Cannot find metadata for entity [...] in SAML xml despite it being there

Hello,

We have been trying to implement SAML authentication on our ELK stack. The kibana version is 6.7.

Despite following the SAML configurations guide and double checking values we are encountering the following issue:

The xml has been acquired from an Enterprise Application that is enabled for SAML single-sign on in our Azure environment.

Google doesn't provide many answers.

Any solutions or information would be greatly appreciated.

                ... 6 more
        Caused by: org.elasticsearch.ElasticsearchSecurityException: Cannot find metadata for entity [https://sts.windows.net/2371b655-962f-
                at org.elasticsearch.xpack.security.authc.saml.SamlUtils.samlException(SamlUtils.java:105) ~[?:?]
                at org.elasticsearch.xpack.security.authc.saml.SamlRealm.resolveEntityDescriptor(SamlRealm.java:609) ~[?:?]
                at org.elasticsearch.xpack.security.authc.saml.SamlRealm.lambda$parseFileSystemMetadata$10(SamlRealm.java:601) ~[?:?]
                at org.elasticsearch.xpack.security.authc.saml.SamlRealm.getIdpConfiguration(SamlRealm.java:274) ~[?:?]
                at org.elasticsearch.xpack.security.authc.saml.SamlRealm.create(SamlRealm.java:199) ~[?:?]
                at org.elasticsearch.xpack.security.authc.InternalRealms.lambda$getFactories$5(InternalRealms.java:106) ~[?:?]
                at org.elasticsearch.xpack.security.authc.Realms.initRealms(Realms.java:192) ~[?:?]
                at org.elasticsearch.xpack.security.authc.Realms.<init>(Realms.java:69) ~[?:?]
                at org.elasticsearch.xpack.security.Security.createComponents(Security.java:485) ~[?:?]
                at org.elasticsearch.xpack.security.Security.createComponents(Security.java:414) ~[?:?]
                at org.elasticsearch.node.Node.lambda$new$11(Node.java:472) ~[elasticsearch-6.7.0.jar:6.7.0]
                at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:267) ~[?:1.8.0_212]
                at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1382) ~[?:1.8.0_212]
                at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:482) ~[?:1.8.0_212]
                at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472) ~[?:1.8.0_212]
                at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) ~[?:1.8.0_212]
                at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_212]
                at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) ~[?:1.8.0_212]
                at org.elasticsearch.node.Node.<init>(Node.java:475) ~[elasticsearch-6.7.0.jar:6.7.0]
                at org.elasticsearch.node.Node.<init>(Node.java:266) ~[elasticsearch-6.7.0.jar:6.7.0]
                at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:212) ~[elasticsearch-6.7.0.jar:6.7.0]
                at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:212) ~[elasticsearch-6.7.0.jar:6.7.0]
                at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:333) ~[elasticsearch-6.7.0.jar:6.7.0]
                at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) ~[elasticsearch-6.7.0.jar:6.7.0]

Can you please share your saml realm configuration from elasticsearch.yml and the metadata file?

Also, please take a look at number 3 here: https://www.elastic.co/guide/en/elastic-stack-overview/current/trb-security-saml.html

Finally, this line seems truncated

Caused by: org.elasticsearch.ElasticsearchSecurityException: Cannot find metadata for entity [https://sts.windows.net/2371b655-962f-

Is it like this in your log or was this truncated on copy paste?

The saml-metadata.xml is located in the /etc/elasticsearch, same folder as elasticsearch.yml.
The line is only truncated in the copy/paste; I have obfuscated it here as well as included a "mydomain" alias in place of our actual DNS. We've tried step 3 on the common issues as well, to no avail.

xpack.security.authc.realms.saml1:
  type: saml
  order: 2
  idp.metadata.path: saml-metadata.xml
  idp.entity_id: "https://sts.windows.net/237####################"
  sp.entity_id: "https://mydomain.cloudapp.azure.com:5601"
  sp.acs: "https://mydomain.cloudapp.azure.com:5601/api/security/v1/saml"
  sp.logout: "https://mydomain.westeurope.cloudapp.azure.com:5601/logout"
  attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"

Can you clarify what you have tried? Is there an <EntityDescriptor ... entityID="your value here"> in the metadata of the Identity Provider? Is it exactly the same String as the one you have configured in idp.entity_id:?

Have you tried making this an absolute path i.e.

idp.metadata.path: /etc/elasticsearch/saml-metadata.xml

Also, does the elasticsearch user have necessary permissions to read this file?

We solved the issue.

It turns out there was a trailing "/" in the metadata file for the entityID value that we did not include in our SAML realm config.

So it was not an exact match.

Thanks for the help.
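The exact-match requirement that turned out to be the root cause here, as an added diagnostic example (not part of the original thread and not Elasticsearch code): it parses a constructed Azure-style IdP metadata file, pulls out the EntityDescriptor entityID, and reports whether a configured idp.entity_id matches it exactly, differs only by a trailing slash or letter case, or is absent. The tenant id and locations in the sample are placeholders.

```python
"""Check an Elasticsearch SAML realm's idp.entity_id against the entityID
in the IdP metadata: the comparison is an exact string match, so a
trailing '/' in the metadata alone yields 'Cannot find metadata for entity'."""
import xml.etree.ElementTree as ET
from typing import List

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata modelled on an Azure AD federation document.
# The tenant id (all zeros) and the Location are placeholders, not real values.
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="{MD_NS}"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def metadata_entity_ids(xml_text: str) -> List[str]:
    """Return every entityID declared in the metadata document.

    Azure AD publishes a single <EntityDescriptor>; some federations wrap
    several inside an <EntitiesDescriptor>.  iter() covers both, because
    it visits the root element itself as well as its descendants.
    """
    root = ET.fromstring(xml_text)
    tag = f"{{{MD_NS}}}EntityDescriptor"
    return [d.attrib["entityID"] for d in root.iter(tag) if "entityID" in d.attrib]


def check_entity_id(configured: str, xml_text: str) -> str:
    """Classify the configured idp.entity_id against the metadata.

    'match' is the only outcome Elasticsearch accepts; 'trailing-slash'
    and 'case' name the near-miss so the operator knows what to fix.
    """
    ids = metadata_entity_ids(xml_text)
    if configured in ids:
        return "match"
    if any(configured.rstrip("/") == i.rstrip("/") for i in ids):
        return "trailing-slash"
    if any(configured.lower() == i.lower() for i in ids):
        return "case"
    return "missing"


if __name__ == "__main__":
    # The thread's misconfiguration: the realm config omits the final '/'.
    cfg = "https://sts.windows.net/00000000-0000-0000-0000-000000000000"
    print(check_entity_id(cfg, SAMPLE_METADATA))        # trailing-slash
    print(check_entity_id(cfg + "/", SAMPLE_METADATA))  # match
```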
