Authentication SAML - Authentication to realm saml1 failed - SAML Attribute [nameid:persistent] not found in saml attributes

Hi,
I'm trying to authenticate to Kibana using an IDP and SAML.

The version of Elasticsearch used is 7.2.0.

Starting from an application I try to authenticate myself on Kibana. The problem is that I haven't found much documentation and I currently receive the error .....

this is a section of saml on my elasticsearch.yml:

```yaml
xpack.security.authc.token.enabled: true

xpack.security.authc.realms:
  saml:
    saml1:
      order: 2
      idp.metadata.path: saml/b-idp-metadata.xml
      idp.entity_id: "https://xxx/idp"
      sp.entity_id: "https://yyy:5601/sp/"
      sp.acs: "https://yyy:5601/api/security/v1/saml"
      attributes.principal: "nameid:persistent"
      nameid_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
```

this is a section of saml on my kibana.yml:

```yaml
xpack.security.authProviders: [saml]
xpack.security.sessionTimeout: 1
server.xsrf.whitelist: [/api/security/v1/saml]
```

this is a section of attributes on the identity provider:

```csharp
ClaimsIdentity ci = new ClaimsIdentity();
ci.AddClaim(new Claim(ClaimTypes.NameIdentifier, subject)); // Subject -> NameID
ci.AddClaim(new Claim("principal", "nameid:persistent", ClaimValueTypes.String)); // AttributeStatement -> Attribute

response.NameId = new Saml2NameIdentifier(
    ci.Claims.Where(c => c.Type == ClaimTypes.NameIdentifier).Select(c => c.Value).Single(),
    NameIdentifierFormats.Transient);
response.ClaimsIdentity = ci;
```

this is the mapping that I configured:

```json
PUT /_security/role_mapping/saml-kibana
{
  "roles": [ "myrole" ],
  "enabled": true,
  "rules": {
    "all": [
      { "field": { "realm.name": "saml1" } }
    ]
  }
}
```

this is the message that I receive:

```
statusCode 401
error "Unauthorized"
message "[security_exception] unable to authenticate user [] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0="Bearer realm=\"security\"" & 1="ApiKey" & 2="Basic realm=\"security\" charset=\"UTF-8\"" } } }"
```

Can anyone help me?

thanks,
Giorgio

Please take some time to properly format your post using the </> button or ``` , as this will largely improve the chances that someone will read through the post and try to assist you. You can use the preview panel on the right to ensure that it looks right.

Hi there, have you found:

?

Does your cluster work fine without SAML, i.e. could you authenticate using one of the built-in users?

```yaml
attributes.principal: "nameid:persistent"
nameid_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
```

This looks wrong. nameid_format configures Elasticsearch to request a specific NameID Format from the IdP in the SAML Authentication requests, while attributes.principal configures Elasticsearch to try and map the NameID with the specific format to the principal user property of the Elasticsearch user. You have requested Elasticsearch to ask for a NameID with "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" format, but expect to receive a NameID with "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" in response - this will probably not work.
This looks like something that would cause the error message you share in the topic of your post, but you don't mention it anywhere in the post, nor do you provide the logs/error message that includes it.

Where do you get this error? What actions do you perform in order to get this error? How did you try to start the Can you please share the logs from elasticsearch and/or the logs from Kibana?

Btw,

```yaml
xpack.security.sessionTimeout: 1
```

this is most probably wrong. xpack.security.sessionTimeout is to be set in milliseconds so you probably do not want to set it to 1ms as all your kibana sessions will expire every 1ms.
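The mismatch described in this reply (the realm asks the IdP for one NameID format but maps the principal from another, while the IdP code in the question actually emits a transient NameID) is easy to check offline. The following script is an added example, not code from the thread or from Elastic: it parses a constructed SAML assertion, lists the names Elasticsearch could map from it, and lints the posted realm and Kibana settings. It assumes the documented naming convention where `nameid` means the NameID in any format and `nameid:<format>` means the NameID only when its Format URN ends in that segment; the `check_*` functions and the sample assertion are hypothetical.

```python
"""Added example (not from the thread or from Elastic): check whether the NameID
an IdP actually returns can satisfy an Elasticsearch SAML realm configuration."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"

# Constructed sample assertion. It mirrors the IdP code in the question: a
# transient NameID plus an ordinary attribute named "principal".
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_ex1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc123</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="principal">
      <saml:AttributeValue>nameid:persistent</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Realm settings as posted in the question.
THREAD_REALM = {
    "attributes.principal": "nameid:persistent",
    "nameid_format": UNSPECIFIED,
}


def saml_attributes(assertion_xml):
    """Return the names Elasticsearch could map from this assertion.

    Assumption: the realm's attributes.* settings address the NameID as "nameid"
    (any format) or "nameid:<last URN segment>" (that format only); every other
    attribute is addressed by its Name.
    """
    root = ET.fromstring(assertion_xml)
    available = {}
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is not None:
        fmt = nameid.get("Format", UNSPECIFIED)
        available["nameid"] = nameid.text
        available["nameid:" + fmt.rsplit(":", 1)[-1]] = nameid.text
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        available[attr.get("Name")] = values
    return available


def check_realm(realm, available):
    """Return findings for the realm settings against what the IdP sent."""
    findings = []
    principal = realm.get("attributes.principal", "")
    requested = realm.get("nameid_format")
    # nameid_format is what we ask for; attributes.principal is what we expect back.
    if principal.startswith("nameid:") and requested:
        wanted = principal.split(":", 1)[1]
        asked = requested.rsplit(":", 1)[-1]
        if asked != wanted:
            findings.append(
                f"attributes.principal expects a {wanted} NameID, "
                f"but nameid_format asks the IdP for {asked}"
            )
    if principal not in available:
        findings.append(
            f"SAML Attribute [{principal}] not found in saml attributes "
            f"{sorted(available)}"
        )
    return findings


def check_kibana(kibana):
    """Flag a session timeout that is far too short once read as milliseconds."""
    timeout_ms = kibana.get("xpack.security.sessionTimeout")
    if timeout_ms is not None and timeout_ms < 60_000:
        return [
            f"xpack.security.sessionTimeout={timeout_ms} is in milliseconds; "
            "sessions would expire almost immediately"
        ]
    return []


if __name__ == "__main__":
    got = saml_attributes(SAMPLE_ASSERTION)
    for line in check_realm(THREAD_REALM, got) + check_kibana({"xpack.security.sessionTimeout": 1}):
        print("finding:", line)
    # Mapping the NameID regardless of format clears both realm findings.
    print("fixed:", check_realm({"attributes.principal": "nameid"}, got))
```

Run against the posted settings it reports the format mismatch, the same "not found in saml attributes" condition as the topic title, and the 1 ms session timeout; replacing `attributes.principal` with plain `nameid` (or making the IdP's NameID format, `nameid_format` and `attributes.principal` agree) produces no findings.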

Hi ikakavas, thanks to your precious suggestions, authentication is now successful and I can see the page with the spaces. But when I try to access a space, I see that the URL becomes https://xxxx/logout?next=%2F%23%3F_g%3D()&msg=**SESSION_EXPIRED** and at that point I return to the spaces selection page again. This is the log:

```json
{"type":"log","@timestamp":"2019-08-08T14:02:18Z","tags":["debug","legacy-proxy"],"pid":29087,"message":"Event is being forwarded: connection"}
{"type":"log","@timestamp":"2019-08-08T14:02:18Z","tags":["debug","legacy-service"],"pid":29087,"message":"Request will be handled by proxy POST:/api/spaces/v1/space/myspace/select."}
{"type":"error","@timestamp":"2019-08-08T14:02:18Z","tags":["debug","security","auth","session"],"pid":29087,"level":"error","error":{"message":"Unauthorized","name":"Error","stack":"Error: Unauthorized\n at validate (/home/elasticsearch/kibana-7.0.0-linux-x86_64/node_modules/hapi-auth-cookie/lib/index.js:173:36)"},"message":"Unauthorized"}
{"type":"log","@timestamp":"2019-08-08T14:02:18Z","tags":["debug","security","saml"],"pid":29087,"message":"Trying to authenticate user request to /api/spaces/v1/space/myspace/select."}
{"type":"log","@timestamp":"2019-08-08T14:02:18Z","tags":["debug","security","saml"],"pid":29087,"message":"Trying to authenticate via header."}
{"type":"log","@timestamp":"2019-08-08T14:02:18Z","tags":["debug","security","saml"],"pid":29087,"message":"Authorization header is not presented."}
{"type":"log","@timestamp":"2019-08-08T14:02:18Z","tags":["debug","security","saml"],"pid":29087,"message":"Trying to authenticate via SAML response payload."}
{"type":"log","@timestamp":"2019-08-08T14:02:18Z","tags":["debug","security","saml"],"pid":29087,"message":"SAML response payload is not found."}
{"type":"log","@timestamp":"2019-08-08T14:02:18Z","tags":["debug","security","saml"],"pid":29087,"message":"Trying to initiate SAML handshake."}
{"type":"log","@timestamp":"2019-08-08T14:02:18Z","tags":["debug","security","saml"],"pid":29087,"message":"SAML handshake can not be initiated by AJAX requests."}
{"type":"log","@timestamp":"2019-08-08T14:02:18Z","tags":["license","debug","xpack"],"pid":29087,"message":"Calling [data] Elasticsearch _xpack API. Polling frequency: 30001"}
```

I increased the timeout value further and everything seems to work regularly.

Thanks for the support.

G
