Config validation of [xpack.security].authc.providers

I am trying to setup SSO authentication with Azure AD.

elasticsearch.yml: |
    cluster.name: dev-observability
    network.host: "0.0.0.0"
    bootstrap.memory_lock: false
    discovery.zen.ping.unicast.hosts: es-cluster-discovery.dev-elastic-system.svc.cluster.local
    discovery.zen.minimum_master_nodes: 2
    cluster.initial_master_nodes: es-cluster-0, es-cluster-1, es-cluster-2
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/elastic-certificates.p12 
    xpack.monitoring.enabled: true
    xpack.license.self_generated.type: basic
    xpack.ml.enabled: false
    xpack.watcher.enabled: false

    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/http.p12
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/http.p12
    xpack.security.authc.realms.saml.saml1:
      order: 2
      idp.metadata.path: /usr/share/elasticsearch/config/idp-metadata.xml
      idp.entity_id: xxx
      sp.entity_id: xxx
      sp.acs: xxx
      sp.logout: xxx
      attributes.principal: urn:oid:0.9.2342.19200300.100.1.1
      attributes.groups: urn:oid:1.3.6.1.4.1.5923.1.5.1.

    node:
      master: true
      data: true
      ingest: true
kibana.yml: |
    server.host: "0.0.0.0"
    elasticsearch.ssl.certificateAuthorities: /usr/share/kibana/elasticsearch-ca.pem
    xpack.security.authc.providers:
      saml.saml1:
      order: 0
      realm: saml1

And this is the error that I get from the Kibana logs:

{"type":"log","@timestamp":"2021-08-23T16:20:38Z","tags":["fatal","root"],"pid":7,"message":"{ Error: [config validation of [xpack.security].authc.providers]: expected value of type [array] but got [Object]\n    at ObjectType.call (/usr/share/kibana/node_modules/@kbn/config-schema/target/out/types/type.js:59:19)\n    at ObjectType.ConfigSchema.validate (/usr/share/kibana/x-pack/plugins/security/server/config.js:90:23)\n    at ConfigService.validateAtPath (/usr/share/kibana/src/core/server/config/config_service.js:188:19)\n    at MapSubscriber.getDistinctConfig.pipe.config [as project] (/usr/share/kibana/src/core/server/config/config_service.js:196:81)\n    at MapSubscriber._next (/usr/share/kibana/node_modules/rxjs/internal/operators/map.js:49:35)\n    at MapSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/internal/Subscriber.js:66:18)\n    at DistinctUntilChangedSubscriber._next (/usr/share/kibana/node_modules/rxjs/internal/operators/distinctUntilChanged.js:69:30)\n    at DistinctUntilChangedSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/internal/Subscriber.js:66:18)\n    at MapSubscriber._next (/usr/share/kibana/node_modules/rxjs/internal/operators/map.js:55:26)\n    at MapSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/internal/Subscriber.js:66:18)\n    at ReplaySubject._subscribe (/usr/share/kibana/node_modules/rxjs/internal/ReplaySubject.js:76:28)\n    at ReplaySubject.Observable._trySubscribe (/usr/share/kibana/node_modules/rxjs/internal/Observable.js:44:25)\n    at ReplaySubject.Subject._trySubscribe (/usr/share/kibana/node_modules/rxjs/internal/Subject.js:102:51)\n    at ReplaySubject.Observable.subscribe (/usr/share/kibana/node_modules/rxjs/internal/Observable.js:30:22)\n    at MapSubscriber.shareReplayOperation (/usr/share/kibana/node_modules/rxjs/internal/operators/shareReplay.js:44:32)\n    at Observable.subscribe (/usr/share/kibana/node_modules/rxjs/internal/Observable.js:25:31)\n  cause:\n   { Error: expected value of type [array] but got [Object]\n       at ArrayType.onError (/usr/share/kibana/node_modules/@kbn/config-schema/target/out/types/type.js:84:20)\n       at type.Type.schema.error (/usr/share/kibana/node_modules/@kbn/config-schema/target/out/types/type.js:49:53)\n       at finish (/usr/share/kibana/node_modules/joi/lib/types/any/index.js:529:50)\n       at type._validate (/usr/share/kibana/node_modules/joi/lib/types/any/index.js:557:24)\n       at type._base (/usr/share/kibana/node_modules/joi/lib/types/object/index.js:212:45)\n       at type._validate (/usr/share/kibana/node_modules/joi/lib/types/any/index.js:614:37)\n       at type._base (/usr/share/kibana/node_modules/joi/lib/types/object/index.js:212:45)\n       at type._validate (/usr/share/kibana/node_modules/joi/lib/types/any/index.js:614:37)\n       at type._validateWithOptions (/usr/share/kibana/node_modules/joi/lib/types/any/index.js:674:29)\n       at module.exports.internals.Any.root.validate (/usr/share/kibana/node_modules/joi/lib/index.js:146:23)\n       at ObjectType.call (/usr/share/kibana/node_modules/@kbn/config-schema/target/out/types/type.js:54:72)\n       at ObjectType.ConfigSchema.validate (/usr/share/kibana/x-pack/plugins/security/server/config.js:90:23)\n       at ConfigService.validateAtPath (/usr/share/kibana/src/core/server/config/config_service.js:188:19)\n       at MapSubscriber.getDistinctConfig.pipe.config [as project] (/usr/share/kibana/src/core/server/config/config_service.js:196:81)\n       at MapSubscriber._next (/usr/share/kibana/node_modules/rxjs/internal/operators/map.js:49:35)\n       at MapSubscriber.Subscriber.next (/usr/share/kibana/node_modules/rxjs/internal/Subscriber.js:66:18) cause: undefined, path: [ 'authc', 'providers' ] } }"}

 FATAL  Error: [config validation of [xpack.security].authc.providers]: expected value of type [array] but got [Object]

ES and Kibana version is 7.6.1. Any ideas why this is the case? I've been following this guide: Configuring SAML single-sign-on on the Elastic Stack | Elasticsearch Guide [7.14] | Elastic

Note that if I remove xpack.security.authc.realms.saml.saml1 attributes in elasticearch.yml and xpack.security.authc.providers attributes in kibana.yml, the setup works.

Hi @etrpchevska

Looks like you're looking at the docs for 7.14, but trying to use 7.6. It appears some of the configuration has changed between these two versions. Here are the 7.6 Docs for setting up Kibana to use SAML.

Perhaps the Elasticsearch config changed as well, so here's a link to the ES Docs as well.

Hopefully, following these guides will resolve your issues.

1 Like

Yes, that worked. Thank you for the answer!