Unable to perform SAML

Security
1

Hi Team,

I followed articles: https://opendistro.github.io/for-elasticsearch-docs/docs/security-configuration/saml/ and Add Single Sign-On (SSO) to Open Distro for Elasticsearch Kibana using SAML and Okta | AWS Open Source Blog.

I am currently getting the following error:

SAML configuration error. Something went wrong while retrieving the SAML configuration, please check your settings.

In Elasticsearch logs (after enabling debug i see following)

[2019-11-07T02:28:32,174][WARN ][c.a.o.s.a.BackendRegistry] [odfe-node1] Authentication finally failed for null from 172.18.0.2:47336

If i look at Chrome Dev Tools. the SAML assertion is never made nor do we see entries to our IDP.

My config.yml looks like:

authc: 
  basic_internal_auth_domain: 
    http_authenticator: 
      authentication_backend: 
        saml_auth_domain: 
          http_authenticator: 
            challenge: true
            config: 
              idp: 
                entity_id: "http://www.okta.com/<<HIDDEN>>"
                metadata_url: "https://mydomain.okta.com/app/<<HIDDEN>>/sso/saml/metadata"
                sp: 
                  authentication_backend: 
                    type: noop
                  entity_id: kibana-saml
                  kibana_url: "https://<<HIDDEN>>"
                  roles_key: Role
            type: saml
          http_enabled: true
          order: 1
          transport_enabled: false
        type: intern
      challenge: false
      type: basic
    http_enabled: true
    order: 0
    transport_enabled: true

My Kibana.yml has added:

opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]

I tried reapply settings and no issues reported:
./securityadmin.sh -cd ../securityconfig/ -icl -nhnv -cacert ../../../config/root-ca.pem -cert ../../../config/kirk.pem -key ../../../config/kirk-key.pem

Response from command is:

Open Distro Security Admin v7
Will connect to localhost:9300 ā€¦ done
Connected as CN=kirk,OU=client,O=client,L=test,C=de
Elasticsearch Version: 7.2.0
Open Distro Security Version: 1.2.0.0
Contacting elasticsearch cluster ā€˜elasticsearchā€™ and wait for YELLOW clusterstate ā€¦
Clustername: odfe-cluster
Clusterstate: GREEN
Number of nodes: 2
Number of data nodes: 2
.opendistro_security index already exists, so we do not need to create one.
Populate config from /usr/share/elasticsearch/plugins/opendistro_security/securityconfig
Will update ā€˜_doc/configā€™ with ā€¦/securityconfig/config.yml
SUCC: Configuration for ā€˜configā€™ created or updated
Will update ā€˜_doc/rolesā€™ with ā€¦/securityconfig/roles.yml
SUCC: Configuration for ā€˜rolesā€™ created or updated
Will update ā€˜_doc/rolesmappingā€™ with ā€¦/securityconfig/roles_mapping.yml
SUCC: Configuration for ā€˜rolesmappingā€™ created or updated
Will update ā€˜_doc/internalusersā€™ with ā€¦/securityconfig/internal_users.yml
SUCC: Configuration for ā€˜internalusersā€™ created or updated
Will update ā€˜_doc/actiongroupsā€™ with ā€¦/securityconfig/action_groups.yml
SUCC: Configuration for ā€˜actiongroupsā€™ created or updated
Will update ā€˜_doc/tenantsā€™ with ā€¦/securityconfig/tenants.yml
SUCC: Configuration for ā€˜tenantsā€™ created or updated
Done with success

Any assistance on troubleshooting would be appreciated.

2

The blogs posts, while helpful, are formatted badly. After a lot of playing, I figured out that it needs to be:

  saml_auth_domain:
     http_enabled: true
     transport_enabled: false
     order: 1
     http_authenticator:
       type: saml
       challenge: true
       config:
         idp:
           metadata_file: saml.xml
           entity_id: (entity_url)
         sp:
           entity_id: (entity-id)
         kibana_url: (kibana_url)
         roles_key: roles
         exchange_key: 'somestringthatyouprovide'

I wish whoever was running the blog would proofread. :frowning:

1 Like
3

That did the trick. Thanks.

4

What was the solution here?