Azure AD SAML auth - 403 - Forbidden

Elastic Stack Elasticsearch
1

Hi, (oh wow, sorry, I obviously don't understand how to use the </> tag..)

Spent a few hours configuring and reading the documentation, and I'm getting very close to completing the setup (I feel).
But I need some help with the final sprint.

This is on a new single Elastic/Kibana cloud deployment.

The error I'm now getting after authenticating to Kibana is:
|statusCode|403|
|---|---|
|error|"Forbidden"|
|message|"Forbidden"|

Elastic config:
xpack:
security:
authc:
realms:
saml:
cloud-saml:
order: 2
attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
idp.metadata.path: "https://login.microsoftonline.com/REMOVED/federationmetadata/2007-06/federationmetadata.xml?appid=REMOVED"
idp.entity_id: "https://sts.windows.net/REMOVED/"
sp.entity_id: "https://REMOVED.eu-west-1.aws.found.io:9243/"
sp.acs: "https://REMOVED.eu-west-1.aws.found.io:9243/api/security/v1/saml"
sp.logout: "https://REMOVED.eu-west-1.aws.found.io:9243/logout"

Kibana config:
xpack.security.authProviders: [saml, basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.public:
protocol: https
hostname: REMOVED.eu-west-1.aws.found.io
port: 9243

Azure Enterprise app config:
Identifier (Entity ID) - https://REMOVED.eu-west-1.aws.found.io:9243/

Reply URL (Assertion Consumer Service URL) - https://REMOVED.eu-west-1.aws.found.io:9243/api/security/v1/saml

Added claim:
http://schemas.microsoft.com/ws/2008/06/identity/claims/role - user.assignedroles

Azure Application Registration Manifest config:
{
"allowedMemberTypes": [
"User"
],
"displayName": "Superuser",
"id": "REMOVED",
"isEnabled": true,
"description": "Superuser with administrator access",
"value": "superuser"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Kibana User",
"displayName": "Kibana User",
"id": "REMOVED",
"isEnabled": true,
"value": "kibana_user"
}

The application validation in Azure succeeds, and I can see the role is included in the SAML response.
But Elastic does not seem to agree, or is misconfigured somewhere.

Any ideas, or obvious issues here?

2

Solved it.
Had ignored the part about role mapping via API.

For reference if this happens to a future person: https://www.elastic.co/guide/en/elastic-stack-overview/current/saml-role-mapping.html

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.