SAML issue on logout

Hello Community,
I faced an issue with the SAML configuration when certificates are provided for Request signing.
Version: Opendistro 1.12.0
Provider: PingID
These are the configurations:

  entity_id: saml
  forceAuthn: true
  signature_private_key_filepath: '/etc/elasticsearch/certs/elasticsearch.key'

On the Identity Provider side I configured this SLO: https://<kibana_ip>/auth/logout and provided the .pem certificate.
In the kibana.yml file I’ve configured this:

opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/auth/logout"]

But I am receiving this error in the browser when I log out the user:


This is the request of the error:


I hope this information is useful to help me solve the issue.

Hello @Lord_Zetas

Could you share your PingID configuration?
Did you try to use the line below in your IDP instead?


Exact same issue.


  • SIGNING CERTIFICATE: PingOne SSO Certificate for Administrators environment
  • Sign Assertion & Response
  • ENCRYPTION Disabled
  • ENTITY ID: saml
  • SLO BINDING: HTTP Redirect
  • Enforce Signed Authn Request
  • VERIFICATION CERTIFICATE: node-1 (elasticsearch) Valid 03-21 to 03-31

One thing I want to clarify is the fact that the same configuration in OpenDistro 1.10 is working as expected (I was not able to test it in 1.11).

@Lord_Zetas thanks for that info. Have you tried 1.13?
I had a couple of issues with 1.11 and 1.12 in regards to self-signed certs and openid. Maybe SAML got affected too.

Have you got any warnings/errors in Kibana/ES logs?

Pablo, thanks for the help.
I did not try with that version yet.
In Kibana I don’t see warnings or errors, just the action being logged in.
In Elastic I have only this warning:
[2021-04-15T16:45:20,608][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [node-1] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
Thanks in advance!

Hello Pablo,
I am confirming that I ran into the same issue with OpenDistro 1.13:
Do you think I should raise an issue on GitHub?

Hello @Lord_Zetas

I’ve forgotten to ask. Your Kibana URL doesn’t contain a port number (5601). Do you run a proxy in front of Kibana?

Hello Pablo,
No, I have configured port 443 in kibana.yml and I applied this config to the server:
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
So I can access it directly on port 443 over HTTPS.

Hello @Lord_Zetas

I’ve done further testing and got the same results. Logout is working up to 1.11 but starting from 1.12 I’m getting the same error as you.


In my lab I use Keycloak instead of PingID; however, based on the above, this is not an IDP platform issue.

Hi @pablo and @Lord_Zetas ,

I managed to get a workaround for this issue. The problem seems to be that the parameter authInfo.sso_logout_url comes with the SLO URL and it is taken as unauthorized (in my case, with Ping Identity as the IdP, it is in the form <tenant>/saml20/idp/slo).

So I changed the redirect URL that is injected on the location of the response header.

  • Edit the file /usr/share/kibana/plugins/opendistroSecurityKibana/server/auth/types/saml/routes.js
  • Go to the /auth/logout path part of the code.
  • Change the redirectUrl constant assignment

const redirectUrl = authInfo.sso_logout_url || this.coreSetup.http.basePath.serverBasePath || '/';

with, for example:

const redirectUrl = `${this.coreSetup.http.basePath.serverBasePath}/app/kibana`;

  • Restart Kibana.



Dear community,
CC: @Lord_Zetas @pablo

Is there any update on this issue? We are using 1.13.2 and facing the same issue.

dariommr’s issue, "SAML issue on logout (with Signing Request) · Issue #1 · opendistro-for-elasticsearch/security · GitHub", is in the archived state as well.