Elastic Cloud can't login with AWS SSO

Dear Elastic,
For the past 2 days I've been fighting with Elastic Cloud auth with AWS SSO,
but it doesn't work. I don't know what I am missing in the configuration on Elastic Cloud or AWS SSO.

Could someone help me out?

Regards
Robin

Detailed configuration is below:

Elastic config:

xpack:
  security:
    authc:
      realms:
        cloud-saml: 
          type: saml
          order: 2
          attributes.principal: "nameid:persistent" 
          attributes.groups: "groups" 
          idp.metadata.path: "https://portal.sso.us-east-1.amazonaws.com/saml/metadata/XXXXXXXXXXXXXXXXXXXX" 
          idp.entity_id: "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/XXXXXXXXXXXXXXXXXXXX" 
          sp.entity_id: "https://YYYYYYYYYYYYYYYYY.eu-west-1.aws.found.io:9243"
          sp.acs: "https://YYYYYYYYYYYYYYYYY.eu-west-1.aws.found.io:9243/api/security/v1/saml"
          sp.logout: "https://YYYYYYYYYYYYYYYYY.eu-west-1.aws.found.io:9243/logout"  

Kibana config:

xpack.security.authProviders: [saml,basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.public:
  protocol: https
  hostname: XXXXXXXXXXXXXXXXXXXX.eu-west-1.aws.found.io 
  port: 9243   

Create a role mapping:

POST /_xpack/security/role_mapping/CLOUD_SAML_TO_KIBANAUSER 
{
   "enabled": true,
    "roles": [ "kibana_user" ], 
    "rules": { 
        "field": { "realm.name": "cloud-saml" } 
    },
    "metadata": { "version": 1 }
}


          
POST /_xpack/security/role_mapping/CLOUD_SAML_ELASTICADMIN_TO_SUPERUSER 
{
   "enabled": true,
    "roles": [ "superuser" ], 
    "rules": { "all" : [ 
        { "field": { "realm.name": "cloud-saml" } }, 
        { "field": { "groups": "gu.system" } }
    ]},
    "metadata": { "version": 1 }
}

AWS SSO :

image

Login Test:



Hi there,

Please don't post images of text as they are hard to read, may not display correctly for everyone, and are not searchable. It's fine to post screenshots to further highlight your issues but do add details in text too.

The error message that AWS SSO gives you is

"Request NameID Format doesn't match our record"

This implies that the Elastic Stack sends a SAML Authentication Request with a NameIDPolicy Format that AWS SSO doesn't like. As you can see in our docs:

 nameid_format
    The NameID format that should be requested when asking the IdP to authenticate the current user. Defaults to requesting transient names (urn:oasis:names:tc:SAML:2.0:nameid-format:transient). 

this defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient. Given the fact that you want to use persistent NameIDs, as I can see from the rest of the configuration, and you have configured AWS SSO accordingly too, what you'd need to do is configure the Elastic Stack SAML SP to also request that format. To do so, add

nameid_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

in your cloud-saml configuration in the Elasticsearch config.

Hope this helps
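Added example (not part of the original thread and not Elastic's code): a small pre-flight check that compares the NameID format a realm will request with the formats the IdP metadata advertises, which is the mismatch behind the error quoted above. The realm dict, the function names and the sample metadata are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
PREFIX = "urn:oasis:names:tc:SAML:2.0:nameid-format:"
TRANSIENT = PREFIX + "transient"    # realm default quoted from the docs above
PERSISTENT = PREFIX + "persistent"

# Constructed sample: trimmed IdP metadata with a placeholder entityID.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml/assertion/PLACEHOLDER">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_nameid_formats(metadata_xml):
    """Return the NameIDFormat values the IdP advertises in its metadata."""
    # Only feed this a metadata file from your own IdP; plain ElementTree
    # is not hardened against hostile XML.
    root = ET.fromstring(metadata_xml)
    found = root.findall(".//md:IDPSSODescriptor/md:NameIDFormat", MD_NS)
    return [e.text.strip() for e in found if e.text]


def check_realm(realm, metadata_xml):
    """Compare a realm's NameID settings (hypothetical dict) with the IdP."""
    findings = []
    requested = realm.get("nameid_format", TRANSIENT)
    advertised = idp_nameid_formats(metadata_xml)
    if advertised and requested not in advertised:
        findings.append(f"SP requests {requested}; IdP advertises {advertised}")
    principal = realm.get("attributes.principal", "")
    if principal.startswith("nameid:"):
        # Assumption: the short form names a SAML 2.0 nameid-format URN.
        wanted = PREFIX + principal.split(":", 1)[1]
        if wanted != requested:
            findings.append(f"attributes.principal expects {wanted}; "
                            f"SP requests {requested}")
    return findings


BEFORE = {"attributes.principal": "nameid:persistent"}   # first config posted
AFTER = dict(BEFORE, nameid_format=PERSISTENT)            # with the fix applied

if __name__ == "__main__":
    for name, realm in (("before", BEFORE), ("after", AFTER)):
        print(name, check_realm(realm, SAMPLE_IDP_METADATA) or "consistent")
```
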

Hi @ikakavas,

When I follow your instructions to add that statement in the Elastic configuration, it doesn't work.

xpack:
  security:
    authc:
      realms:
        cloud-saml: 
          type: saml
          order: 2
          nameid_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          attributes.principal: "nameid:persistent" 
          attributes.groups: "groups" 
          idp.metadata.path: "https://portal.sso.us-east-1.amazonaws.com/saml/metadata/MjU5ODM4MjAwNjIxX2lucy0xMzRlYzQ5YjUwOWM0Y2Y3" 
          idp.entity_id: "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/MjU5ODM4MjAwNjIxX2lucy0xMzRlYzQ5YjUwOWM0Y2Y3" 
          sp.entity_id: "https://6a9c147de13c44e5b93df78382758dfe.eu-west-1.aws.found.io:9243"
          sp.acs: "https://6a9c147de13c44e5b93df78382758dfe.eu-west-1.aws.found.io:9243/api/security/v1/saml"
          sp.logout: "https://6a9c147de13c44e5b93df78382758dfe.eu-west-1.aws.found.io:9243/logout"  

After saving changes, I got this error:

AWS SSO IDP config:

<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/MjU5ODM4MjAwNjIxX2lucy0xMzRlYzQ5YjUwOWM0Y2Y3">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDAzCCAeugAwIBAgIBATANBgkqhkiG9w0BAQsFADBFMRYwFAYDVQQDDA1hbWF6b25hd3MuY29tMQ0wCwYDVQQLDARJREFTMQ8wDQYDVQQKDAZBbWF6b24xCzAJBgNVBAYTAlVTMB4XDTE5MDMxODA5MzYxNFoXDTI0MDMxODA5MzYxNFowRTEWMBQGA1UEAwwNYW1hem9uYXdzLmNvbTENMAsGA1UECwwESURBUzEPMA0GA1UECgwGQW1hem9uMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMB0eA5w3yrgSJoMOV5VFrBinuSPX8pHFvhWxXTptrMv35clA0E1LXf5I4rxA/6FHhgdH/sX1C8F9gck7ToAjEdSWzir7XlKH3JcuFcID/FLnYkCqX9YY5oANR4qTD9b8fJ9JIDmrtWOeSgHgvu4Z3DVe+fYlsF5JmkWRQvJGriSMYTLkV6YKbm9zyKShDkMGVF1kQQriHwXkhSDcTr0D3m2tTsPpDlZf7Ir1CsmkBMzC0OD6zvoCpC6rMk5q1FzV0ISBY3g6h/lf9mVrIefmHE8PfHJ8/1KxB01HDxAVkZweumxoqVqqdcZy4ZEWM1ByLxM0lJ63d89NSS4lC6kBGcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAmN1NN/jKoJuTsqrm72pL8mjCuZFZ6vpzg/imUFxtaR+O5UNQuBpxeCitPRBqvZjBKCWaOMb/sfDilk8QsmWmt2wBC0WIxetVPGYetweaA6eVZRoOA8nu9c3hXCOnI399RAyQ6ZvaCb+lyQ8soJx+VOp5XbSoeEfzr7eNKoHTAPYIMEtCrNfhC7QLhouywunqkOTWKI4MqIvq8F4Genw//eypNScATy4eKlTcb5o3A6vp5L5m0ch76d9YM0Py0eoGFdUMf2QK5GtMXWj/NKTutx27q7yV4Z16F0fgYxRHoOTR6/8XPTEyFU3J4zqy4jkNmC8ZoyCFhdCLAIGq/X/bgA==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.us-east-1.amazonaws.com/saml/logout/MjU5ODM4MjAwNjIxX2lucy0xMzRlYzQ5YjUwOWM0Y2Y3"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.sso.us-east-1.amazonaws.com/saml/logout/MjU5ODM4MjAwNjIxX2lucy0xMzRlYzQ5YjUwOWM0Y2Y3"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/MjU5ODM4MjAwNjIxX2lucy0xMzRlYzQ5YjUwOWM0Y2Y3"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/MjU5ODM4MjAwNjIxX2lucy0xMzRlYzQ5YjUwOWM0Y2Y3"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Hi,

Yes, apologies, I should have noted this is Elastic Cloud and as such this is currently not a whitelisted config value. Can you please engage with your support engineer? They will be able to apply this setting for your cluster - feel free to mention this post here, and I will provide them with additional details if needed.

Hi @ikakavas

Yeah, the Kibana SSO login is working after Elastic Cloud helped enable the below option in the Elasticsearch settings.

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

A new issue was found after we enabled Kibana SSO.

We can only see an attribute with subject in the AWS Application SSO settings. I don't know if that's normal. When I logged on to Kibana with my AD account (robin.guo), it's not the username that I logged on with.

Could you please advise which attributes we should have in place between Elastic Cloud and AWS SSO?

The default mappings between AWS SSO and Microsoft AD are as follows:

| User attribute in AWS SSO | Maps to this attribute in your Microsoft AD directory |
|---|---|
| AD_GUID | ${dir:guid} |
| email | ${dir:windowsUpn} |
| familyName | ${dir:lastname} |
| givenName | ${dir:firstname} |
| middleName | ${dir:initials} |
| name | ${dir:displayname} |
| preferredUsername | ${dir:displayname} |
| subject | ${dir:windowsUpn} |

eg.

Attribute mappings

Kibana Login

You have configured AWS SSO to use the literal string "subject" as the value of the SAML NameID and then you have also configured Elasticsearch to map the value of SAML NameID to the principal user attribute in Elasticsearch. Thus, the principal user attribute in Elasticsearch gets the value "subject". This is all expected behavior based on your configuration.

You probably want to change the literal string "subject" in your AWS SSO config to something from the list you have shared above (like the default value ${dir:windowsUpn}) that will get the appropriate value from your AD.
