Azure Active directory, SAML authentication

I have gone through the docs from Elasticsearch and implemented SSO; however, I'm getting the error below while authenticating with an Azure AD user.
Can you please help me with this?

{
    "error": {
        "root_cause": [
            {
                "type": "security_exception",
                "reason": "unable to authenticate user [username] for REST request [/]",
                "header": {
                    "WWW-Authenticate": [
                        "Bearer realm=\"security\"",
                        "ApiKey",
                        "Basic realm=\"security\" charset=\"UTF-8\""
                    ]
                }
            }
        ],
        "type": "security_exception",
        "reason": "unable to authenticate user [username] for REST request [/]",
        "header": {
            "WWW-Authenticate": [
                "Bearer realm=\"security\"",
                "ApiKey",
                "Basic realm=\"security\" charset=\"UTF-8\""
            ]
        }
    },
    "status": 401
}

Thanks

Hi there,

Please share your configuration with us and give us some more context. When do you get this error? How are you trying to authenticate via SAML? It looks like you're hitting the Elasticsearch REST API directly, but you'd need to use Kibana to authenticate via SAML.

See our configuration guide and an introductory blog post explaining how SAML works with the Elastic Stack. We also have a specific blog post for setting up SAML with Azure AD. Have you read these?

Hi @ikakavas
Thank you!
Actually, there was a mistake in the Kibana configuration and now I'm able to authenticate with Azure AD. However, I guess there is still something wrong with authorization. I'm getting the error below while accessing the Kibana URL.

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}

Elasticsearch configuration:

xpack:
  security:
    authc:
      realms:
        cloud-saml:
          type: saml
          order: 2
          attributes.principal: "nameid:Persistent"
          attributes.groups: "groups"
          idp.metadata.path: "https://login.microsoftonline.com/...../federationmetadata/2007-06/federationmetadata.xml?appid=...."
          idp.entity_id: "https://sts.windows.net/...../"
          sp.entity_id: "https://KIBANA.....eu-west-1.aws.found.io:9243/"
          sp.acs: "https://KIBANA......eu-west-1.aws.found.io:9243/api/security/v1/saml"
          sp.logout: "https://KIBANA.....eu-west-1.aws.found.io:9243/logout"

Kibana Configuration:

xpack.security.authProviders: [saml, basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.public:
  protocol: https
  hostname: ......eu-west-1.aws.found.io
  port: 9243

Azure AD SAML token attribute:
Name - role
Value - user.assignedroles
Namespace - http://schemas.xmlsoap.org/ws/2005/05/identity/claims

I have added the user in the Azure Enterprise app console.

Can you please advise on this?

Many thanks

Vishal

See point 4 in https://www.elastic.co/guide/en/elastic-stack-overview/6.7/trb-security-saml.html. You'd need to check your Elasticsearch logs to see why this failed.

I can already see a few things that are wrong with your config but let's get the logs first and see what fails.

attributes.principal: "nameid:Persistent"

The value of this synthetic attribute name is nameid:persistent, not nameid:Persistent; it is case-sensitive. You'd also need to configure Azure AD to release a NameID with persistent format in order for this mapping to work. Please also read the docs on what this mapping means; it's in the configuration guide I shared in my previous post.

attributes.groups: "groups"

This is almost certainly misconfigured too. There is no "groups" attribute that Azure AD releases. You need to check your Azure AD configuration, see which attributes are released and which one of them carries the group information, and use that in place of "groups" here to be mapped to attributes.groups.

I see that you use our cloud service. In addition to the links I have shared above, I suggest you read the information in the cloud-specific docs at https://www.elastic.co/guide/en/cloud/current/ec-securing-clusters-SAML.html.
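As an added illustration of the two points above (not code from the thread or from Elastic): the script below parses a decoded SAML Response, reports the NameID format and the attributes the IdP actually released, and resolves an attributes.principal / attributes.groups value the way the realm's synthetic "nameid:persistent" name works (lower-case, persistent format only; anything else is looked up as an attribute Name). The SAML Response is a constructed sample, and matching on Name only is a simplification of what the realm does.

```python
# Added example: inspect a SAML Response and check which Elasticsearch SAML realm
# "attributes.*" settings would resolve against it. The response below is constructed.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample resembling an Azure AD response: a persistent NameID plus a
# "role" claim under the xmlsoap namespace, as in the thread's Azure AD setup.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role">
        <saml:AttributeValue>kibana_admin</saml:AttributeValue>
        <saml:AttributeValue>analyst</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def saml_attributes(xml_text):
    """Return (nameid_format, nameid_value, {attribute Name: [values]})."""
    root = ET.fromstring(xml_text)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format") if nameid is not None else None
    value = nameid.text if nameid is not None else None
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return fmt, value, attrs


def resolve_realm_attribute(setting, xml_text):
    """Resolve an attributes.principal / attributes.groups setting against the response.
    'nameid' matches any NameID, 'nameid:persistent' (lower-case) only a persistent one;
    any other string is looked up as a SAML attribute Name. [] means unresolved."""
    fmt, value, attrs = saml_attributes(xml_text)
    if setting == "nameid":
        return [value] if value else []
    if setting == "nameid:persistent":
        return [value] if fmt == PERSISTENT and value else []
    return attrs.get(setting, [])
```

An empty result for the principal setting is what leaves the realm unable to build a user, which surfaces as the "unable to authenticate user [<unauthenticated-saml-user>]" error quoted in the thread.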

Hi @ikakavas,
Thanks for your inputs.
I have gone through the docs you mentioned and tried updating attributes.principal; however, either I'm not able to understand the concept or there is something really confusing.
The issue is still not resolved.

Attaching debug logs for reference:

[instance-0000000013] path: /_xpack/security/saml/authenticate, params: {} org.elasticsearch.ElasticsearchSecurityException: unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate] at org.elasticsearch.xpack.core.security.support.Exceptions.authenticationError(Exceptions.java:18) ~[x-pack-core-6.7.0.jar:6.7.0] at org.elasticsearch.xpack.core.security.authc.DefaultAuthenticationFailureHandler.createAuthenticationError(DefaultAuthenticationFailureHandler.java:163) ~[x-pack-core-6.7.0.jar:6.7.0] at org.elasticsearch.xpack.core.security.authc.DefaultAuthenticationFailureHandler.failedAuthentication(DefaultAuthenticationFailureHandler.java:97) ~[x-pack-core-6.7.0.jar:6.7.0] at org.elasticsearch.xpack.security.authc.AuthenticationService$AuditableTransportRequest.authenticationFailed(AuthenticationService.java:644) ~[x-pack-security-6.7.0.jar:6.7.0] at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.consumeUser(AuthenticationService.java:487) ~[x-pack-security-6.7.0.jar:6.7.0] at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$16(AuthenticationService.java:402) ~[x-pack-security-6.7.0.jar:6.7.0] at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:61) ~[elasticsearch-6.7.0.jar:6.7.0] at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:43) ~[elasticsearch-6.7.0.jar:6.7.0] at org.elasticsearch.xpack.core.common.IteratingActionListener.onResponse(IteratingActionListener.java:115) ~[x-pack-core-6.7.0.jar:6.7.0] at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$13(AuthenticationService.java:386) ~[x-pack-security-6.7.0.jar:6.7.0] at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:61) ~[elasticsearch-6.7.0.jar:6.7.0] at 
org.elasticsearch.xpack.security.authc.saml.SamlRealm.buildUser(SamlRealm.java:424) ~[x-pack-security-6.7.0.jar:6.7.0] at org.elasticsearch.xpack.security.authc.saml.SamlRealm.authenticate(SamlRealm.java:406) ~[x-pack-security-6.7.0.jar:6.7.0] at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$15(AuthenticationService.java:363) ~[x-pack-security-6.7.0.jar:6.7.0] at org.elasticsearch.xpack.core.common.IteratingActionListener.onResponse(IteratingActionListener.java:117) ~[x-pack-core-6.7.0.jar:6.7.0] at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$15(AuthenticationService.java:396) ~[x-pack-security-6.7.0.jar:6.7.0] at org.elasticsearch.xpack.core.common.IteratingActionListener.onResponse(IteratingActionListener.java:117) ~[x-pack-core-6.7.0.jar:6.7.0] at org.elasticsearch.xpack.security.authc.AuthenticationService$Authenticator.lambda$consumeToken$15(AuthenticationService.java:396) ~[x-pack-security-6.7.0.jar:6.7.0]

If you can suggest what changes I need to perform on both ends, it would be really helpful.

Thanks

The error is still the same, and as I shared with you above in our documentation the reason is probably further down in the same logs.

I'd suggest you consult your support engineer on this, as there is no easy way to set this up without you taking care of the Azure AD side, and I have very limited experience with it. For example, you need to know what NameID format the Azure AD SAML IdP is sending in its SAML Responses before we can suggest how to configure the Elasticsearch realm to map it to attributes.principal.

Going through support will ensure that you can share logs and information about your Azure AD environment, and we can better assist you in setting this up.
