Elastic - SAML (Azure) integration issue

Hi All,
Below is my SAML configuration for Elasticsearch and Kibana, but I am getting the following warning:

    [WARN ][o.e.x.s.a.AuthenticationService] [SA145] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML content is in-response-to _8ca119eb20c3a44e54c0edba4538500bf62b3879 but expected one of [] ])

On debugging in IE, I get the error below in the response body:
    {"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}

Need help identifying where the issue actually lies, in the ELK configuration or in the Azure configuration.

Below is my complete configuration

**1. Node A - Elasticsearch Config**
    cluster.name: sap
    node.name: SAP145
    node.master: true
    node.data: true
    network.host: 10.11.12.145
    http.port: 5081
    discovery.seed_hosts: ["10.11.12.145"]
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12 
    xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
    xpack.security.authc.accept_default_password: false
    xpack.security.authc.token.enabled: true
    xpack.security.authc.realms.saml.saml1:
      order: 0
      idp.metadata.path: saml/idp-metadata.xml
      idp.entity_id: "https://sts.windows.net/40d9d3d6-53ad-415c-aee8-72de90a76ab0/"
      sp.entity_id:  "https://10.12.12.111:5080/"
      sp.acs: "https://10.12.12.111:5080/api/security/v1/saml"
      attributes.principal: "http://schemas.microsoft.com/identity/claims/emailaddress"

**2. Node B - Elasticsearch Config**
    cluster.name: sap
    node.name: SA146
    node.master: true
    node.data: true
    network.host: 10.11.12.146
    http.port: 5081
    discovery.seed_hosts: ["10.11.12.145","10.11.12.146"]
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
    xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
    xpack.security.authc.accept_default_password: false
    xpack.security.authc.token.enabled: true
    xpack.security.authc.realms.saml.saml1:
      order: 2
      idp.metadata.path: saml/idp-metadata.xml
      idp.entity_id: "https://sts.windows.net/40d9d3d6-53ad-415c-aee8-72de90a76ab0/"
      sp.entity_id:  "https://10.12.12.111:5080/"
      sp.acs: "https://10.12.12.111:5080/api/security/v1/saml"
      attributes.principal: "http://schemas.microsoft.com/identity/claims/emailaddress"

**3. Kibana Config**
    server.port: 5080
    server.host: "10.12.12.111"
    elasticsearch.hosts: ["https://10.11.12.145:5081"]
    server.ssl.enabled: true
    server.ssl.certificate: /elk_7.4.1/kibana-7.4.0-linux-x86_64/config/certs/kibana-server.crt
    server.ssl.key: /elk_7.4.1/kibana-7.4.0-linux-x86_64/config/certs/kibana-server.key
    elasticsearch.ssl.certificateAuthorities: "/elk_7.4.1/kibana-7.4.0-linux-x86_64/config/certs/elasticsearch-ca.pem"
    elasticsearch.ssl.verificationMode: full
    elasticsearch.username: "elastic"
    elasticsearch.password: "elastic"
    xpack.reporting.capture.browser.chromium.disableSandbox: true
    csp.warnLegacyBrowsers: false
    xpack.security.authc.providers: [saml,basic]
    xpack.security.authc.saml.realm: saml1
    xpack.security.sessionTimeout: 10000
    server.xsrf.whitelist: [/api/security/v1/saml]

Why not continue in SAML configuration with NameID as unspecified - #3 by AjitR?

Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML content is in-response-to _8ca119eb20c3a44e54c0edba4538500bf62b3879 but expected one of [] ]

This should only be a transient error. Is it reproducible on your side in a new incognito browser window?

  1. Please enable trace logging as described in Common SAML issues | Elasticsearch Guide [8.11] | Elastic
  2. Describe to us what you are doing in the browser (which URL do you navigate to, what happens next, etc.) to get this error, or even better, capture a HAR from your browser.

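The check behind the "in-response-to ... but expected one of []" warning, as an added illustration that is not Elastic's code: a SAML Response is only accepted when its InResponseTo attribute matches one of the AuthnRequest IDs that Kibana stored in the user's session when it started the login, so an empty set of stored IDs means the session that began the login never reached the ACS endpoint. The Response XML and the request IDs below are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Set, Tuple

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed samlp:Response fragment carrying only the attributes this check inspects.
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_resp1" Version="2.0" '
    'IssueInstant="2019-11-01T10:00:00Z" '
    'InResponseTo="_8ca119eb20c3a44e54c0edba4538500bf62b3879" '
    'Destination="https://10.12.12.111:5080/api/security/v1/saml"/>'
)


def in_response_to(response_xml: str) -> Optional[str]:
    """Return the InResponseTo attribute of a samlp:Response, or None if absent."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("root element is not samlp:Response")
    return root.get("InResponseTo")


def validate_in_response_to(response_xml: str, outstanding_ids: Set[str]) -> Tuple[bool, str]:
    """Check a Response against the AuthnRequest IDs still outstanding in the session.

    Modelled on the realm behaviour seen in the warning: a solicited Response must answer a
    request the session remembers. A Response without InResponseTo is IdP-initiated and is
    left to the realm's other checks (signature, audience, conditions), so it passes here.
    """
    irt = in_response_to(response_xml)
    if irt is None:
        return True, "unsolicited (IdP-initiated) response"
    if irt in outstanding_ids:
        return True, f"response answers outstanding request {irt}"
    return False, f"SAML content is in-response-to {irt} but expected one of {sorted(outstanding_ids)}"


def diagnose(outstanding_ids: Set[str]) -> str:
    """Defender's reading of a failed check (assumption-based, not an Elastic message):
    an empty set means the session cookie that started the login was not presented on the
    ACS POST (other host/port than sp.acs, cookie blocked, or session expired); a non-empty
    set means the Response is stale or belongs to another login attempt."""
    if not outstanding_ids:
        return "session holds no request IDs: login-start session was lost before the ACS POST"
    return "session holds other request IDs: Response is stale or from another login attempt"
```

Comparing the host and port the browser started the login on with `sp.acs` is the first thing to check when the outstanding set is empty, since the session cookie is only sent back to the origin that issued it.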