SAML does not work with Okta or Azure AD. PLEASE HELP!

alfonsorbj · August 20, 2020, 11:07am

Hello everyone!!

In previous versions of Open Distro I have managed to set SAML with Okta and Azure Ad, but when setting it for Open Distro 1.9.0 (Docker images) I can’t make it work, getting the error customerror?type=samlConfigError and not being able to see anything relevant in the logs. The same configuration that I use works in version 1.8.0, but when uploading to 1.9.0 it fails.

This is an example of my configuration in Azure AD:

saml_auth_domain:
            http_enabled: true
            transport_enabled: true
            order: 1
            http_authenticator:
              type: saml
              challenge: true
              config:
                idp:
                  metadata_url: https://login.microsoftonline.com/...
                  entity_id: https://sts.windows.net/.../
                sp:
                  entity_id: odfe-saml-2
                kibana_url: <Kibana URL>
                roles_key: Roles
                exchange_key: 'MIIC...'           
            authentication_backend:
              type: noop

Okta sample:

    authc:
      saml_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: https://....okta.com/...
              entity_id: http://www.okta.com/...
            sp:
              entity_id: odfe-saml
            kibana_url: <Kibana URL>
            roles_key: Roles
            exchange_key: MIID...
        authentication_backend:
          type: noop

Please, I need this to work. I appreciate all kinds of help.

Best regards

alfonsorbj · August 24, 2020, 11:07am

Hello team,

Any updates here? Did anyone get SAML working with Okta and Azure AD?

Regards

Anthony · March 3, 2021, 6:12pm

Hi @alfonsorbj Can you share the kibana.yml file? I just set up SAML via okta with 1.9 and everything is working as expected. My kibana entries are:

opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]

If yours look similar it would indicate thats the issue is with the okta/Azure side.

vikasgurlinka · May 27, 2021, 6:36pm

@Anthony @alfonsorbj
I am trying to do Azure AD SAML integration, having the below exception, could you please let me know if the exchange key embedded in the metadata URL or where can I find it in Azure AD ?

java.lang.Exception: Settings for key exchange missing. Please specify at least the option exchange_key with a shared secret.

Anthony · May 28, 2021, 9:54am

@vikasgurlinka can you try the below:

saml_auth_domain:
  http_enabled: true
  transport_enabled: false
  order: 1
  http_authenticator:
    type: saml
    challenge: true
    config:
      idp:
        metadata_url: https://login.microsoftonline....
        entity_id: "https://sts.windows.net...."
      sp:
        entity_id: "Azure_SAML"
      kibana_url: "http://localhost:5601"
      roles_key: "roles"
      exchange_key: '12345678901234567890123456789012'
  authentication_backend:
    type: noop

Topic		Replies	Views
SAML configuration for Open Distro with AzureAD Security troubleshoot , configure	2	1411	July 19, 2022
Unable to perform SAML Security	3	1746	February 27, 2020
Okta/Saml authentication Security	3	1343	July 8, 2021
Unable to get SAML to work after upgrade OpenDistro troubleshoot , configure , upgrade	1	491	February 7, 2023
SAML Authentication not working for Kibana Security	6	3210	May 14, 2021

SAML does not work with Okta or Azure AD. PLEASE HELP!

Related topics