Elastic Cloud can't login with AWS SSO

Dear Elastic,
Those 2 days I've been fighting with Elastic Cloud auth with AWS SSO,
But It doesn't work, I don't know what am I missing about configuration on Elastic Cloud or AWS SSO.

Could someone help me out?

Regards
Robin

Detailed configuration as below:

Elastic config:

xpack:
  security:
    authc:
      realms:
        cloud-saml: 
          type: saml
          order: 2
          attributes.principal: "nameid:persistent" 
          attributes.groups: "groups" 
          idp.metadata.path: "https://portal.sso.us-east-1.amazonaws.com/saml/metadata/XXXXXXXXXXXXXXXXXXXX" 
          idp.entity_id: "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/XXXXXXXXXXXXXXXXXXXX" 
          sp.entity_id: "https://YYYYYYYYYYYYYYYYY.eu-west-1.aws.found.io:9243"
          sp.acs: "https://YYYYYYYYYYYYYYYYY.eu-west-1.aws.found.io:9243/api/security/v1/saml"
          sp.logout: "https://YYYYYYYYYYYYYYYYY.eu-west-1.aws.found.io:9243/logout"  

Kibana config:

xpack.security.authProviders: [saml,basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.public:
  protocol: https
  hostname: XXXXXXXXXXXXXXXXXXXX.eu-west-1.aws.found.io 
  port: 9243   

Create a role mapping:

POST /_xpack/security/role_mapping/CLOUD_SAML_TO_KIBANAUSER 
{
   "enabled": true,
    "roles": [ "kibana_user" ], 
    "rules": { 
        "field": { "realm.name": "cloud-saml" } 
    },
    "metadata": { "version": 1 }
}


          
POST /_xpack/security/role_mapping/CLOUD_SAML_ELASTICADMIN_TO_SUPERUSER 
{
   "enabled": true,
    "roles": [ "superuser" ], 
    "rules": { "all" : [ 
        { "field": { "realm.name": "cloud-saml" } }, 
        { "field": { "groups": "gu.system" } }
    ]},
    "metadata": { "version": 1 }
}

AWS SSO :

Login Test:



Hi there,

Please don't post images of text as they are hard to read, may not display correctly for everyone, and not searchable. It's fine to post screenshots to further highlight your issues but do add details in text too.

The error message that AWS SSO gives you is

"Request NameID Format doesn't match our record"

This implies that the Elastic Stack sends a SAML Authentication Request with a NameIDPolicy Format that AWS SSO doesn't like. As you can see in our docs :

 nameid_format
    The NameID format that should be requested when asking the IdP to authenticate the current user. Defaults to requesting transient names (urn:oasis:names:tc:SAML:2.0:nameid-format:transient). 

this defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:transient. Given the fact that you want to use persistent NameIDs , as I can see from the rest of the configuration and you have configured AWS SSO accordingly too, what you'd need to do is to configure the Elastic Stack SAML SP to also request that format. To do so , add

nameid_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

in your cloud-saml configuration in the Elasticsearch config.

Hope this helps

Hi @ikakavas,

When I follow your instructions to add that statement in Elastic configuration. It doesn't work.

xpack:
  security:
    authc:
      realms:
        cloud-saml: 
          type: saml
          order: 2
          nameid_format: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          attributes.principal: "nameid:persistent" 
          attributes.groups: "groups" 
          idp.metadata.path: "https://portal.sso.us-east-1.amazonaws.com/saml/metadata/MjU5ODM4MjAwNjIxX2lucy0xMzRlYzQ5YjUwOWM0Y2Y3" 
          idp.entity_id: "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/MjU5ODM4MjAwNjIxX2lucy0xMzRlYzQ5YjUwOWM0Y2Y3" 
          sp.entity_id: "https://6a9c147de13c44e5b93df78382758dfe.eu-west-1.aws.found.io:9243"
          sp.acs: "https://6a9c147de13c44e5b93df78382758dfe.eu-west-1.aws.found.io:9243/api/security/v1/saml"
          sp.logout: "https://6a9c147de13c44e5b93df78382758dfe.eu-west-1.aws.found.io:9243/logout"  

After saving changes, I got this error:

AWS SSO IDP config:

