SAML with Keycloak - Error: failed parsing SAML config


I’m trying to configure ODFE 1.13.2 to work with Keycloak by SAML, but i’m facing the error below:
Please, am I doing something wrong?

kibana: Error: failed parsing SAML config
kibana: at SecurityClient.getSamlHeader (/usr/share/kibana/plugins/opendistroSecurityKibana/server/backend/opendistro_security_client.ts:176:15)
kibana: at process._tickCallback (internal/process/next_tick.js:68:7)

My config:

http_enabled: true
transport_enabled: false
order: 1
type: saml
challenge: true
metadata_url: “https://URL/protocol/saml/descriptor
entity_id: “https://URL/auth/realms/dummy-auth
kibana_url: “
roles_key: Role
exchange_key: ‘dummykey’
type: noop

Hello @gferrette

Could you share Kibana and Keycloack SAML config?

Hello @pablo !

Thanks for replying, follow below kibana config:

Just a question, we are using kibana without https inside the server because we only access kibana behind a reverse proxy, and the reverse proxy is secure with https. Do we need to use kibana with https inside server to work with SAML?

server.port: PORT “IP”
elasticsearch.hosts: http://IP:PORT
elasticsearch.ssl.verificationMode: none
elasticsearch.username: username
elasticsearch.password: password
elasticsearch.requestHeadersWhitelist: [“securitytenant”,“Authorization”]

opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.enable_private: false
opendistro_security.multitenancy.tenants.enable_global: false
opendistro_security.multitenancy.tenants.preferred: [“Global”, “Private”]
opendistro_security.readonly_mode.roles: [“kibana_read_only”]

opendistro_security.basicauth.header_trumps_session: true

kibana.autocompleteTerminateAfter: 500000

opendistro_security.auth.type: “saml”
server.xsrf.whitelist: [“/_opendistro/_security/saml/acs”, “/_opendistro/_security/saml/logout”] false

newsfeed.enabled: false
telemetry.optIn: false
telemetry.enabled: false
security.showInsecureClusterWarning: false

map.includeElasticMapsService: false


In your config.yml I’ve found that you use metadata_url with keycloak’s HTTPS address. According to documentation, you’ll have to add the following to your config.yml to make it work.

   enable_ssl: true
   verify_hostnames: true
   pemtrustedcas_filepath: "path to keycloak certificate"

Alternatively, you could download the metadata XML file from keycloak


and use metadata_file in config.yml. Then you won’t need to add

   enable_ssl: true
   verify_hostnames: true
   pemtrustedcas_filepath: "path to keycloak certificate"

Please also remember that exchange_key must have at least 32 characters.

Does sp: entity_id correspond with SAML ClientID in Keycloak?