Elasticsearch, SAML configuration, help required

Elasticsearch Version: 7.5.2
Kibana Version: 7.5.2
Deployment: Elastic.co Cloud Managed

Hello, we are seeing strange issues when using SAML on our production deployment; it all worked fine during our trial, which is strange.

So if I go to log in via

https://x.eu-west-1.aws.found.io:9243, I see the following:

{"statusCode":403,"error":"Forbidden","message":"Forbidden"}

If I go to this url

https://x.eu-west-1.aws.found.io:9243/app/kibana, I see the following:

If I go to this url

https://x.eu-west-1.aws.found.io:9243/api/security/v1/me, I see the following:

{"username":"anthony.cleaves@x.com","roles":[],"full_name":null,"email":null,"metadata":{"saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname)":["Anthony"],"saml(http://schemas.microsoft.com/identity/claims/objectidentifier)":["{{REMOVED}}"],"saml_nameid_format":"urn:oasis:names:tc:SAML:2.0:nameid-format:transient","saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname)":["Cleaves"],"saml(http://schemas.microsoft.com/claims/authnmethodsreferences)":["http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"],"saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)":["anthony.cleaves@x.com"],"saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name)":["anthony.cleaves@x.com"],"saml_nameid":"+MyMjID64szKm4YllGRf1ScSW/3GBxetUKW4OvMYpeI=","saml(http://schemas.microsoft.com/identity/claims/identityprovider)":["https://sts.windows.net/{{REMOVED}}/"],"saml(http://schemas.microsoft.com/identity/claims/tenantid)":["{{REMOVED}}"],"saml(http://schemas.microsoft.com/identity/claims/displayname)":["Anthony Cleaves"]},"enabled":true,"authentication_realm":{"name":"saml-to-azure","type":"saml"},"lookup_realm":{"name":"saml-to-azure","type":"saml"}}

I have no roles set, so we map "Kibana_Administrators" to superusers and kibana_users, via the following:

_security/role_mapping/CLOUD_SAML_ADADMIN_TO_SUPERUSER

{
  "CLOUD_SAML_ADADMIN_TO_SUPERUSER": {
    "rules": {
      "all": [
        {
          "field": {
            "realm.name": "saml-to-azure"
          }
        },
        {
          "field": {
            "groups": "Kibana_Administrators"
          }
        }
      ]
    },
    "enabled": true,
    "roles": [
      "superuser",
      "kibana_user"
    ],
    "metadata": {
      "version": 2
    }
  }
}

For completeness, here is my Elasticsearch config:

xpack:
  security:
    authc:
      realms:
        saml:
          saml-to-azure:
            order: 2
            attributes.principal: 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
            attributes.groups: 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups'
            idp.metadata.path: 'https://login.microsoftonline.com/{{REMOVED}}/federationmetadata/2007-06/federationmetadata.xml?appid={{REMOVED}}'
            idp.entity_id: 'https://sts.windows.net/{{REMOVED}}/'
            sp.entity_id: 'https://x.eu-west-1.aws.found.io:9243'
            sp.acs: 'https://x.eu-west-1.aws.found.io:9243/api/security/v1/saml'
            sp.logout: 'https://x.eu-west-1.aws.found.io:9243/logout'

And here is my kibana config:

xpack.security.authc.providers: ['saml','basic']
server.xsrf.whitelist: ['/api/security/v1/saml']
xpack.security.authc.saml.realm: 'saml-to-azure'

The strange thing is, last night it appeared to work for me fine; then I changed our realm name from the one in the example to saml-to-azure and I now see this issue. My gut feeling is that it's not finding the correct group when talking to SAML, but I have no idea how I can debug it to view anything like that.

Any help would be appreciated.

I enabled debug on ES and I got this when signing in:

[instance-0000000007] Parsed token [SamlToken{3c73616d6c703a526573706f6e73652049443d225f61326434343036322d653239352d343664352d393738342d62636537613931343131633422205665727369...}] to attributes [SamlAttributes(NameId(urn:oasis:names:tc:SAML:2.0:nameid-format:transient)=NsG1wqEPhrrDucBy0F1iq8OPkBzcCzqAjvZ71POsfCs=)[_{{REMOVED}}]{[http://schemas.microsoft.com/identity/claims/tenantid=[{{REMOVED}}], http://schemas.microsoft.com/identity/claims/objectidentifier=[{{REMOVED}}], http://schemas.microsoft.com/identity/claims/displayname=[Anthony Cleaves], http://schemas.microsoft.com/identity/claims/identityprovider=[https://sts.windows.net/{{REMOVED}}/], http://schemas.microsoft.com/claims/authnmethodsreferences=[http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname=[Anthony], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname=[Cleaves], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress=[anthony.cleaves@x.com], http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name=[anthony.cleaves@x.com]]}]

There is no mention of groups; is this expected?

This has to do only with your IDP (Azure AD) configuration. As you can see (both in the ES logs and in the response of api/security/v1/me, as we add all SAML attributes as user metadata :wink:), your IDP is not sending the SAML attribute http://schemas.microsoft.com/ws/2008/06/identity/claims/groups in the SAML response, so your user doesn't get any groups, and thus no roles, as no role mapping rule matches them.

I don't doubt it's the azure side, I think we are making progress

{"username":"anthony.cleaves@x.com","roles":[],"full_name":null,"email":null,"metadata":{"saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname)":["Anthony"],"saml(http://schemas.microsoft.com/identity/claims/objectidentifier)":["{{REMOVED}}"],"saml_nameid_format":"urn:oasis:names:tc:SAML:2.0:nameid-format:transient","saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname)":["Cleaves"],"saml(http://schemas.microsoft.com/ws/2008/06/identity/claims/groups)":["3aec251d-b8ab-406f-90c2-c7606942952f","d65416d5-db63-41dd-b14b-1e4351d58f26","a724ac8e-69e3-499c-b317-b81f95f1db80","30d135f6-de26-4b38-a7b3-d606d2596dba","d23992d6-f99a-40a4-8fc6-5ec90a8263ea","b21075f3-c48a-4d04-b315-eac6a9bf6463","e5f183fc-f679-4533-9a3b-4d5abfd609ec","d7ac88fa-e1de-484b-ac21-afe789b1b619","6c12265c-f835-47da-b2f4-52909b96f0d9","422e2c0e-b317-4f59-9618-fbb227a88020","5d10f45f-139a-44f6-b85a-dff137d75f18","cfec5aba-2719-450c-8b07-6c686d89d013","35b6a7d1-47f0-495c-89d7-0519714dec59","678f3eed-4040-45b3-b9ae-63c4c9ba4ac2","fd78effa-3ff9-40c5-b99c-2ad88ce05557","ef46bd3c-a271-42e5-a90e-ccfad709d068","2705ebd6-db57-47be-a911-357bfb29ddd0","e212e336-41f5-467e-b60c-dd00724440f0","fcc39033-6fe3-4d5f-8d6d-394124d6c20c","9164aea0-5d82-40fd-8715-d92c18ee21fb","5f59dd64-859b-4198-bdd5-c02e3c6a4496"],"saml(http://schemas.microsoft.com/claims/authnmethodsreferences)":["http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password"],"saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)":["anthony.cleaves@x.com"],"saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name)":["anthony.cleaves@x.com"],"saml_nameid":"RIaMXTh/2BT2+CfWBjioEmtaHN++Ga7VMi84wG6MHo8=","saml(http://schemas.microsoft.com/identity/claims/identityprovider)":["https://sts.windows.net/{{REMOVED}}/"],"saml(http://schemas.microsoft.com/identity/claims/tenantid)":["{{REMOVED}}"],"saml(http://schemas.microsoft.com/identity/claims/displayname)":["Anthony Cleaves"]},"enabled":true,"authentication_realm":{"name":"saml-to-azure","type":"saml"},"lookup_realm":{"name":"saml-to-azure","type":"saml"}}

It seems to list some groups now, is it possible via elasticsearch api to see what they are? Sorry for my ignorance with Azure AD, that component is managed by an IT team.

No, because these are not related to Elasticsearch. These are the GUIDs of your AD groups. You can either

  1. ask your IT team to change the configuration on Azure's side so that this claim contains group names instead. See Configure group claims for applications by using Microsoft Entra ID | Microsoft Learn on how to do this.
  2. or ask your IT team to give you a mapping of GUIDs to group names if this doesn't change often, and adjust your role mappings to match these values instead.
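The two replies above describe the same failure from two angles: first the groups claim was absent, so no `field` rule on `groups` could match; then it arrived carrying object IDs, which never equal the string "Kibana_Administrators". The Python script below is an added example, not part of this thread and not Elasticsearch's own code. It reimplements the role-mapping rule DSL (all / any / except / field, with exact and `*` wildcard matching) locally, derives the fields a rule can see from a GET /api/security/v1/me response the way the thread's realm config (attributes.groups) would, and reports which mappings would grant roles. The two /me responses and the GUIDs in it are constructed; the assumption that ASSUMED_ADMIN_GROUP_GUID is the object ID of Kibana_Administrators stands in for the value the IT team would supply under option 2.

```python
"""Offline evaluator for Elasticsearch role-mapping rules, run against the JSON
that GET /api/security/v1/me returns. Added example with constructed sample data;
it mirrors the documented rule semantics but is not Elasticsearch's own code."""
import fnmatch

# The realm's attributes.groups setting from the elasticsearch.yml in the thread.
GROUPS_ATTRIBUTE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed /me response: Azure AD did not send the groups claim at all.
ME_NO_GROUPS = {
    "username": "anthony.cleaves@x.com",
    "roles": [],
    "metadata": {
        "saml(http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)": ["anthony.cleaves@x.com"],
        "saml_nameid_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    },
    "authentication_realm": {"name": "saml-to-azure", "type": "saml"},
}

# Assumption: this (made-up) GUID is the object ID of the Kibana_Administrators group.
ASSUMED_ADMIN_GROUP_GUID = "11111111-2222-3333-4444-555555555555"

# Constructed /me response: the groups claim is present but carries object IDs, not names.
ME_WITH_GUID_GROUPS = {
    **ME_NO_GROUPS,
    "metadata": {
        **ME_NO_GROUPS["metadata"],
        f"saml({GROUPS_ATTRIBUTE})": [ASSUMED_ADMIN_GROUP_GUID, "66666666-7777-8888-9999-000000000000"],
    },
}


def make_mapping(group_value):
    """The thread's CLOUD_SAML_ADADMIN_TO_SUPERUSER mapping, parameterised on the groups value."""
    return {
        "CLOUD_SAML_ADADMIN_TO_SUPERUSER": {
            "enabled": True,
            "roles": ["superuser", "kibana_user"],
            "rules": {"all": [
                {"field": {"realm.name": "saml-to-azure"}},
                {"field": {"groups": group_value}},
            ]},
        }
    }


MAPPING_BY_NAME = make_mapping("Kibana_Administrators")  # as posted: matches a display name
MAPPING_BY_GUID = make_mapping(ASSUMED_ADMIN_GROUP_GUID)  # option 2 above: matches the GUID


def user_model(me):
    """Fields a role-mapping rule can see, derived from the /me response.
    The SAML realm exposes the attribute named by attributes.groups as 'groups'."""
    meta = me.get("metadata", {})
    return {
        "username": me["username"],
        "groups": meta.get(f"saml({GROUPS_ATTRIBUTE})", []),
        "realm.name": me["authentication_realm"]["name"],
        "metadata": meta,
    }


def _lookup(model, field):
    if field.startswith("metadata."):
        return model["metadata"].get(field[len("metadata."):])
    return model.get(field)


def _field_matches(actual, expected):
    """A field rule matches when any user value equals (or wildcard-matches) any rule value."""
    have = actual if isinstance(actual, list) else [actual]
    want = expected if isinstance(expected, list) else [expected]
    for w in want:
        for h in have:
            if w is None and h is None:
                return True
            if isinstance(w, str) and isinstance(h, str) and fnmatch.fnmatchcase(h, w):
                return True
            if w is not None and w == h:
                return True
    return False


def evaluate(rule, model):
    """Recursive evaluation of the all / any / except / field rule DSL."""
    if "all" in rule:
        return all(evaluate(r, model) for r in rule["all"])
    if "any" in rule:
        return any(evaluate(r, model) for r in rule["any"])
    if "except" in rule:
        return not evaluate(rule["except"], model)
    if "field" in rule:
        (name, expected), = rule["field"].items()
        return _field_matches(_lookup(model, name), expected)
    raise ValueError(f"unknown rule: {rule}")


def roles_for(me, mappings):
    """Roles the given mappings would grant this user; an empty list means nothing matched."""
    model = user_model(me)
    granted = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate(mapping["rules"], model):
            granted.update(mapping["roles"])
    return sorted(granted)


if __name__ == "__main__":
    print("no groups claim, name rule:", roles_for(ME_NO_GROUPS, MAPPING_BY_NAME))
    print("GUID groups, name rule:   ", roles_for(ME_WITH_GUID_GROUPS, MAPPING_BY_NAME))
    print("GUID groups, GUID rule:   ", roles_for(ME_WITH_GUID_GROUPS, MAPPING_BY_GUID))
```

Paste a real /me response in place of the constructed ones and the GET _security/role_mapping output in place of make_mapping to see why a given user ends up with roles: [] before touching the IdP. Matching on a GUID is stable (renaming the group in Azure AD does not change its object ID) but opaque, so keep the GUID-to-name table from the IT team next to the mapping.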

That sounds useful, thanks sir!

Thank you for your patience and precise information; as soon as you mentioned the GUID it all made sense immediately. I feel silly for missing that.

Hello,
I did not understand the solution. Can you please elaborate what exact steps you took? We are not able to understand what roles/groups need to be configured on the SAML side. Do we need to configure Kibana roles on the SAML end, or do we need to configure the tenant URL of Kibana? If so, where do we get the tenant URL from?
Could you please help us with the exact settings?

Hello @dbElastic

Your question seems unrelated to the topic here so I would kindly suggest that you open your own topic, explain what you are trying to do and what exactly your issue is and we will do our best to assist you.
