I've tested Kibana /ElasticSearch 6.2.4 SAML Authentication with MS ADFS and noticed a strange behavoir.
The elasticsearch.yml file contains the following config:
If ADFS is configured to just send UPN from AD by using "Send LDAP Attributes as Claims" ADFS show up the follwing message in log:
The SAML authentication request had a NameID Policy that could not be satisfied.
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: False Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: . Actual NameID properties: Format: , NameQualifier: SPNameQualifier: , SPProvidedId: .
The ElasticSearch-Log shows up:
[WARN ][o.e.x.s.a.AuthenticationService] [hostname] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML Response is not a 'success' response: Code=urn:oasis:names:tc:SAML:2.0:status:Requester Message=null Detail=null])
If I also configure custom tranformation rules to also provide an nameid attribute described in the follwing article the login works correctly: https://blogs.msdn.microsoft.com/card/2010/02/17/name-identifiers-in-saml-assertions/
Could it be, that the SAML-Plugin always requests the urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier attribute whether it is used within elasticsearch or not? If so it would be great if this could be fixed because ADFS would be much easier to configure if the attribute wouldn't be requested.