SAML Authentication Not Working

I’m having trouble with getting SAML working in Kibana, no matter what I try I always get redirected to /customerror?type=samlConfigError#?_g=() where it shows this error:

SAML configuration error

Something went wrong while retrieving the SAML configuration, please check your settings.

There’s nothing obviously SAML related showing up in the log files either. Is there a way to enable debug logging for the SAML authentication so I can troubleshoot this issue?

I eventually figured out this particular issue. It was caused by basic_internal_auth_domain being set to a lower order than saml_auth_domain. Still, it would be useful to have some kind of log output that explains what is going wrong.

2 Likes

Hi

You can set these in log4j2.properties

logger.token.name = com.amazon.dlic.auth.http.saml.Token
logger.token.level = debug

This will print out the SAML response in the Elasticsearch log file so you can inspect and debug it.

Another way of inspecting the SAML Response is to monitor the network traffic while logging in to Kibana. The IdP will HTTP POST the base64-encoded SAML Response to:

/_opendistro/_security/saml/acs

Inspect the payload of this POST request and use a tool like https://www.base64decode.org/ to decode it.
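As an added example (not code from the Open Distro project or from anyone in this thread), the following script does what the reply above describes offline: it takes the form-encoded body an IdP POSTs to /_opendistro/_security/saml/acs, base64-decodes the SAMLResponse field, and pulls out the values that have to line up with the saml_auth_domain config (Issuer vs idp.entity_id, Audience vs sp.entity_id, Destination vs kibana_url plus the ACS path, and the roles_key attribute). The sample response, the tenant id, the user and the Kibana hostname are all constructed placeholders; the signature check only reports whether an XML-DSig Signature element is present, it does not validate it.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

# XML namespaces used in SAML 2.0 protocol messages and XML-DSig
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# roles_key as used in the config posted later in this thread
ROLES_KEY = "http://schemas.microsoft.com/identity/claims/tenantid"

# Constructed sample: a minimal, unsigned SAML Response as an IdP might POST it.
# Tenant id, user and hostname are placeholders, not real values.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_r1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
  Destination="https://kibana.example.internal:5601/_opendistro/_security/saml/acs">
  <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT-ID/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/EXAMPLE-TENANT-ID/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>myEntityID</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/tenantid">
        <saml:AttributeValue>EXAMPLE-TENANT-ID</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_acs_post_body(response_xml: str) -> str:
    """Build the form-encoded body an IdP POSTs to the ACS endpoint (for the demo)."""
    b64 = base64.b64encode(response_xml.encode("utf-8")).decode("ascii")
    return urllib.parse.urlencode({"SAMLResponse": b64, "RelayState": "/app/kibana"})


def decode_acs_post_body(body: str) -> dict:
    """Decode a captured ACS POST body and extract the fields that must match
    the saml_auth_domain configuration."""
    fields = urllib.parse.parse_qs(body)
    xml_bytes = base64.b64decode(fields["SAMLResponse"][0])
    root = ET.fromstring(xml_bytes)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion in Response (encrypted or malformed)")

    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)
        ]
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    return {
        "destination": root.get("Destination"),
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": audience.text if audience is not None else None,
        "attributes": attributes,
        # presence only; a real deployment must verify the signature cryptographically
        "signed": root.find(".//ds:Signature", NS) is not None,
    }


def check_against_config(decoded: dict, idp_entity_id: str, sp_entity_id: str,
                         kibana_url: str, roles_key: str) -> list:
    """Return a list of mismatches between the decoded response and config values."""
    problems = []
    if decoded["issuer"] != idp_entity_id:
        problems.append(f"issuer {decoded['issuer']!r} != idp.entity_id {idp_entity_id!r}")
    if decoded["audience"] != sp_entity_id:
        problems.append(f"audience {decoded['audience']!r} != sp.entity_id {sp_entity_id!r}")
    expected_acs = kibana_url.rstrip("/") + "/_opendistro/_security/saml/acs"
    if decoded["destination"] != expected_acs:
        problems.append(f"destination {decoded['destination']!r} != {expected_acs!r}")
    if roles_key not in decoded["attributes"]:
        problems.append(f"roles_key {roles_key!r} not present in assertion attributes")
    if not decoded["signed"]:
        problems.append("response is not signed")
    return problems


if __name__ == "__main__":
    body = encode_acs_post_body(SAMPLE_RESPONSE_XML)
    decoded = decode_acs_post_body(body)
    for key, value in decoded.items():
        print(f"{key}: {value}")
    for problem in check_against_config(decoded, "https://sts.windows.net/EXAMPLE-TENANT-ID/",
                                        "myEntityID", "https://kibana.example.internal:5601",
                                        ROLES_KEY):
        print("mismatch:", problem)
```

To use it on a real capture, paste the raw POST body from the browser's network tab into decode_acs_post_body instead of the constructed one; any line printed as a mismatch points at the config key (idp.entity_id, sp.entity_id, kibana_url or roles_key) that disagrees with what the IdP actually sends.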

It never even got to the point of attempting SAML, it failed before that part.

Debug logging for SAML config errors is currently limited.
We can probably improve its verbosity in the future.

1 Like

Ran into the same issue here. Fixing the ordering resolved my problem.

1 Like

Just to be clear, the correct ordering is with basic_internal_auth_domain at zero, and saml_auth_domain at one (or similar)?

Logging security configuration issues definitely needs to be addressed. It’s extremely frustrating to have zero indications as to why the cluster is not initializing correctly.

I’ve created an issue here.

As an aside, I really hope support in terms of communication on these forums and issue handling on Github improves significantly.

Hi Guys,

I can’t make my SAML authentication work. Kibana always redirects me to …/customerror?type=samlAuthError#?_g=().
This is my config.yml file:

...
    authc:
      basic_internal_auth_domain:
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: https://login.microsoftonline.com/id/federationmetadata/2007-06/federationmetadata.xml?appid=anotherID
              entity_id: https://sts.windows.net/id/
            sp:
              entity_id: myEntityID
            kibana_url: https://<kibana_url>:<kibana_port>
            exchange_key: eijdaiefjoqeifjq30f93j109qwj130dq23
            roles_key: http://schemas.microsoft.com/identity/claims/tenantid
        authentication_backend:
          type: noop
...
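Since the fix in this thread was the relative order of basic_internal_auth_domain and saml_auth_domain, and the plugin does not log it, here is an added example (not Open Distro code, not posted by anyone in the thread) that parses the authc section of a security config.yml and reports the ordering mistake, along with two related checks drawn from the config posted above: duplicate order values, and a basic domain with challenge set to true next to a SAML domain. The YAML reader is a deliberately small one that only handles the nested key/value maps this section uses (no lists, anchors or quoting); the embedded config mirrors the one above with placeholder values for the IdP, Kibana URL and exchange key.

```python
# Constructed sample modelled on the config.yml posted in this thread; all
# URLs, ids and the exchange_key are placeholders.
SAMPLE_CONFIG = """\
config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: https://idp.example.invalid/federationmetadata.xml
              entity_id: https://idp.example.invalid/
            sp:
              entity_id: myEntityID
            kibana_url: https://kibana.example.internal:5601
            exchange_key: REPLACE-WITH-RANDOM-SECRET
            roles_key: http://schemas.microsoft.com/identity/claims/tenantid
        authentication_backend:
          type: noop
"""


def _coerce(value: str):
    """Turn YAML scalars into bool/int where obvious, otherwise keep the string."""
    low = value.lower()
    if low in ("true", "false"):
        return low == "true"
    if value.isdigit():
        return int(value)
    return value


def parse_simple_yaml(text: str) -> dict:
    """Parse the nested key: value subset of YAML used by the authc section.
    Indentation defines nesting; lists, anchors and quoting are not supported."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped in ("...", "---"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = stripped.partition(":")  # split on the first colon only
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":
            child = {}
            parent[key.strip()] = child
            stack.append((indent, child))
        else:
            parent[key.strip()] = _coerce(value.strip())
    return root


def check_authc(authc: dict) -> list:
    """Return human-readable findings about the auth domain ordering."""
    findings = []
    by_type = {}
    for name, domain in authc.items():
        auth_type = domain.get("http_authenticator", {}).get("type")
        by_type.setdefault(auth_type, []).append((name, domain.get("order")))
    basic, saml = by_type.get("basic", []), by_type.get("saml", [])
    if not saml:
        findings.append("no auth domain with http_authenticator.type: saml")
    for bname, border in basic:
        for sname, sorder in saml:
            if border is None or sorder is None:
                findings.append(f"{bname} or {sname} has no order value")
            elif border >= sorder:
                findings.append(f"{bname} (order {border}) must have a lower order "
                                f"than {sname} (order {sorder})")
        if saml and authc[bname]["http_authenticator"].get("challenge") is True:
            findings.append(f"{bname}: challenge should be false alongside a SAML domain")
    orders = [d.get("order") for d in authc.values()]
    for dup in sorted({o for o in orders if o is not None and orders.count(o) > 1}):
        findings.append(f"order {dup} is used by more than one auth domain")
    return findings


def check_config_text(text: str) -> list:
    """Parse a config.yml string and run the authc checks on it."""
    return check_authc(parse_simple_yaml(text)["config"]["dynamic"]["authc"])


if __name__ == "__main__":
    for finding in check_config_text(SAMPLE_CONFIG) or ["authc ordering looks fine"]:
        print(finding)
```

Run it against the real file with check_config_text(open("config.yml").read()); the empty-findings case corresponds to the working layout in this thread (basic at order 0, SAML at order 1).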