Elasticsearch, SAML configuration, help required

Elasticsearch Version: 7.5.2
Kibana Version: 7.5.2
Deployment: Elastic.co Cloud Managed

Hello, we are seeing strange issues when using saml on our production deployment, it all worked fine during our trial which is strange.

So if I go to log in via

https://x.eu-west-1.aws.found.io:9243, I see the following:

{"statusCode":403,"error":"Forbidden","message":"Forbidden"}

If I go to this url

https://x..eu-west-1.aws.found.io:9243/app/kibana, I see the following:

If I go to this url

https://x.eu-west-1.aws.found.io:9243/api/security/v1/me, I see the following:

{"username":"anthony.cleaves@x.com","roles":[],"full_name":null,"email":null,"metadata":{"saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname)":["Anthony"],"saml(http://schemas.microsoft.com/identity/claims/objectidentifier)":["{{REMOVED}}"],"saml_nameid_format":"urn:oasis:names:tc:SAML:2.0:nameid-format:transient","saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname)":["Cleaves"],"saml(http://schemas.microsoft.com/claims/authnmethodsreferences)":["http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"],"saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)":["anthony.cleaves@x.com"],"saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name)":["anthony.cleaves@x.com"],"saml_nameid":"+MyMjID64szKm4YllGRf1ScSW/3GBxetUKW4OvMYpeI=","saml(http://schemas.microsoft.com/identity/claims/identityprovider)":["https://sts.windows.net/{{REMOVED}}/"],"saml(http://schemas.microsoft.com/identity/claims/tenantid)":["{{REMOVED}}"],"saml(http://schemas.microsoft.com/identity/claims/displayname)":["Anthony Cleaves"]},"enabled":true,"authentication_realm":{"name":"saml-to-azure","type":"saml"},"lookup_realm":{"name":"saml-to-azure","type":"saml"}}

I have no roles set, so we map "Kibana_Administrators" to superusers and kibana_users, via the following:

_security/role_mapping/CLOUD_SAML_ADADMIN_TO_SUPERUSER

{
  "CLOUD_SAML_ADADMIN_TO_SUPERUSER": {
    "rules": {
      "all": [
        {
          "field": {
            "realm.name": "saml-to-azure"
          }
        },
        {
          "field": {
            "groups": "Kibana_Administrators"
          }
        }
      ]
    },
    "enabled": true,
    "roles": [
      "superuser",
      "kibana_user"
    ],
    "metadata": {
      "version": 2
    }
  }
}

For completion here is my Elaticsearch config:

xpack:
  security:
    authc:
      realms:
        saml:
          saml-to-azure:
            order: 2
            attributes.principal: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
            attributes.groups: 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups'
            idp.metadata.path: 'https://login.microsoftonline.com/{{REMOVED}}/federationmetadata/2007-06/federationmetadata.xml?appid={{REMOVED}}'
            idp.entity_id: 'https://sts.windows.net/{{REMOVED}}/'
            sp.entity_id: 'https://x.eu-west-1.aws.found.io:9243'
            sp.acs: 'https://x.eu-west-1.aws.found.io:9243/api/security/v1/saml'
            sp.logout: 'https://x.eu-west-1.aws.found.io:9243/logout'

And here is my kibana config:

xpack.security.authc.providers: ['saml','basic']
server.xsrf.whitelist: ['/api/security/v1/saml']
xpack.security.authc.saml.realm: 'saml-to-azure'

The strange thing is, last night it appeared to work for me fine, then I changed our realm name from the one in the example to saml-to-azure and I now see this issue. My gut feeling is that it's not finding the correct group when talking to saml but I have no idea how I can debug it to view anything like that.

Any help would be appreciated.

I enabled debug on ES and I got this when signing in:

[instance-0000000007] Parsed token [SamlToken{3c73616d6c703a526573706f6e73652049443d225f61326434343036322d653239352d343664352d393738342d62636537613931343131633422205665727369...}] to attributes [SamlAttributes(NameId(urn:oasis:names:tc:SAML:2.0:nameid-format:transient)=NsG1wqEPhrrDucBy0F1iq8OPkBzcCzqAjvZ71POsfCs=)[_{{REMOVED}}]{[http://schemas.microsoft.com/identity/claims/tenantid=[{{REMOVED}}], http://schemas.microsoft.com/identity/claims/objectidentifier=[{{REMOVED}}], http://schemas.microsoft.com/identity/claims/displayname=[Anthony Cleaves], http://schemas.microsoft.com/identity/claims/identityprovider=[https://sts.windows.net/{{REMOVED}}/], http://schemas.microsoft.com/claims/authnmethodsreferences=[http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=[Anthony], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=[Cleaves], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=[anthony.cleaves@x.com], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=[anthony.cleaves@x.com]]}]

There is no mention of group, is this expected?

