Elastic Cloud Kibana SAML Okta not working with groups

Gavin_Hardy · August 2, 2019, 2:55pm

Hello,

I have setup ES and Kibana to use xpack, and have got it all working. When I create the kibana users like so

{
   "enabled": true,
    "roles": [ "kibana_user" ], 
    "rules": { 
        "field": { "realm.name": "cloud-saml" } 
    },
    "metadata": { "version": 1 }
}

I can login via Okta with my user ghardy and I have read access.

However, when I create the superuser based on groups using the following

{
   "enabled": true,
    "roles": [ "superuser" ], 
    "rules": { "all" : [ 
        { "field": { "realm.name": "cloud-saml" } }, 
        { "field": { "groups": "elasticadmins" } }
    ]},
    "metadata": { "version": 1 }
}

I keep getting user ghardy is unauthorised. In my Okta I have create the elasticadmins group, and assigned my user to that group. I am just lost to why it doesn't seem to be putting my user as a superuser.

kibana.xml

xpack.security.authProviders: [saml, basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.public:
  protocol: https
  hostname: <url>.eu-west-1.aws.found.io
  port: 9243

elasticsearch.yml

  security:
    authc:
      realms:
        cloud-saml: 
          type: saml
          order: 2
          attributes.principal: "nameid:persistent" 
          attributes.groups: "groups" 
          idp.metadata.path: "https://<url>.okta.com/app/<id>/sso/saml/metadata" 
          idp.entity_id: "http://www.okta.com/<id>" 
          sp.entity_id: "https://<url>.eu-west-1.aws.found.io:9243/" 
          sp.acs: "https://<url>.eu-west-1.aws.found.io:9243/api/security/v1/saml"
          sp.logout: "https://<url>.eu-west-1.aws.found.io:9243/logout"

Let me know if I am missing anything that you need
Any help will be great, Thank you!

ikakavas · August 5, 2019, 8:45am

Hi Gavin,

Nit picking here but so that we're on the same page: This is a role mapping rule and what it does is that it assigns roles ( kibana_user ) in this case, to users that have authenticated via the SAML realm with name cloud-saml . You are not sharing how you are creating those, but keep in mind that different role mappings need to have different names ( part of the URI when you send the request to Elasticsearch ) , otherwise you are overwriting the existing ones with the new ones.

Your configuration looks good to me and matches what I've seen being required integrating with Okta. My guess is that either:

Okta is not configured to send the group membership attribute
Okta is configured to send the group membership attribute but the attribute name is not groups (as your configuration implies)
Okta is configured to send the group membership attribute, and its name is groups, but your user ( ghardy) is not member of that group.

I would suggest that you

Check your Okta configuration to verify that the group membership attribute is named group and is also sent in the SAML Responses ( IIRC the section in Okta is named "Group Attribute Statements" )
When the first role mapping is assigned, and you can login to Kibana, go to the Dev Tools section and execute the following query:
```
GET /_security/_authenticate
```
This would show you roles that your user is currently assigned, but also all the SAML attributes that were sent from Okta for your user, under the "metadata" section of the response. This will show you if the group membership is sent from Okta, under which attribute name and with which value.

Gavin_Hardy · August 5, 2019, 10:30am

Hi Ioannis, thank you for your reply.

Are you saying that attributes.groups: "groups" in my elasticsearch.yml tat "groups" should match a group in my Okta, so if I have a Devops group, this should be "Devops"?

Gavin_Hardy · August 5, 2019, 10:31am

When I run GET /_security/_authenticate my user only has the kibana_user role, it has not been given the superuser role.

Gavin_Hardy · August 5, 2019, 10:39am

This is what authenticate brings back when I log in to kibana with my user ghardy

  "username" : "ghardy",
  "roles" : [
    "kibana_user"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "saml_nameid" : "ghardy",
    "saml_nameid_format" : "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "cloud-saml",
    "type" : "saml"
  },
  "lookup_realm" : {
    "name" : "cloud-saml",
    "type" : "saml"
  }
}

Gavin_Hardy · August 5, 2019, 11:19am

Hey, I got it working thanks, turns out it was Okta side!. Thank you again for your help!

ikakavas · August 5, 2019, 12:21pm

Are you saying that attributes.groups: "groups" in my elasticsearch.yml tat "groups" should match a group in my Okta, so if I have a Devops group, this should be "Devops" ?

No, not exactly. In attributes.groups: "groups" in your elasticsearch.yml, "groups" should match the name of the attribute in Okta, not its value. That was correctly configured from the start.

That part in the response shows that okta was not sending any group information to elasticsearch ( otherwise you would see it here along with the nameid in the metadata ) and this is why your role mapping was not working.

Glad you figured it out!

system · September 2, 2019, 12:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.