I have gone through the docs from Elasticsearch and implemented SSO, however I'm getting the error below while authenticating with an Azure AD user.
Can you please help me with this?
```json
{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "unable to authenticate user [username] for REST request [/]",
        "header": {
          "WWW-Authenticate": [
            "Bearer realm=\"security\"",
            "ApiKey",
            "Basic realm=\"security\" charset=\"UTF-8\""
          ]
        }
      }
    ],
    "type": "security_exception",
    "reason": "unable to authenticate user [username] for REST request [/]",
    "header": {
      "WWW-Authenticate": [
        "Bearer realm=\"security\"",
        "ApiKey",
        "Basic realm=\"security\" charset=\"UTF-8\""
      ]
    }
  },
  "status": 401
}
```
Please share your configuration with us and give us some more context. When do you get this error? How are you trying to authenticate via SAML? It looks like you're hitting the Elasticsearch REST API directly, but you'd need to use Kibana to authenticate via SAML.
See our configuration guide and an introductory blog post explaining how SAML works with the Elastic Stack. We also have a specific blog post for setting up SAML with Azure AD; have you read these?
Hi @ikakavas
Thank you!
Actually there was a mistake in the Kibana configuration and now I'm able to authenticate with Azure AD. However, I guess there is still something wrong with authorization. I'm getting the error below while accessing the Kibana URL.
```json
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}
```
I can already see a few things that are wrong with your config, but let's get the logs first and see what fails.
```yaml
attributes.principal: "nameid:Persistent"
```
The value of this synthetic attribute name is nameid:persistent, not nameid:Persistent; this is case sensitive. You'd also need to configure Azure AD to release a NameID with persistent format in order for this mapping to work. Please also read the docs on what this mapping means; it's in the configuration guide I shared in my previous post.
```yaml
attributes.groups: "groups"
```
This is almost certainly misconfigured too. There is no "groups" attribute that Azure AD releases. You need to check your Azure AD configuration, see which attributes are released and which one of them carries the group information, and use that in place of "groups" here to be mapped to attributes.groups.
Hi @ikakavas,
Thanks for your inputs.
I have gone through the docs you mentioned and tried updating attributes.principal, however either I'm not able to understand the concept or there is something really confusing.
Still the issue is not resolved.
Attaching debug logs for reference:
```text
[instance-0000000013] path: /_xpack/security/saml/authenticate, params: {} org.elasticsearch.ElasticsearchSecurityException: unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate]
	at org.elasticsearch.xpack.core.security.support.Exceptions.authenticationError(Exceptions.java:18) ~[x-pack-core-6.7.0.jar:6.7.0]
	at org.elasticsearch.xpack.core.security.authc.DefaultAuthenticationFailureHandler.createAuthenticationError(DefaultAuthenticationFailureHandler.java:163) ~[x-pack-core-6.7.0.jar:6.7.0]
	at org.elasticsearch.xpack.core.security.authc.DefaultAuthenticationFailureHandler.failedAuthentication(DefaultAuthenticationFailureHandler.java:97) ~[x-pack-core-6.7.0.jar:6.7.0]
	at org.elasticsearch.xpack.security.authc.AuthenticationService$AuditableTransportRequest.authenticationFailed(AuthenticationService.java:644) ~[x-pack-security-6.7.0.jar:6.7.0]
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.consumeUser(AuthenticationService.java:487) ~[x-pack-security-6.7.0.jar:6.7.0]
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$16(AuthenticationService.java:402) ~[x-pack-security-6.7.0.jar:6.7.0]
	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:61) ~[elasticsearch-6.7.0.jar:6.7.0]
	at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:43) ~[elasticsearch-6.7.0.jar:6.7.0]
	at org.elasticsearch.xpack.core.common.IteratingActionListener.onResponse(IteratingActionListener.java:115) ~[x-pack-core-6.7.0.jar:6.7.0]
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$13(AuthenticationService.java:386) ~[x-pack-security-6.7.0.jar:6.7.0]
	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:61) ~[elasticsearch-6.7.0.jar:6.7.0]
	at org.elasticsearch.xpack.security.authc.saml.SamlRealm.buildUser(SamlRealm.java:424) ~[x-pack-security-6.7.0.jar:6.7.0]
	at org.elasticsearch.xpack.security.authc.saml.SamlRealm.authenticate(SamlRealm.java:406) ~[x-pack-security-6.7.0.jar:6.7.0]
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$15(AuthenticationService.java:363) ~[x-pack-security-6.7.0.jar:6.7.0]
	at org.elasticsearch.xpack.core.common.IteratingActionListener.onResponse(IteratingActionListener.java:117) ~[x-pack-core-6.7.0.jar:6.7.0]
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$15(AuthenticationService.java:396) ~[x-pack-security-6.7.0.jar:6.7.0]
	at org.elasticsearch.xpack.core.common.IteratingActionListener.onResponse(IteratingActionListener.java:117) ~[x-pack-core-6.7.0.jar:6.7.0]
	at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$15(AuthenticationService.java:396) ~[x-pack-security-6.7.0.jar:6.7.0]
```
If you can suggest what changes I need to perform on both ends, it would be really helpful.
The error is still the same, and as I shared with you above in our documentation, the reason is probably further down in the same logs.
I'd suggest you consult your support engineer on this, as there is no easy way to set this up without you taking care of the Azure AD side, and I have very limited experience with it. For example, you need to know what NameID format the Azure AD SAML IdP is sending in its SAML Responses before we can suggest how to configure the Elasticsearch realm to map it to attributes.principal.
Going through support will ensure that you can share logs and information about your Azure AD environment, and we can better assist you in setting this up.
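A way to check, before touching realm settings, what the IdP actually releases and whether a given attributes.principal or attributes.groups value would resolve against it, covering both the case-sensitivity point about nameid:persistent above and the NameID-format question in the last reply. This is an added example, not code from the thread or from Elastic: the SAML Response is a constructed sample modelled on Azure AD's default claims, and the resolution logic is a simplified model of the realm's attribute mapping (NameID synthetic names, then attribute Name or FriendlyName), not the realm's own code.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample, not a capture: the NameID is an email address (not
# persistent) and group membership arrives under a claim URI, not "groups".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-aaaa-bbbb-cccc-000000000001</saml:AttributeValue>
        <saml:AttributeValue>11111111-aaaa-bbbb-cccc-000000000002</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def released_data(response_xml):
    """Return (NameID format, NameID value, {attribute name: [values]}) from a SAML Response."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
        if attr.get("FriendlyName"):  # the realm also accepts the FriendlyName
            attrs[attr.get("FriendlyName")] = values
    return name_id.get("Format"), name_id.text, attrs


def resolve_mapping(mapping, name_id_format, name_id_value, attrs):
    """Values one realm attributes.* setting would see; an empty list means the mapping fails."""
    if mapping == "nameid":             # any NameID format is acceptable
        return [name_id_value]
    if mapping == "nameid:persistent":  # lowercase only, and persistent format required
        return [name_id_value] if name_id_format == PERSISTENT else []
    return attrs.get(mapping, [])       # otherwise an attribute Name or FriendlyName


def check_realm(response_xml, settings):
    """Map each realm setting (e.g. {'principal': 'nameid:persistent'}) to what it resolves to."""
    fmt, value, attrs = released_data(response_xml)
    return {key: resolve_mapping(m, fmt, value, attrs) for key, m in settings.items()}
```

Running check_realm against a Response captured from your own IdP (for example with the browser's SAML tracer) shows which mappings resolve to nothing before the realm reports unauthenticated-saml-user.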