This has to do only with your IDP ( Azure AD ) configuration. As you can see ( both in the ES logs and in the response of the api/security/v1/me - as we add all SAML Attributes as user metadata :wink: ) your IDP is not sending the SAML Attribute http://schemas.microsoft.com/ws/2008/06/identity/claims/groups in the SAML response and your user doesn't get any groups, and thus no roles , as no role mapping rule matches them.

I don't doubt it's the azure side, I think we are making progress

{"username":"anthony.cleaves@x.com","roles":[],"full_name":null,"email":null,"metadata":{"saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname)":["Anthony"],"saml(http://schemas.microsoft.com/identity/claims/objectidentifier)":["{{REMOVED}}"],"saml_nameid_format":"urn:oasis:names:tc:SAML:2.0:nameid-format:transient","saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname)":["Cleaves"],"saml(http://schemas.microsoft.com/ws/2008/06/identity/claims/groups)":["3aec251d-b8ab-406f-90c2-c7606942952f","d65416d5-db63-41dd-b14b-1e4351d58f26","a724ac8e-69e3-499c-b317-b81f95f1db80","30d135f6-de26-4b38-a7b3-d606d2596dba","d23992d6-f99a-40a4-8fc6-5ec90a8263ea","b21075f3-c48a-4d04-b315-eac6a9bf6463","e5f183fc-f679-4533-9a3b-4d5abfd609ec","d7ac88fa-e1de-484b-ac21-afe789b1b619","6c12265c-f835-47da-b2f4-52909b96f0d9","422e2c0e-b317-4f59-9618-fbb227a88020","5d10f45f-139a-44f6-b85a-dff137d75f18","cfec5aba-2719-450c-8b07-6c686d89d013","35b6a7d1-47f0-495c-89d7-0519714dec59","678f3eed-4040-45b3-b9ae-63c4c9ba4ac2","fd78effa-3ff9-40c5-b99c-2ad88ce05557","ef46bd3c-a271-42e5-a90e-ccfad709d068","2705ebd6-db57-47be-a911-357bfb29ddd0","e212e336-41f5-467e-b60c-dd00724440f0","fcc39033-6fe3-4d5f-8d6d-394124d6c20c","9164aea0-5d82-40fd-8715-d92c18ee21fb","5f59dd64-859b-4198-bdd5-c02e3c6a4496"],"saml(http://schemas.microsoft.com/claims/authnmethodsreferences)":["http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"],"saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)":["anthony.cleaves@x.com"],"saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name)":["anthony.cleaves@x.com"],"saml_nameid":"RIaMXTh/2BT2+CfWBjioEmtaHN++Ga7VMi84wG6MHo8=","saml(http://schemas.microsoft.com/identity/claims/identityprovider)":["https://sts.windows.net/{REMOVED}}/"],"saml(http://schemas.microsoft.com/identity/claims/tenantid)":["{REMOVED}}"],"saml(http://schemas.microsoft.com/identity/claims/displayname)":["Anthony Cleaves"]},"enabled":true,"authentication_realm":{"name":"saml-to-azure","type":"saml"},"lookup_realm":{"name":"saml-to-azure","type":"saml"}}

It seems to list some groups now, is it possible via elasticsearch api to see what they are? Sorry for my ignorance with Azure AD, that component is managed by an IT team.

No, because these are not related to Elasticsearch. These are the GUIDs of your AD Groups . You can either

  1. ask your IT team to change configuration on Azure's side so that this claim contains group names instead. See https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-group-claims on how to do this.
  2. or ask your IT Team to give you a mapping of GUIDs to group names if this doesn't change often, and you adjust your role mappings to match these values instead

That sounds useful, thanks sir!

Thank you for your paitence and percise information, as soon as you mentioned the GUID it all made sense immediately, I feel silly for missing that.

Hello,
I did not understand the solution. Can you please elaborate what exact steps you took? We are not able to understand what roles/groups need to be configured on SAML side. Do we need to configure kibana roles on SAML end or Do we need to configure tenant url of kibana. If so from where do we get the tenant url?
Could you please help us with what are the exact settings?

Hello @dbElastic

Your question seems unrelated to the topic here so I would kindly suggest that you open your own topic, explain what you are trying to do and what exactly your issue is and we will do our best to assist you.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.