SAML encrypted assertion problem


I’m trying to set up SAML with opendistro but it seems there is a problem with encrypted assertions.

At the moment, I am correctly redirected to my IdP, I enter my credentials, and I’m correctly redirected to Kibana.

But then, I’m getting a “SAML authentication error. The SAML authentication failed. Please contact your administrator.” Error.

Looking into the logs I have this :

[2019-04-26T14:10:02,782][ERROR][c.a.d.a.h.s.AuthTokenProcessorHandler] [elastic] Error while converting SAML to JWT
com.onelogin.saml2.exception.SettingsException: No private key available for decrypt, check settings
at com.onelogin.saml2.authn.SamlResponse.decryptAssertion( ~[java-saml-core-2.3.0.jar:?]
at com.onelogin.saml2.authn.SamlResponse.loadXmlFromBase64( ~[java-saml-core-2.3.0.jar:?]
at [opendistro_security_advanced_modules-]
at [opendistro_security_advanced_modules-]
at$000( [opendistro_security_advanced_modules-]
at$ [opendistro_security_advanced_modules-]
at$ [opendistro_security_advanced_modules-]
at Method) [?:?]

It fails in decryptAssertion, which means that encrypted assertions are detected.
However I do not see any option in opendistro security to enable/disable assertion encryption, and I do not see any key passed to onelogin to decrypt this assertion.

Am I missing something ?

I tried to google it without luck


Ran into this same issue. These changes fixed it for me: SAML Add Support For Encrypted Assertions by jcleezer · Pull Request #29 · opendistro-for-elasticsearch/deprecated-security-advanced-modules · GitHub

Curious if there’s a solution that works with the current security module, as the link jleezer posted above is for a deprecated module. We have ES/Kibana configured for SAML authentication in Okta and sort of blindly managed to get Okta configured to allow us to initiate from either the IdP or SP, but we’d like to know more about what the security plugin is doing to provide the correct SAML response in either case and the encrypted assertion makes this impossible.

New PR: