Azure active directory integration with elasticsearch

Thanks @ikakavas will check it

I am able to authenticate the user but not the role assigned to it in role_mapping.yml file. Getting following error

{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [sanket07@detaropwmail2com.onmicrosoft.com]"}],"type":"security_exception","reason":"action [cluster:monitor/main] is unauthorized for user [sanket07@detaropwmail2com.onmicrosoft.com]"},"status":403}

AD Domain service : pros*.onmicrosoft.com
Azure AD default : detaropwmail2com.onmicrosoft.com
users:
name: sanket username: sanket07

role_mapping.yml

superuser:
  - "cn=sanket07,dc=prospera,dc=onmicrosoft,dc=com"

elasticsearch.yml

xpack:
  security:
    authc:
      realms:
        active_directory:
          my_ad:
            order: 0
            domain_name: prospera.onmicrosoft.com
            files:
              role_mapping: "/etc/elasticsearch/role_mapping.yml"

I can only imagine that the DN of your user in your AD is not cn=sanket07,dc=prospera,dc=onmicrosoft,dc=com.

You need to figure out what the DN of your user is and use that in the configuration. The easiest way to do this is from within your Active Directory instance, so please try this first.

If you can't figure this out from AD, then you could enable extra logging in elasticsearch and specifically set

org.elasticsearch.xpack.security.authc.support.mapper

and

org.elasticsearch.xpack.security.authc.ldap

to TRACE and look at the Elasticsearch logs, as these will contain the information retrieved for your user from AD ( and the DN among them )

Thanks a ton @ikakavas!!!
Enabled the logs and found out the correct DN
It worked!!:+1:

Hi,
any idea of integrating azure b2c active directory with elasticsearch??

Hi,

I have no idea what this question means. Please add necessary information and details in your questions, this will make it considerably easier for people in these forums to assist you.

  • What is b2c active directory ?
  • What do you mean by "integrating" ?

B2C active directory allows users to login using identity providers like amazon, facebook etc.
I want to authenticate elasticsearch using these accounts and not the predefined users as I did it in active directory

It looks like Azure AD B2C can operate as an OpenID Connect Provider, so it looks like you could Elasticsearch's OpenID Connect authentication realm for this

Now i am able to redirect kibana to login page but getting below error in elasticsearch logs

[Elasticsearch] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML content is in-response-to _a5e013e54993435826399194d0d04aa0b87d685f but expected one of [_08363809bbcab6ae5fd6f32673a3eea7b38bec09] ])

[WARN ][o.e.x.s.a.AuthenticationService] [Elasticsearch] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[Failed to parse SAML message]; nested: SAXParseException[cvc-complex-type.2.4.a: Invalid content was found starting with element 'IsPolicySpecificError'. One of '{"urn:oasis:names:tc:SAML:2.0:protocol":StatusDetail}' is expected.];)

After enabling trace logs

What should be the reply URL set to for the elasticsearch application in azure?

current reply urls:

You should share a larger part of the logs, preferably one that contains the message the Azure AD is sending , but this doesn't look like a SAML Response

I have no idea what reply URL is in the context of the "elasticsearch application in Azure" so I can't help with that. If you want to share more details and information we might get to the bottom of this, but this is not a standard piece of information we have the answer for ready..

This is the log generated when I try to signup , user is registered in active directory but
getting unable to authenticate user error on kibana dashboard

 [2019-11-01T06:33:25,613][TRACE][o.e.x.s.a.s.SamlRealm    ] [Elasticsearch] Constructed SAML Authentication Request: <?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://52.186.177.140:5601/api/security/v1/saml" Destination="https://elasticsso.b2clogin.com/elasticsso.onmicrosoft.com/B2C_1A_signup_signin_SAML/samlp/sso/login" ID="_4a28414ef2a9100cdad84c795543a5a9164534ca" IssueInstant="2019-11-01T06:33:25.595Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
      <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://52.186.177.140:5601/</saml2:Issuer>
      <saml2p:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
    </saml2p:AuthnRequest>

If i try to use exsting credentials then i get invalid username or password and no logs are generated

xpack.security.authc.realms:
   saml:
     saml1:
       order: 0
       idp.metadata.path: "https://elasticsso.b2clogin.com/elasticsso.onmicrosoft.com/B2C_1A_signup_signin_SAML/Samlp/metadata"
       idp.entity_id: "https://elasticsso.b2clogin.com/elasticsso.onmicrosoft.com/B2C_1A_signup_signin_SAML"
       sp.entity_id:  "https://52.186.177.140:5601/"
       sp.acs: "https://52.186.177.140:5601/api/security/v1/saml"
       sp.logout: "https://52.186.177.140:5601/logout"
       attributes.principal: "email:persistent"

I am unable to figure out the significance of attributes.principal attribute and from where to get the value for that attribute?

Hi @ikakavas

Now i am able to authenticate using saml realm but getting 403 forbidden error as roles are not assigned.

How to assign roles as I can't use the api for role mapping as the elastic user won't work now?

Do i need to disable realm, add role mapping and then again enable realm?

https://www.elastic.co/guide/en/elasticsearch/reference/current/saml-kibana.html#saml-kibana-basic

Thank you!!! @ikakavas

Hi,
Now I have implemented saml authentication using Auth0 as IDP. I wanted to ask is there a way to use the saml authenticated users which are store in auth0 to access the elasticsearch API's ??

Beacuse I can only access kibana API's using those users.

No, not really. We support the SAML 2.0 Web Browser Single Sign On profile, which as the name suggests is geared towards browser based access. What's more, in out architecture Elasticsearch+Kibana constitute a SAML Service Provider together so it's not that straightforward to decouple these two.We also don't store any shadow users on ES side.

We have information on how to use SAML for authentication without Kibana, here but this would require that you build and use a custom web application on your side and is targeted for power users that require specifically this kind of functionality.

I would suggest that you look into our API Keys so that your users can authenticate via SAML and then get themselves an API key that they can use for accessing the REST APIs. You'll need to grant your users a role that gives them the manage_own_api_key privilege for them to be able to do that. This approach also might have caveats though as for instance, once they log in via SAML And get an API key, they would be able to bypass SAML authentication from then on and just use the API key to access elasticsearch, which might or might not be ok for your use case

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.