SAML configuration problems

I’ve spent almost a day trying to configure SAML with no luck… I always end with:

SAML configuration error
Something went wrong while retrieving the SAML configuration, please check your settings.

It’s probably a stupid mistake or something that I’m not aware of. Below is my authc config section:

    # Domain names follow the Open Distro docs example; the idp: block
    # (metadata_url / IdP entity_id) was not included in this post.
    saml_auth_domain:
      enabled: true
      order: 1
      http_authenticator:
        type: saml
        challenge: true
        config:
          sp:
            entity_id: elastic_xxxx
          roles_key: Role
          exchange_key: 'weewqrtyytruyiooiuasdsadsdkfjhasdhfoaiw...'
      authentication_backend:
        type: noop
    basic_internal_auth_domain:
      http_enabled: true
      transport_enabled: true
      order: 0
      http_authenticator:
        type: basic
        challenge: false
      authentication_backend:
        type: intern

If someone could help, or point me to how I could enable any sort of debugging, I would really appreciate it. I already tried to change the log level to debug, but sadly this doesn’t show me anything more.


I’m not quite sure why, as I wasn’t able to find any errors in the logs, but metadata_url was a no go for me. I’ve changed that to metadata_file and put the metadata file in the appropriate config directory. That word “appropriate” is crucial: if you put it in a different one you won’t get an error in the logs, just the usual SAML configuration error.

Fixed the missing InResponseTo tag in the SAMLResponse and voila, it works like a charm.
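The InResponseTo problem above is what an SP's correlation check looks for: the Response must carry the ID of the AuthnRequest the SP issued, and the assertion's SubjectConfirmationData must agree with it. The following is an added example of that check, not code from the thread or from Open Distro Security; the two SAMLResponse documents are constructed samples and the issuer and ACS URLs are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def check_in_response_to(saml_response_xml, outstanding_request_ids):
    """Return (ok, reason). ok is True only when the Response carries an
    InResponseTo matching a pending AuthnRequest ID and any
    SubjectConfirmationData InResponseTo agrees with it."""
    root = ET.fromstring(saml_response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, "root element is not samlp:Response"
    irt = root.get("InResponseTo")
    if irt is None:
        # The failure mode from the thread: an IdP that omits the attribute.
        return False, "Response has no InResponseTo attribute (unsolicited response)"
    if irt not in outstanding_request_ids:
        return False, "InResponseTo %r does not match any pending AuthnRequest" % irt
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        scd_irt = scd.get("InResponseTo")
        if scd_irt is not None and scd_irt != irt:
            return False, "SubjectConfirmationData InResponseTo %r != %r" % (scd_irt, irt)
    return True, "ok"


# Constructed sample: a Response with no InResponseTo (placeholder URLs).
RESPONSE_MISSING = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2020-01-01T00:00:00Z" Destination="https://kibana.example/saml/acs">
  <saml:Issuer>https://idp.example/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Subject><saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2020-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same document with the IdP fix applied: InResponseTo on both elements.
RESPONSE_OK = RESPONSE_MISSING.replace('ID="_r1"', 'ID="_r1" InResponseTo="_req42"') \
    .replace('<saml:SubjectConfirmationData ',
             '<saml:SubjectConfirmationData InResponseTo="_req42" ')


if __name__ == "__main__":
    pending = {"_req42"}  # AuthnRequest IDs the SP is still waiting on
    for name, doc in (("missing", RESPONSE_MISSING), ("fixed", RESPONSE_OK)):
        print(name, check_in_response_to(doc, pending))
```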

Hi there - thanks for the update of hope. Any chance you could elaborate on which is the appropriate config directory, and where the missing tag was? (Was that something needed in the metadata you created to describe opendistro as an SP?)

Ok - I’m back and have a few updates…

First - the docs outline the config directory… AND I got a bit further along on my adventure. I took my saml config straight out of the examples provided - and managed to finally tease the following error out of elasticsearch:

ERR: Seems /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/config.yml is not in Open Distro Security 7 format: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field “enabled”

It turns out that the ‘enabled’ it’s referring to is the one from the example config:

    enabled: true

I got rid of the ‘enabled: true’ and now I’m at the point where I’m getting redirected to my IdP.

One other thing to note: I’m using docker images, and it seems that I have to connect to one of the elastic nodes and run with -dg (which seems to reload all the configs as part of running diagnostics) to get it to actually pay attention to the config file content.