Azure AD SSO setting behind a proxy not working


I am trying to integrate Azure AD to Elasticsearch cluster behind a proxy. I tried the proxy parameter settings below but could not succeeded. You can find the log behind that post. It say it cannot access to but as we diagnose it is not trying over proxy setting. It is trying directly to Azure IP. If I try to ping that domain it is going over proxy. Elasticsearch is not trying that connectivity over proxy.

How I can force that to use proxy.

tested - not working:

sudo systemctl edit --full elastic-agent.service



tested - notworking :

tested - not working :

elastic+   13870  0.3  1.2 2541748 104148 ?      Ssl  20:24   0:03 /usr/share/elasticsearch/jdk/bin/java -Xms4m -Xmx64m -XX:+UseSerialGC -**Dhttps.proxyPort=3218 -Dhttps.proxyHost=PROXY_IP** -Dcli.script=/usr/share/elasticsearch/bin/elasticsearch -Dcli.libs=lib/tools/server-cli -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/etc/elasticsearch -Des.distribution.type=deb -cp /usr/share/elasticsearch/lib/*:/usr/share/elasticsearch/lib/cli-launcher/* org.elasticsearch.launcher.CliToolLauncher -p /var/run/elasticsearch/ --quiet
23-11-07T20:08:45,218][DEBUG][o.e.x.s.a.s.SamlRealm    ] [AZLPELKSEARCH] Initializing OpenSAML
[2023-11-07T20:08:45,734][TRACE][o.e.x.t.t.s.TransformScheduler] [AZLPELKSEARCH] Processing scheduled tasks started
[2023-11-07T20:08:45,735][TRACE][o.e.x.t.t.s.TransformScheduler] [AZLPELKSEARCH] Looking for scheduled tasks to process finished, took 0ms
[2023-11-07T20:08:46,032][DEBUG][o.e.x.s.a.s.SamlRealm    ] [AZLPELKSEARCH] Initialized OpenSAML
[2023-11-07T20:08:46,036][DEBUG][o.e.x.c.s.SSLService     ] [AZLPELKSEARCH] SSL configuration [] is [SslConfiguration[settingPrefix=, explicitlyConfigured=false, trustConfig=JDK-trusted-certs, keyConfig=empty-key-config, verificationMode=FULL, clientAuth=REQUIRED, ciphers=[TLS_AES_256_GCM_SHA384, TLS_AES_128_GCM_SHA256, TLS_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA], supportedProtocols=[TLSv1.3, TLSv1.2, TLSv1.1]]]
[2023-11-07T20:08:46,107][DEBUG][o.a.h.c.p.RequestAddCookies] [AZLPELKSEARCH] CookieSpec selected: default
[2023-11-07T20:08:46,112][DEBUG][o.a.h.c.p.RequestAuthCache] [AZLPELKSEARCH] Auth cache not set in the context
[2023-11-07T20:08:46,113][DEBUG][o.a.h.i.c.PoolingHttpClientConnectionManager] [AZLPELKSEARCH] Connection request: [route: {s}->][total available: 0; route allocated: 0 of 2; total allocated: 0 of 20]
[2023-11-07T20:08:46,122][DEBUG][o.a.h.i.c.PoolingHttpClientConnectionManager] [AZLPELKSEARCH] Connection leased: [id: 0][route: {s}->][total available: 0; route allocated: 1 of 2; total allocated: 1 of 20]
[2023-11-07T20:08:46,123][DEBUG][o.a.h.i.e.MainClientExec ] [AZLPELKSEARCH] Opening connection {s}->
[2023-11-07T20:08:46,130][DEBUG][o.a.h.i.c.DefaultHttpClientConnectionOperator] [AZLPELKSEARCH] Connecting to
[2023-11-07T20:08:46,130][DEBUG][o.a.h.c.s.SSLConnectionSocketFactory] [AZLPELKSEARCH] Connecting socket to with timeout 0
[2023-11-07T20:08:46,736][TRACE][o.e.x.t.t.s.TransformScheduler] [AZLPELKSEARCH] Processing scheduled tasks started
[2023-11-07T20:08:46,736][TRACE][o.e.x.t.t.s.TransformScheduler] [AZLPELKSEARCH] Looking for scheduled tasks to process finished, took 0ms
[2023-11-07T20:08:47,736][TRACE][o.e.x.t.t.s.TransformScheduler] [AZLPELKSEARCH] Processing scheduled tasks started
[2023-11-07T20:08:47,737][TRACE][o.e.x.t.t.s.TransformScheduler] [AZLPELKSEARCH] Looking for scheduled tasks to process finished, took 0ms
[2023-11-07T20:08:47,999][TRACE][o.e.i.IndexingMemoryController] [AZLPELKSEARCH] total indexing heap bytes used [0b] vs indices.mem

after some tim it is getting timeout and network unreachable errors.

[2023-11-03T13:35:19,218][INFO ][o.a.h.i.e.RetryExec ] [AZLPELKSEARCH] I/O exception ( caught when processing request to {s}-> Network is unreachable
[2023-11-03T13:35:19,218][INFO ][o.a.h.i.e.RetryExec ] [AZLPELKSEARCH] Retrying request to {s}->[](

This would not work as these are the steps for Elastic Agent, not Elasticsearch.

Since you are trying to configure SSO with Azure AD, which is a paid feature, I suggest that you open a ticket with Support, I'm not sure that configuring this behind a proxy is supported.

In this case, it is not supported.

It looks like you're trying to load SAML metadata over https, and we do not have proxy support for that.
Our recommendation in this case is to point the realm to a local file instead and have an external process that downloads the file as needed.

If you raise a ticket with support they can register your interest in having proxy support for this.

1 Like

What do you meen with that? If I use it from local how it will be fixing the access problem to

Thanks for solution.

The problem was proxy and we enabled it, also as you said if we point the federation.xml to a local file it doesn't need to use network.

idp.metadata.path: /local/federation.xml

I created an issue for that. It is not working behind a proxy.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.