SAML configuration problems

diabllos · May 8, 2019, 3:31pm

Hi,
I’ve spent almost a day trying to configure SAML with no luck… I always end with:

SAML configuration error
Something went wrong while retrieving the SAML configuration, please check your settings.`

It’s probably a stupid mistake or something that I’m not aware off. Below is my authc config section:

authc:
  saml_auth_domain:
    enabled: true
    order: 1
    http_authenticator:
      type: saml
      challenge: true
      config:
        idp:
          metadata_url: https://xxxxxxx.xx.com/idp/xxxx
          entity_id: https://xxxx.xx.com/idp/xxxx
        sp:
          entity_id: elastic_xxxx
        kibana_url: http://kibana-server.subdomain.com:5601/
        roles_key: Role
        exchange_key: 'weewqrtyytruyiooiuasdsadsdkfjhasdhfoaiw...'
    authentication_backend:
      type: noop
  basic_internal_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: intern

If someone could help or point me how could I enable any sort of debugging it would really appreciate it. I already tried to change the log level to debug but sadly this doesn’t show my anything more.

UDPATE:

I’m not quite sure why as I wasn’t able to find any errors in the logs but metadata_url was a no go for me. I’ve changed that to metadata_file put the metadata file in the appropriate config directory - that appropriate word is crucial as if you put it in a different one you won’t get an error in the logs. Just the usual SAML configuration error.

Fixed the missing InResponseTo tag in the SAMLResponse and voila it works like a charm

tcrisall · August 21, 2019, 6:03pm

Hi there - thanks for the Update of hope. Any chance you could elaborate on which is the appropriate config directory? and where the missing tag was? (was that something needed in the metadata you created to describe opendistro as a SP?)

tcrisall · August 23, 2019, 4:18am

Ok - I’m back and have a few updates…

First - the docs outline the config directory… AND I got a bit further along on my adventure. I took my saml config straight out of the examples provided - and managed to finally tease the following error out of elasticsearch:

ERR: Seems /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml is not in Open Distro Security 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field “enabled”

it turns out that the ‘enabled’ it’s refering to is the one from the example config:

  saml_auth_domain:
     enabled: true

I got rid of the ‘enabled: true’ and now I’m to the point where I’m now getting redirected to my IDP

one other thing to note - I’m using docker images - and it seems that I have to connect to one of the elastic nodes and run securityadmin.sh with the -dg (which seems to reload all the configs as part of running diagnostics) to get it to actually pay attention to config file content.

Topic		Replies	Views
Unable to perform SAML Security	3	1736	February 27, 2020
SAML Authentication Not Working Security	8	2737	November 25, 2019
Unable to get SAML to work after upgrade OpenDistro troubleshoot , configure , upgrade	1	485	February 7, 2023
Debugging SAML with Open Distro Security	2	1029	April 19, 2021
Unable to configure SAML with Jumpcloud and Opendistro Security	10	1613	June 23, 2021

SAML configuration problems

Related topics