I am running ES version 7.1.0 on the cloud. I am not able to enter the SAML settings for Okta integration in the "User settings overrides" box. It is throwing errors like 'xpack.security.authc.realms.cloud-saml.type': is not allowed
According to this link, settings are limited. Where do I put in the SAML settings?
As you can see in the screenshot posted earlier, the user lands on the Kibana login page after logging out. Clicking 'login' will take the user back to Kibana. I would like the user to land on the Okta login screen after logging out of Kibana.
Here are the Elasticsearch and Kibana user settings.
The behavior you are seeing means that Okta is not configured to support Single Logout, and thus Elasticsearch assumes there is no point in redirecting you to the SAML IdP. You can verify that by looking at your Okta configuration or by looking at the metadata in https://xxxxxxx.okta.com/app/exkl4glcoc065460h7/sso/saml/metadata. I'd expect there is no <SingleLogoutService> in there (this is the URL in Okta where the Elastic Stack would redirect you upon logout).
You could contact Okta support to assist you in enabling Single Logout, or look at their documentation.
Keep in mind that, according to the SAML specification section 3.7, what usually happens in SAML Single Logout is that the session participant (that is, the Elastic Stack) should redirect the user to the SAML IdP (that is, Okta) with a SAML LogoutRequest, and then the SAML IdP will attempt to terminate the session and redirect the user back to the session participant with a SAML LogoutResponse. This would mean that you would still end up in Kibana after completing the logout, unless Okta has some setting to keep you on their dashboard instead of redirecting you back to Kibana with the SAML response in the end.
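The two checks and the exchange described in the reply above, worked through as an added example (my code, not Elastic's, Okta's or the poster's): it parses constructed IdP metadata to see whether a <SingleLogoutService> is published, builds the LogoutRequest a session participant sends to the IdP over HTTP-Redirect, and has the SP accept the IdP's LogoutResponse only when it answers the SP's own request. The entity IDs, URLs and metadata are made up, and the messages are left unsigned, whereas real ones are signed and the signature verified before any session is ended. The last step also shows why the browser still ends up at the SP afterwards: the LogoutResponse is delivered by redirecting the user back to the session participant.

```python
"""Added example (not Elastic's or Okta's code): check IdP metadata for a
SingleLogoutService, then walk the SAML 2.0 Core section 3.7 exchange:
SP -> IdP LogoutRequest over HTTP-Redirect, IdP -> SP LogoutResponse.
All metadata, entity IDs and URLs below are constructed for illustration."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed IdP metadata. An IdP without Single Logout simply publishes no
# <md:SingleLogoutService>, so the SP has nowhere to send a LogoutRequest and
# can only clear its own session.
IDP_META_NO_SLO = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same IdP after SLO is enabled: one extra element in the descriptor.
IDP_META_WITH_SLO = IDP_META_NO_SLO.replace(
    "</md:IDPSSODescriptor>",
    '<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"\n'
    '        Location="https://idp.example.test/slo"/>\n  </md:IDPSSODescriptor>')


def slo_endpoints(metadata_xml: str) -> dict:
    """Map binding URN -> Location for every SingleLogoutService the IdP publishes."""
    root = ET.fromstring(metadata_xml)
    return {e.get("Binding"): e.get("Location")
            for e in root.iterfind(".//md:SingleLogoutService", NS)}


def logout_plan(metadata_xml: str) -> str:
    """What a session participant can do on logout, given the IdP metadata."""
    endpoints = slo_endpoints(metadata_xml)
    if REDIRECT in endpoints:
        return "send LogoutRequest to " + endpoints[REDIRECT]
    return "no SingleLogoutService: clear local session only"


def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_logout_request(issuer: str, destination: str, name_id: str, session_index: str) -> tuple:
    """<samlp:LogoutRequest> (section 3.7.1). Returns (request_id, xml). Unsigned here;
    a real SP signs it and the IdP verifies the signature before ending a session."""
    request_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{_now()}" Destination="{destination}">'
           f'<saml:Issuer>{issuer}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>'
           f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex></samlp:LogoutRequest>')
    return request_id, xml


def redirect_encode(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64 (then URL-encoded into ?SAMLRequest=)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def redirect_decode(b64: str) -> str:
    """Inverse of redirect_encode, as the IdP (or a SAML tracer) sees the message."""
    return zlib.decompress(base64.b64decode(b64), -15).decode()


def build_logout_response(issuer: str, destination: str, in_response_to: str, status: str = SUCCESS) -> str:
    """The IdP's <samlp:LogoutResponse> (section 3.7.2); the browser is sent back to the SP with it."""
    return (f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_now()}" '
            f'Destination="{destination}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status></samlp:LogoutResponse>')


def verify_logout_response(xml_text: str, expected_request_id: str) -> bool:
    """SP-side check: count the logout as completed only for a successful response that answers
    our own outstanding request; an unsolicited or replayed LogoutResponse must be rejected."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return (root.get("InResponseTo") == expected_request_id
            and code is not None and code.get("Value") == SUCCESS)


def demo() -> dict:
    """Whole exchange against the SLO-capable metadata; returns what the SP learned."""
    slo = slo_endpoints(IDP_META_WITH_SLO)[REDIRECT]
    rid, req = build_logout_request("https://sp.example.test", slo, "alice@example.test", "idx-1")
    on_wire = redirect_encode(req)          # SP redirects the browser to slo + "?SAMLRequest=..."
    idp_sees = redirect_decode(on_wire)     # IdP decodes, checks signature, ends its session
    resp = build_logout_response("https://idp.example.test/saml", "https://sp.example.test/slo",
                                 ET.fromstring(idp_sees).get("ID"))
    return {"slo_endpoint": slo, "success": verify_logout_response(resp, rid)}


if __name__ == "__main__":
    print(logout_plan(IDP_META_NO_SLO))
    print(demo())
```

The InResponseTo check is the part worth keeping in mind when debugging: the SP must tie the response it receives to the request it sent, so a LogoutResponse that arrives out of the blue (or a replayed one) does not count as a completed logout.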
I managed to generate the signing certificates with OpenSSL instead of elasticsearch-certutil. Okta has been enabled for SLO. But here is the problem we are seeing now in the browser upon logout from Kibana.
Please, please, share more information. This is very little for anyone to try and assist in a meaningful way. 404 is just an HTTP error code; it doesn't mean much on its own. The more time you put into making your questions clear with all the details required, the fewer questions we'd have to ask back, and the more probable it becomes that someone will take the time to try and help you resolve the problem.
What happens when you click on logout, where does your browser get redirected to? What is the URL that gives you this 404? Even better, capture a HAR for your browser when you click on logout and share it with us by uploading it somewhere.
I ran a SAML tracer. I noticed two GET and one POST request. My understanding is that the first GET request relates to the 'logout' from Kibana. The URL in the second GET is the 'HTTP REDIRECT'. But I don't understand why I get a POST response for the second 'GET' URL. The POST response is what is throwing the "404" error. Let me know if this helps.
Thanks Tim. I am working with Okta support on this one. Will let you know if there is any progress.
In some cases we can end up in a logout loop, where immediately after logging out you get sent back to the IdP Login page which *might* automatically log you in again.
What I noticed with the Okta SSO integration is that the user session is terminated from the browser that initiated the logout. But I will still be able to log in without re-authenticating if I have an active browser session on Okta. Ideally, when the user logs out of Kibana, all sessions for that user must end.