<?xml version="1.0" encoding="UTF-8"?><md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/MjU5ODM4MjAwNjIxX2lucy0xMzRlYzQ5YjUwOWM0Y2Y3">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDAzCCAeugAwIBAgIBATANBgkqhkiG9w0BAQsFADBFMRYwFAYDVQQDDA1hbWF6b25hd3MuY29tMQ0wCwYDVQQLDARJREFTMQ8wDQYDVQQKDAZBbWF6b24xCzAJBgNVBAYTAlVTMB4XDTE5MDMxODA5MzYxNFoXDTI0MDMxODA5MzYxNFowRTEWMBQGA1UEAwwNYW1hem9uYXdzLmNvbTENMAsGA1UECwwESURBUzEPMA0GA1UECgwGQW1hem9uMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMB0eA5w3yrgSJoMOV5VFrBinuSPX8pHFvhWxXTptrMv35clA0E1LXf5I4rxA/6FHhgdH/sX1C8F9gck7ToAjEdSWzir7XlKH3JcuFcID/FLnYkCqX9YY5oANR4qTD9b8fJ9JIDmrtWOeSgHgvu4Z3DVe+fYlsF5JmkWRQvJGriSMYTLkV6YKbm9zyKShDkMGVF1kQQriHwXkhSDcTr0D3m2tTsPpDlZf7Ir1CsmkBMzC0OD6zvoCpC6rMk5q1FzV0ISBY3g6h/lf9mVrIefmHE8PfHJ8/1KxB01HDxAVkZweumxoqVqqdcZy4ZEWM1ByLxM0lJ63d89NSS4lC6kBGcCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAmN1NN/jKoJuTsqrm72pL8mjCuZFZ6vpzg/imUFxtaR+O5UNQuBpxeCitPRBqvZjBKCWaOMb/sfDilk8QsmWmt2wBC0WIxetVPGYetweaA6eVZRoOA8nu9c3hXCOnI399RAyQ6ZvaCb+lyQ8soJx+VOp5XbSoeEfzr7eNKoHTAPYIMEtCrNfhC7QLhouywunqkOTWKI4MqIvq8F4Genw//eypNScATy4eKlTcb5o3A6vp5L5m0ch76d9YM0Py0eoGFdUMf2QK5GtMXWj/NKTutx27q7yV4Z16F0fgYxRHoOTR6/8XPTEyFU3J4zqy4jkNmC8ZoyCFhdCLAIGq/X/bgA==</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.us-east-1.amazonaws.com/saml/logout/MjU5ODM4MjAwNjIxX2lucy0xMzRlYzQ5YjUwOWM0Y2Y3"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.sso.us-east-1.amazonaws.com/saml/logout/MjU5ODM4MjAwNjIxX2lucy0xMzRlYzQ5YjUwOWM0Y2Y3"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/MjU5ODM4MjAwNjIxX2lucy0xMzRlYzQ5YjUwOWM0Y2Y3"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://portal.sso.us-east-1.amazonaws.com/saml/assertion/MjU5ODM4MjAwNjIxX2lucy0xMzRlYzQ5YjUwOWM0Y2Y3"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

Hi,

Yes, apologies, I should have noted this is Elastic Cloud and as such this is currently not a whitelisted config value. Can you please engage with your support engineer? They will be able to apply this setting for your cluster - feel free to mention this post here, and I will provide them with additional details if needed.

Hi @ikakavas

Yeah, The Kibana SSO login is working after Elastic Cloud help enable the below option on ElasticSearch settings.

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

There has a new issue found after we enabled Kibana SSO.

We can only see an attribute with subject on AWS Application SSO settings, Don't know if it's normal? when I logged on to Kibana with my AD account(robin.guo), It's not the username that what I logged on.

Could you please advise which attributes should we in place between elastic cloud and AWS SSO?

The default mappings between AWS SSO and Microsoft AD as following

User attribute in AWS SSO Maps to this attribute in your Microsoft AD directory
AD_GUID ${dir:guid}
email ${dir:windowsUpn}
familyName ${dir:lastname}
givenName ${dir:firstname}
middleName ${dir:initials}
name ${dir:displayname}
preferredUsername ${dir:displayname}
subject ${dir:windowsUpn}

eg.

Attribute mappings

Kibana Login

You have configured AWS SSO to use the literal string "subject" as the value of the SAML NameID and then you have also configured Elasticsearch to map the value of SAML NameID to the principal user attribute in Elasticsearch. Thus, the principal user attribute in Elasticsearch gets the value "subject". This is all expected behavior based on your configuration.

You should probably want to change the literal sting "subject" in your AWS SSO config to something from the list you have shared above ( like the default value ${dir:windowsUpn} that will get the appropriate value from your AD

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.