SAML with Keycloak - Error: failed parsing SAML config

gferrette · June 29, 2021, 5:52pm

Hello,

I’m trying to configure ODFE 1.13.2 to work with Keycloak by SAML, but i’m facing the error below:
Please, am I doing something wrong?

kibana: Error: failed parsing SAML config
kibana: at SecurityClient.getSamlHeader (/usr/share/kibana/plugins/opendistroSecurityKibana/server/backend/opendistro_security_client.ts:176:15)
kibana: at process._tickCallback (internal/process/next_tick.js:68:7)

My config:

saml_auth_domain:
http_enabled: true
transport_enabled: false
order: 1
http_authenticator:
type: saml
challenge: true
config:
idp:
metadata_url: “https://URL/protocol/saml/descriptor”
entity_id: “https://URL/auth/realms/dummy-auth”
sp:
entity_id: kibana.amb.hm.tst
kibana_url: “https://kibana.amb.hm.tst/”
roles_key: Role
exchange_key: ‘dummykey’
authentication_backend:
type: noop

pablo · June 30, 2021, 9:02am

Hello @gferrette

Could you share Kibana and Keycloack SAML config?

gferrette · June 30, 2021, 11:24am

Hello @pablo !

Thanks for replying, follow below kibana config:

Just a question, we are using kibana without https inside the server because we only access kibana behind a reverse proxy, and the reverse proxy is secure with https. Do we need to use kibana with https inside server to work with SAML?

server.port: PORT
server.host: “IP”
elasticsearch.hosts: http://IP:PORT
elasticsearch.ssl.verificationMode: none
elasticsearch.username: username
elasticsearch.password: password
elasticsearch.requestHeadersWhitelist: [“securitytenant”,“Authorization”]

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.enable_private: false
opendistro_security.multitenancy.tenants.enable_global: false
opendistro_security.multitenancy.tenants.preferred: [“Global”, “Private”]
opendistro_security.readonly_mode.roles: [“kibana_read_only”]

opendistro_security.basicauth.header_trumps_session: true

kibana.autocompleteTerminateAfter: 500000

#SAML
opendistro_security.auth.type: “saml”
server.xsrf.whitelist: [“/_opendistro/_security/saml/acs”, “/_opendistro/_security/saml/logout”]

opendistro_security.cookie.secure: false

newsfeed.enabled: false
telemetry.optIn: false
telemetry.enabled: false
security.showInsecureClusterWarning: false

map.includeElasticMapsService: false

pablo · June 30, 2021, 12:05pm

@gferrette

In your config.yml I’ve found that you use metadata_url with keycloak’s HTTPS address. According to documentation, you’ll have to add the following to your config.yml to make it work.

   enable_ssl: true
   verify_hostnames: true
   pemtrustedcas_filepath: "path to keycloak certificate"

Alternatively, you could download the metadata XML file from keycloak

and use metadata_file in config.yml. Then you won’t need to add

   enable_ssl: true
   verify_hostnames: true
   pemtrustedcas_filepath: "path to keycloak certificate"

Please also remember that exchange_key must have at least 32 characters.

Does sp: entity_id correspond with SAML ClientID in Keycloak?

Topic		Replies	Views
Error failed parsing SAML config Security	11	4288	July 12, 2023
Unable to perform SAML Security	3	1642	February 27, 2020
Kibana sso+ keycloak Security	1	550	February 15, 2021
Unable to configure SAML with Jumpcloud and Opendistro Security	10	1525	June 23, 2021
Failing to configure SAML between OpenSearch and Keycloak Security configure	8	1230	February 28, 2023

SAML with Keycloak - Error: failed parsing SAML config

Related Topics