cdlaudit-kibana.dev.blah:5601/_opendistro/_security/saml/acs/idpinitiated
Destination URL: http://cdlaudit-kibana.dev.blah:5601/_opendistro/_security/saml/acs/idpinitiated
Audience Restriction: Test
Default RelayState:
Name ID Format: Unspecified
Response: Signed
Assertion Signature: Signed
Signature Algorithm: RSA_SHA256
Digest Algorithm: SHA256
Assertion Encryption: Unencrypted
SAML Single Logout: Disabled
authnContextClassRef: PasswordProtectedTransport
Honor Force Authentication: Yes
Assertion Inline Hook: None (disabled)
SAML Issuer ID: http://www.okta.com/${org.externalKey}
ATTRIBUTE STATEMENTS
Name | Name Format | Value
UserID | Unspecified | user.login
GROUP ATTRIBUTE STATEMENTS
Name | Name Format | Filter
Role | Unspecified | Matches regex: .*
This just returns a 500 when we try to launch from Okta.
In the Kibana logs we see this error:
Jul 05 08:17:44 ip-99-999-999-999.eu-west-1.compute.internal kibana[4315]: {"type":"error","@timestamp":"2021-07-05T08:17:44Z","tags":[],"pid":4315,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toError (/usr/share/kibana/src/core/server/http/router/response_adapter.js:132:19)\n at HapiResponseAdapter.toHapiResponse (/usr/share/kibana/src/core/server/http/router/response_adapter.js:86:19)\n at HapiResponseAdapter.handle (/usr/share/kibana/src/core/server/http/router/response_adapter.js:81:17)\n at Router.handle (/usr/share/kibana/src/core/server/http/router/router.js:164:34)\n at process._tickCallback (internal/process/next_tick.js:68:7)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":null,"query":{},"pathname":"/_opendistro/_security/saml/acs/idpinitiated","path":"/_opendistro/_security/saml/acs/idpinitiated","href":"/_opendistro/_security/saml/acs/idpinitiated"},"message":"Internal Server Error"}
I have created a role and a role mapping for a role the user is a member of. Is there something else I am missing? Can anybody point me in the right direction?
I have tested the docker test version from OD and noticed that on this I get a RequestId in the Request body where on my system I don’t. I don’t know what creates it or if it is relevant but mentioning it for awareness.
Thanks,
Tony.
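An added consistency check, not part of the original post and not Open Distro's own code: it cross-checks the three configurations above, hand-transcribed as Python dicts, against the matching rules the Open Distro SAML documentation sets out (sp.entity_id must equal the Okta Audience URI, the Okta SSO/Recipient/Destination URLs must be the IdP-initiated ACS endpoint under kibana_url, the ACS paths must be in server.xsrf.whitelist, and subject_key/roles_key must name attributes Okta actually sends). The dict layout, the `okta` field names and the 32-character exchange_key placeholder are constructed for this example.

```python
from urllib.parse import urljoin

# Paths that receive unauthenticated POSTs during the SAML flow; kibana.yml must whitelist them.
ACS_PATHS = ("/_opendistro/_security/saml/acs",
             "/_opendistro/_security/saml/acs/idpinitiated",
             "/_opendistro/_security/saml/logout")

def check_saml_setup(od_domain, kibana_cfg, okta):
    """Return a list of mismatches between the three configs (empty list = consistent)."""
    problems = []
    cfg = od_domain["http_authenticator"]["config"]
    # Okta copies its Audience URI into the assertion's <Audience>; the plugin
    # rejects the assertion unless that string equals sp.entity_id exactly.
    if cfg["sp"]["entity_id"] != okta["audience_restriction"]:
        problems.append(f"sp.entity_id {cfg['sp']['entity_id']!r} != Okta audience "
                        f"{okta['audience_restriction']!r} (exact match required)")
    # All three Okta URLs must point at the IdP-initiated ACS endpoint under kibana_url.
    expected_acs = urljoin(cfg["kibana_url"], "/_opendistro/_security/saml/acs/idpinitiated")
    for field in ("sso_url", "recipient_url", "destination_url"):
        if okta[field] != expected_acs:
            problems.append(f"Okta {field} {okta[field]!r} != {expected_acs!r}")
    whitelist = kibana_cfg.get("server.xsrf.whitelist", [])
    problems += [f"{p} missing from server.xsrf.whitelist" for p in ACS_PATHS if p not in whitelist]
    # The attribute names Okta emits must be the ones the plugin reads.
    if cfg["subject_key"] not in okta["attributes"]:
        problems.append(f"subject_key {cfg['subject_key']!r} is not an Okta attribute statement")
    if cfg["roles_key"] not in okta["group_attributes"]:
        problems.append(f"roles_key {cfg['roles_key']!r} is not an Okta group attribute statement")
    return problems

# Values transcribed from the post; exchange_key is a constructed 32-character placeholder.
OD_DOMAIN = {"order": 1, "http_enabled": True, "transport_enabled": False,
             "http_authenticator": {"type": "saml", "challenge": True, "config": {
                 "idp": {"metadata_file": "metadata.xml"},
                 "sp": {"entity_id": "TEST", "forceAuthn": True},
                 "kibana_url": "http://cdlaudit-kibana.dev.blah:5601",
                 "subject_key": "UserID", "roles_key": "Role", "exchange_key": "x" * 32}},
             "authentication_backend": {"type": "noop"}}
KIBANA_YML = {"opendistro_security.auth.type": "saml", "server.xsrf.whitelist": list(ACS_PATHS)}
ACS_URL = "http://cdlaudit-kibana.dev.blah:5601/_opendistro/_security/saml/acs/idpinitiated"
OKTA_APP = {"sso_url": ACS_URL, "recipient_url": ACS_URL, "destination_url": ACS_URL,
            "audience_restriction": "Test",
            "attributes": {"UserID": "user.login"},
            "group_attributes": {"Role": "Matches regex: .*"}}

if __name__ == "__main__":
    for problem in check_saml_setup(OD_DOMAIN, KIBANA_YML, OKTA_APP):
        print("MISMATCH:", problem)
```

Run against the values in the post it reports one mismatch, the case difference between sp.entity_id "TEST" and the Okta Audience Restriction "Test"; everything else lines up.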