Cluster SAML integration

Hello,

I am trying to set up an ECE cluster security with SAML.
This is what I put into the settings_overrides for the data nodes:

xpack.security.authc.token.enabled: true
xpack.security.authc.realms.saml.saml1:
  order: 2
  idp.metadata.path: "https://xxx_metadata.xml"
  idp.entity_id: "https://xxx.com"
  sp.entity_id:  "xxx.com"
  sp.acs: "https://xxx:443/api/security/v1/saml"
  sp.logout: "https://xxx.com/logout"
  attributes.principal: "Principal"
  attributes.groups: "Groups"

And this is what I set for the kibana settings_overrides:

xpack.security.authProviders: [saml, basic]
server.xsrf.whitelist: [/api/security/v1/saml]

Kibana never provisions when I add the aforementioned settings.

The error I see in the logs is this:

ERROR [kibana] elastic/elastic.go:117 error making http request: Get https://xxxx:18674/api/status: dial tcp xxxx:18674: connect: connection refused

I can't find any info about the port 18674...

Also I'm not sure if the elasticsearch configuration goes in the data node or master node.

Thanks.

The ES configuration should go in both (sorry about that, we're working on making the configuration of multi-topology clusters more intuitive).

Per the SAML docs (Secure your clusters with SAML | Elastic Cloud Enterprise Reference [3.6] | Elastic) the Kibana config is missing (e.g.):

xpack.security.public:
  protocol: https
  hostname: d1a45bf330b74c248d7cc2e0ead8e159.192.168.44.10.ip.es.io 
  port: 9243

(seems like your hostname would be xxx.com)

Are those your client logs? I don't recognize that logging format. Seems plausible that it would be explained by the missing xpack.security.public.

Note you might also need the trailing / on this:

sp.entity_id: "KIBANA_ENDPOINT_URL/"
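An added consistency check, written for this page and not code from the thread or from Elastic, that ties together the points in the reply above: the Kibana settings need an xpack.security.public block, the realm's sp.acs must point at Kibana's /api/security/v1/saml endpoint, and sp.entity_id is expected to be KIBANA_ENDPOINT_URL with a trailing slash. The two settings_overrides are modelled as plain dicts keyed the way the YAML in the thread is written (a simplified stand-in, an assumption of this example), and the rule that sp.entity_id, sp.acs and sp.logout are all derived from the public URL by exact string match is this example's own strictness, not a documented requirement.

```python
from urllib.parse import urlsplit

# Path of Kibana's SAML handler, as used in the thread's sp.acs and server.xsrf.whitelist.
ACS_PATH = "/api/security/v1/saml"

# Constructed stand-ins for the two settings_overrides blocks posted in the question
# (dicts instead of YAML; the "xxx" placeholders are copied from the post as-is).
POSTER_ES = {
    "xpack.security.authc.token.enabled": True,
    "xpack.security.authc.realms.saml": {
        "saml1": {
            "order": 2,
            "idp.metadata.path": "https://xxx_metadata.xml",
            "idp.entity_id": "https://xxx.com",
            "sp.entity_id": "xxx.com",
            "sp.acs": "https://xxx:443/api/security/v1/saml",
            "sp.logout": "https://xxx.com/logout",
            "attributes.principal": "Principal",
            "attributes.groups": "Groups",
        }
    },
}
POSTER_KIBANA = {
    "xpack.security.authProviders": ["saml", "basic"],
    "server.xsrf.whitelist": [ACS_PATH],
}


def kibana_public_url(kibana):
    """Build KIBANA_ENDPOINT_URL from xpack.security.public; report which keys are absent."""
    pub = kibana.get("xpack.security.public") or {}
    missing = [k for k in ("protocol", "hostname", "port") if k not in pub]
    if missing:
        return None, missing
    return f"{pub['protocol']}://{pub['hostname']}:{pub['port']}", []


def check_saml_config(es, kibana):
    """Return a list of human-readable findings; an empty list means the pair looks consistent."""
    findings = []
    if es.get("xpack.security.authc.token.enabled") is not True:
        findings.append("xpack.security.authc.token.enabled must be true for SAML")
    realms = es.get("xpack.security.authc.realms.saml") or {}
    if not realms:
        findings.append("no SAML realm defined under xpack.security.authc.realms.saml")
        return findings

    base, missing = kibana_public_url(kibana)
    if missing:
        findings.append("kibana xpack.security.public is missing: " + ", ".join(missing))
    if "saml" not in (kibana.get("xpack.security.authProviders") or []):
        findings.append("kibana xpack.security.authProviders does not include saml")
    if ACS_PATH not in (kibana.get("server.xsrf.whitelist") or []):
        findings.append(f"kibana server.xsrf.whitelist must include {ACS_PATH}")

    for name, realm in realms.items():
        for key in ("idp.metadata.path", "idp.entity_id", "sp.entity_id", "sp.acs", "sp.logout"):
            if not realm.get(key):
                findings.append(f"realm {name}: {key} is not set")
        acs = realm.get("sp.acs", "")
        if urlsplit(acs).path != ACS_PATH:
            findings.append(f"realm {name}: sp.acs path must be {ACS_PATH}")
        entity = realm.get("sp.entity_id", "")
        if entity and not entity.endswith("/"):
            findings.append(f"realm {name}: sp.entity_id should end with '/' (KIBANA_ENDPOINT_URL/)")
        if base:  # cross-check the SP URLs against Kibana's public URL (exact match, by design)
            if acs != base + ACS_PATH:
                findings.append(f"realm {name}: sp.acs {acs!r} != {base + ACS_PATH!r}")
            if entity != base + "/":
                findings.append(f"realm {name}: sp.entity_id {entity!r} != {base + '/'!r}")
            if realm.get("sp.logout", "") != base + "/logout":
                findings.append(f"realm {name}: sp.logout != {base + '/logout'!r}")
    return findings


# Constructed "after" versions: public block added, SP URLs derived from it.
FIXED_KIBANA = {
    **POSTER_KIBANA,
    "xpack.security.public": {"protocol": "https", "hostname": "xxx.com", "port": 443},
}
FIXED_ES = {
    **POSTER_ES,
    "xpack.security.authc.realms.saml": {
        "saml1": {
            **POSTER_ES["xpack.security.authc.realms.saml"]["saml1"],
            "sp.entity_id": "https://xxx.com:443/",
            "sp.acs": "https://xxx.com:443" + ACS_PATH,
            "sp.logout": "https://xxx.com:443/logout",
        }
    },
}

if __name__ == "__main__":
    for label, es, kb in (("as posted", POSTER_ES, POSTER_KIBANA), ("fixed", FIXED_ES, FIXED_KIBANA)):
        print(label, check_saml_config(es, kb) or "OK")
```

Run against the configuration as posted, the check flags the missing xpack.security.public block and the sp.entity_id without a trailing slash; with the public block present it also verifies that sp.acs, sp.entity_id and sp.logout all resolve to the same Kibana endpoint, which is the mismatch that otherwise only shows up as an opaque provisioning failure.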

Thanks @Alex_Piggott, I'm trying that now.

Adding the xpack.security.public seems to have done it, thanks @Alex_Piggott.
