Basic Users when SAML Enabled

Hi, I am having issues getting a non-reserved basic user to work with SAML SSO enabled. I have created a logstash_internal user for logstash to use in output.

I am not able to authenticate with this user, or any other I create with the superuser role (for testing, of course).
However, if I set the user to be elastic, logstash works with no issues.

On further testing I then realised I cannot log on to Kibana either using a created basic user, but I can if I use the reserved elastic user.

SSO is working as expected; I can redirect to Azure and back to Kibana once authenticated.

Is this expected behaviour?
Identity provider is Azure AAD SSO

I am using elastic docker containers (https://www.docker.elastic.co/#), v6.7.1

Can you please show us the configuration? My guess is that you enabled the SAML realm in elasticsearch without explicitly also enabling the native realm, which disables the native realm and means that users can log in only via SAML.

We explain this in our docs:

The native realm is available by default when no other realms are configured. If other realm settings have been configured in elasticsearch.yml , you must add the native realm to the realm chain.

The elastic user is a built-in user and as such not affected by the native realm being disabled.

In summary, you need to explicitly enable the native realm in elasticsearch's configuration; details are in the link to the documentation I shared above.

Hope this helps

Hi Ioannis

Yes, you guessed correctly; I only have the SAML realm in my config

xpack.security.authc.realms.saml_aad:
  type: saml
  order: 2
  idp.metadata.path: /usr/share/elasticsearch/config/saml/elasticsearch.xml
  idp.entity_id: "https://sts.windows.net/xxxxxxxxxx/"
  sp.entity_id:  "https://myesdomain.com:5601/"
  sp.acs: "https://myesdomain.com:5601/api/security/v1/saml"
  sp.logout: "https://myesdomain.com:5601/logout"
  attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  attributes.name: "http://schemas.microsoft.com/identity/claims/displayname"
  attributes.mail: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

So, adding the snippet

xpack.security.authc.realms.native1:
  type: native
  order: 0

right above what you have, will solve your issue.
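The realm-chain pitfall described in this thread (configuring a SAML realm in elasticsearch.yml without also declaring a native realm, so that only built-in users and SAML users can authenticate) is easy to catch before restarting the cluster. The following is an added example, not code from the original posts or from Elastic: a small Python check that flattens the realm settings out of an elasticsearch.yml and reports a chain that lacks a native realm. The two configuration samples are constructed for the example (the placeholder entity ids and hostnames mirror the ones in the thread); the YAML subset handled is only the nested mappings and scalar values used for realm settings, which is an assumption of this example.

```python
"""Check an elasticsearch.yml realm chain for a missing native realm.

Added example for this thread; assumes the simple, indentation-based YAML
subset used for xpack.security.authc.realms settings (no lists, no
multi-line scalars, no anchors). Not Elastic's own tooling.
"""
import re
from typing import Dict, List, Tuple

REALM_PREFIX = "xpack.security.authc.realms."

# Constructed sample: the SAML-only configuration from the thread.
BROKEN_YAML = """
xpack.security.authc.realms.saml_aad:
  type: saml
  order: 2
  idp.entity_id: "https://sts.windows.net/xxxxxxxxxx/"
  sp.entity_id: "https://myesdomain.com:5601/"
  sp.acs: "https://myesdomain.com:5601/api/security/v1/saml"
"""

# Constructed sample: same configuration with the native realm added.
FIXED_YAML = """
xpack.security.authc.realms.native1:
  type: native
  order: 0
xpack.security.authc.realms.saml_aad:
  type: saml   # Azure AD as identity provider
  order: 2
  idp.entity_id: "https://sts.windows.net/xxxxxxxxxx/"
  sp.entity_id: "https://myesdomain.com:5601/"
  sp.acs: "https://myesdomain.com:5601/api/security/v1/saml"
"""


def flatten_yaml(text: str) -> Dict[str, str]:
    """Flatten nested mappings into dotted keys, e.g.
    'xpack.security.authc.realms.saml_aad.type' -> 'saml'."""
    flat: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, dotted key prefix)
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        key = key.strip()
        value = value.strip().strip('"').strip("'")
        # Close any mapping that is indented at least as deep as this line.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = (stack[-1][1] + "." if stack else "") + key
        if value:
            flat[path] = value
        else:
            stack.append((indent, path))  # start of a nested mapping
    return flat


def realms(flat: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group realm settings by realm name: {name: {'type': ..., 'order': ...}}."""
    out: Dict[str, Dict[str, str]] = {}
    for key, value in flat.items():
        if key.startswith(REALM_PREFIX):
            name, _, setting = key[len(REALM_PREFIX):].partition(".")
            out.setdefault(name, {})[setting] = value
    return out


def realm_chain_order(text: str) -> List[str]:
    """Realm names in the order Elasticsearch will consult them."""
    chain = realms(flatten_yaml(text))
    return sorted(chain, key=lambda n: int(chain[n].get("order", "2147483647")))


def check_realm_chain(text: str) -> List[str]:
    """Return findings. The key one: realms are configured but none is
    native, so users created in the native realm (such as logstash_internal)
    cannot authenticate; only built-in users like elastic still can."""
    chain = realms(flatten_yaml(text))
    findings: List[str] = []
    if chain and not any(r.get("type") == "native" for r in chain.values()):
        findings.append(
            "realm chain %s has no native realm: native users cannot log in"
            % ", ".join(realm_chain_order(text))
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("SAML only", BROKEN_YAML), ("native + SAML", FIXED_YAML)):
        print(label, "->", check_realm_chain(cfg) or "OK")
```

Run it as a script to see the SAML-only sample flagged and the corrected sample pass; point `flatten_yaml` at the contents of your own elasticsearch.yml to check a real realm chain before restarting nodes.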

Hi Ioannis

That did the trick.

Thanks for the help.
