Azure AD SAML auth - 403 - Forbidden

OJA · June 14, 2019, 7:12pm

Hi, (oh wow, sorry, I obviously don't understand how to use the </> tag..)

Spent a few hours configuring and reading the documentation, and I'm getting very close to completing the setup (I feel).
But I need some help with the final sprint.

This is on a new single Elastic/Kibana cloud deployment.

The error I'm now getting after authenticating to Kibana is:
|statusCode|403|
|---|---|
|error|"Forbidden"|
|message|"Forbidden"|

Elastic config:
xpack:
security:
authc:
realms:
saml:
cloud-saml:
order: 2
attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
idp.metadata.path: "https://login.microsoftonline.com/REMOVED/federationmetadata/2007-06/federationmetadata.xml?appid=REMOVED"
idp.entity_id: "https://sts.windows.net/REMOVED/"
sp.entity_id: "https://REMOVED.eu-west-1.aws.found.io:9243/"
sp.acs: "https://REMOVED.eu-west-1.aws.found.io:9243/api/security/v1/saml"
sp.logout: "https://REMOVED.eu-west-1.aws.found.io:9243/logout"

Kibana config:
xpack.security.authProviders: [saml, basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.public:
protocol: https
hostname: REMOVED.eu-west-1.aws.found.io
port: 9243

Azure Enterprise app config:
Identifier (Entity ID) - https://REMOVED.eu-west-1.aws.found.io:9243/

Reply URL (Assertion Consumer Service URL) - https://REMOVED.eu-west-1.aws.found.io:9243/api/security/v1/saml

Added claim:
http://schemas.microsoft.com/ws/2008/06/identity/claims/role - user.assignedroles

Azure Application Registration Manifest config:
{
"allowedMemberTypes": [
"User"
],
"displayName": "Superuser",
"id": "REMOVED",
"isEnabled": true,
"description": "Superuser with administrator access",
"value": "superuser"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Kibana User",
"displayName": "Kibana User",
"id": "REMOVED",
"isEnabled": true,
"value": "kibana_user"
}

The application validation in Azure succeeds, and I can see the role is included in the SAML response.
But Elastic does not seem to agree, or is misconfigured somewhere.

Any ideas, or obvious issues here?

OJA · June 15, 2019, 9:22pm

Solved it.
Had ignored the part about role mapping via API.

For reference if this happens to a future person: https://www.elastic.co/guide/en/elastic-stack-overview/current/saml-role-mapping.html

system · July 13, 2019, 9:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Azure AD Kibana Kibana elastic-stack-security	2	435	December 2, 2019
Forbidden error when connnecting after setting up SAML on Elastic Cloud Elasticsearch elastic-stack-security	9	2327	June 23, 2020
Elasticsearch, SAML configuration, help required Elasticsearch elastic-stack-security	8	1082	March 17, 2020
Unable to enable saml for cloud deployment with Azure Kibana elastic-stack-security	6	329	January 11, 2023
Kibana SAML authentication error Kibana	6	1560	June 27, 2019

Azure AD SAML auth - 403 - Forbidden

Related topics