Basic Users when SAML Enabled

shaunm · May 23, 2019, 12:20pm

Hi I am having issues getting a non reserved basic user to work with SAML SSO enabled. I have created a logstash_internal user for logstash to use in output.

I am not able to authenticate with this user, or any other i create with superuser role, (for testing of course)
However if i set the user to be elastic , logstash works with no issues.

Further testing I then realise i can not log on either to Kibana using a created basic user, but i can if i use the reserved elastic user

SSO is working as expected i can redirect to Azure and back to kibana once authenticated.

Is this expected behaviour?
Identity provider is Azure AAD SSO

shaunm · May 23, 2019, 12:23pm

i am using elastic docker containers (https://www.docker.elastic.co/#) . v6.7.1

ikakavas · May 23, 2019, 9:01pm

Can you please show us the configuration ? My guess is that you enabled the SAML realm in elasticsearch without explicitly also enabling the native realm, which disables the native realm and means that users can login only via SAML.

We explain this in our docs:

The native realm is available by default when no other realms are configured. If other realm settings have been configured in elasticsearch.yml , you must add the native realm to the realm chain.

The elastic user is a built-in user and as such not affected by the native realm being disabled.

In summary, you need to explicitly enable the native realm in elasticsearch's configuration, details are in the link to the documentation I shared above.

Hope this helps

shaunm · May 23, 2019, 9:22pm

Hi Ioannis

Yes you guessed correct, i only have the saml realm in y config

xpack.security.authc.realms.saml_aad:
  type: saml
  order: 2
  idp.metadata.path: /usr/share/elasticsearch/config/saml/elasticsearch.xml
  idp.entity_id: "https://sts.windows.net/xxxxxxxxxx/"
  sp.entity_id:  "https://myesdomain.com:5601/"
  sp.acs: "https://myesdomain.com:5601/api/security/v1/saml"
  sp.logout: "https://myesdomain.com5601/logout"
  attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  attributes.name: "http://schemas.microsoft.com/identity/claims/displayname"
  attributes.mail: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

ikakavas · May 24, 2019, 7:36am

So, adding the snippet

xpack.security.authc.realms.native1:
  type: native
  order: 0

right above what you have, will solve your issue

shaunm · May 28, 2019, 4:48pm

Hi Ioannis

that did the trick

thanks for help

system · June 25, 2019, 4:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Azure Active directory, SAML authentication Elasticsearch elastic-stack-security	6	2538	May 10, 2019
Super user Role not working for SAML users Kibana	5	654	November 22, 2018
SAML configuration - Azure Active Directory Elasticsearch	4	1759	June 20, 2019
Authentication problem after setting up native realm Elasticsearch	3	4785	January 18, 2018
SAML & Kibana Kibana elastic-stack-security	7	329	December 4, 2020

Basic Users when SAML Enabled

Related topics