ADFS SAML Authentication in Elastic Stack

Hi there,

I've tested Kibana/Elasticsearch 6.2.4 SAML authentication with MS ADFS and noticed a strange behaviour.

The elasticsearch.yml file contains the following config:
xpack.security.authc.realms.saml1:
  type: saml
  order: 1
  # IdP metadata is fetched from the ADFS federation metadata endpoint
  idp.metadata.path: https://adfs.fqdn.com/federationmetadata/2007-06/federationmetadata.xml
  idp.entity_id: "fqdn.com - This website is for sale! - fqdn Resources and Information."
  sp.entity_id: "https://kibana.fqdn.com/"
  sp.acs: "https://kibana.fqdn.com:443/api/security/v1/saml"
  sp.logout: "https://kibana.fqdn.com/logout"
  # principal is taken from the UPN claim; no nameid_format is set in this version of the config
  attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"

If ADFS is configured to just send the UPN from AD by using "Send LDAP Attributes as Claims", ADFS shows the following message in its log:

The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: https://kibana.fqdn.com/
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
SPNameQualifier:
Exception details:
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .

The Elasticsearch log shows:

[WARN ][o.e.x.s.a.AuthenticationService] [hostname] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML Response is not a 'success' response: Code=urn:oasis:names:tc:SAML:2.0:status:Requester Message=null Detail=null])

If I also configure custom transformation rules to provide a nameid attribute, as described in the following article, the login works correctly: Name Identifiers in SAML assertions | Microsoft Learn

Could it be that the SAML plugin always requests the urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier attribute, whether it is used within Elasticsearch or not? If so, it would be great if this could be fixed, because ADFS would be much easier to configure if the attribute weren't requested.

Best regards

Elasticsearch's SAML implementation always includes a NameIDPolicy in the AuthnRequest, although the format of that NameID is configurable.
We should provide a mechanism to disable the NameID policy entirely, but current versions do not offer that.

Thanks a lot TimV. Defining the nameid_format is the solution. For everyone who is interested, here is my working ADFS elasticsearch.yml config:

#SAML Config
# the token service must be enabled for Kibana SAML logins
xpack.security.authc.token.enabled: true
# native realm first so local/built-in users keep working
xpack.security.authc.realms.native1:
  type: native
  order: 0
xpack.security.authc.realms.saml1:
  type: saml
  order: 1
  idp.metadata.path: https://adfs.fqdn.com/federationmetadata/2007-06/federationmetadata.xml
  idp.entity_id: "fqdn.com - This website is for sale! - fqdn Resources and Information."
  sp.entity_id: "https://kibana.fqdn.com/"
  sp.acs: "https://kibana.fqdn.com/api/security/v1/saml"
  sp.logout: "https://kibana.fqdn.com/logout"
  # "nameid" is the special value meaning "use the NameID of the subject"
  attributes.principal: "nameid"
  # AD group names arrive in the role claim and are used for role mapping
  attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
  # ask ADFS for an unspecified NameID instead of the default transient one
  nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

Within ADFS you only need to configure "Send LDAP Attributes as Claims" with a UPN or whatever you want as identifier. I also send the LDAP attribute "Token-Groups - Unqualified Names" as role claim to map my AD groups within ES.

Best regards.

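To make the two halves of this thread concrete, here is an added diagnostic script (example code written for this page, not Elastic or Microsoft code). It covers TimV's point that the realm's AuthnRequest always carries a NameIDPolicy whose Format follows nameid_format, and the working config above, where the principal is taken from the NameID. It builds a minimal AuthnRequest for a given nameid_format, models the MSIS7070 check as a simplified rule inferred from the ADFS log line (an assumption, not ADFS source), and decodes a base64 SAMLResponse the way the realm would to report the StatusCode, the NameID and its Format, and the claims. The two responses are constructed samples; IDP_ENTITY_ID, the request/assertion IDs, the user jdoe@fqdn.com and the group es-admins are placeholders. Only the Python standard library is used, so it runs offline.

```python
import base64
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}

TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
UPN_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
IDP_ENTITY_ID = "https://idp.example.test/placeholder-entity-id"  # assumed placeholder


def build_authn_request(sp_entity_id, acs, nameid_format, request_id="_req-example-1"):
    """Minimal AuthnRequest in the shape an SP realm sends: the NameIDPolicy
    element is always present, only its Format varies with nameid_format.
    Signature and a fresh IssueInstant are omitted; IDs are placeholders."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="2018-05-01T00:00:00Z" '
        f'AssertionConsumerServiceURL="{acs}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{nameid_format}" AllowCreate="false"/>'
        "</samlp:AuthnRequest>"
    )


def requested_nameid_format(authn_request_xml):
    """Return the Format demanded by the request's NameIDPolicy (None if absent)."""
    policy = ET.fromstring(authn_request_xml).find("samlp:NameIDPolicy", NS)
    return None if policy is None else policy.get("Format")


def nameid_policy_satisfied(requested_format, issued_format):
    """Simplified model of the IdP-side check behind MSIS7070 (an assumption
    drawn from the log line in the thread, not ADFS source): no policy or an
    'unspecified' policy accepts any token, otherwise the issued NameID Format
    must equal the requested one. A token with no NameID has issued_format None."""
    if requested_format in (None, UNSPECIFIED):
        return True
    return issued_format == requested_format


def inspect_saml_response(saml_response_b64):
    """Decode the SAMLResponse form field and pull out what the realm acts on:
    the top-level StatusCode, the NameID with its Format, and the claims."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    found = {"status": status.get("Value") if status is not None else None,
             "nameid": None, "nameid_format": None, "attributes": {}}
    nameid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is not None:
        found["nameid"] = (nameid.text or "").strip()
        found["nameid_format"] = nameid.get("Format")
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        found["attributes"][attr.get("Name")] = values
    return found


def resolve_principal(found, principal_attribute):
    """Apply the attributes.principal rule: the special value 'nameid' selects
    the subject NameID, any other value is looked up as a claim name."""
    if found["status"] != STATUS_SUCCESS:
        return None  # a non-Success StatusCode is rejected before attribute mapping
    if principal_attribute == "nameid":
        return found["nameid"] or None
    values = found["attributes"].get(principal_attribute, [])
    return values[0] if values else None


def _encode_response(body):
    """Wrap constructed Response content the way it travels in the ACS POST."""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_resp-1" '
           f'Version="2.0" IssueInstant="2018-05-01T00:00:00Z">{body}</samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


# Constructed sample: the Requester status the realm logged when ADFS refused the policy
FAILED_RESPONSE = _encode_response(
    f'<samlp:Status><samlp:StatusCode Value="{STATUS_REQUESTER}"/></samlp:Status>')

# Constructed sample: UPN issued as an unspecified-format NameID plus UPN and role claims
SUCCESS_RESPONSE = _encode_response(
    f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
    '<saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2018-05-01T00:00:00Z">'
    f"<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>"
    f'<saml:Subject><saml:NameID Format="{UNSPECIFIED}">jdoe@fqdn.com</saml:NameID></saml:Subject>'
    "<saml:AttributeStatement>"
    f'<saml:Attribute Name="{UPN_CLAIM}"><saml:AttributeValue>jdoe@fqdn.com</saml:AttributeValue></saml:Attribute>'
    f'<saml:Attribute Name="{ROLE_CLAIM}"><saml:AttributeValue>es-admins</saml:AttributeValue></saml:Attribute>'
    "</saml:AttributeStatement></saml:Assertion>")


if __name__ == "__main__":
    req = build_authn_request("https://kibana.fqdn.com/",
                              "https://kibana.fqdn.com/api/security/v1/saml", TRANSIENT)
    fmt = requested_nameid_format(req)
    print("requested:", fmt, "| satisfied by a token without NameID:", nameid_policy_satisfied(fmt, None))
    for label, resp in (("failed", FAILED_RESPONSE), ("success", SUCCESS_RESPONSE)):
        found = inspect_saml_response(resp)
        print(label, found["status"], "| principal via nameid:", resolve_principal(found, "nameid"))
```

To use it against a real login, paste the SAMLResponse value from the browser's POST to /api/security/v1/saml into inspect_saml_response; a Requester StatusCode with no Assertion is the shape behind the "SAML Response is not a 'success' response" warning, while a Success response with an empty NameID and attributes.principal set to nameid fails later, at principal mapping.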

I'm glad that worked for you, and thanks for the followup - I'm sure your example config will be very helpful to others.
