Elasticsearch SAML integration while using HTTP-Redirect

ok i understand
so the only explanation is the response from idp is unsigned,
but the idp team tell me it's signed.
can you tell me how to confirm whether a response is signed or not?

I never said that. The only explanation for what ?

Are you certain they have configured the idp to sign the SAML Response? Because from the screenshot you have attached here, it looks like the SAML Assertion is signed. This is a different thing .

You would be able to see a <ds:Signature> element that has a <ds:Reference> child element that points to the ID of the <samlp:Response> element i.e.

<samlp:Response ID=xxxxxxxxxxx ........ >
        <ds:Reference URI="#xxxxxxxxxxx">

See also here for examples of SAML messages with combination of signed Responses and Assertions to get an idea.

I would focus on getting the idp team to understand that you want your IDP to sign SAML Responses ( not just the SAML Assertions )

1 Like

thank you very much

HI ikakavas
i have some question about role mapping.

  1. As our idp team do not supply the user's group message in the SAML attributes, can i create group in ELK? and how to ?

  2. The SAML attributes only have Email First Name and Last Name,
    AS i don't know the username, can i use Email name as the field?
    i have tried
    curl -X POST "https://XXXXXX:9200/_xpack/security/role_mapping/mapping" -H 'Content-Type: application/json' -d'
    "roles": [ "user", "superuser" ],
    "enabled": true,
    "rules": {
    "field" : { "Email" : [ "XXXX@XXXX.com" ] }

No. There is no notion of a shadow user in Elasticsearch. That is there will not be a persistent user entry in Elasticsearch for the users that authenticate via the SAML realm, so you cannot assign them groups in Elasticsearch.

Reagrding 2. The answer lies - again - in the guide

Not directly - see below

It's always helpful to tell us what happened after you tried. If it didn't work, how did it fail ?

You have two options to use Email for role mapping

  1. User metadata. Email can then be used as saml(Email) in role mappings
  2. Extracting username from email - our guide has this exact example - and using this in the role mappings.

Once again, please do read through our guide, it will be greatly beneficial for your understanding and will make realm configuration much easier for you.

HI ikakavas
i tried "Email can then be used as saml(Email) in role mappings"
curl -X PUT "https://X.X.X.X:9200/_xpack/security/role_mapping/mapping" -H 'Content-Type: application/json' -d'
"roles": [ "superuser" ],
"enabled": true,
"rules": { "all": [
{ "field": { "realm.name": "saml3" } },
{ "field": { "saml(Email)": "Dengfeng.Nguyen@Honeywell.com" } }
] }

but when i login ,i don't have access to perform any actions or access any data.

the configuration in Elasticsearch.yml is
attributes.principal: "Email"
attribute_patterns.principal: "^([^@]+)@Honeywell.com$"

That field should be "metadata.saml(Email)"

I can access after i change the field from saml(Email) to metadata.saml(Email).
and if i want to use mapping files what it should be ?
- "metadata.saml(Email)=Dengfeng.Nguyen@Honeywell.com"
- "metadata.saml(Email)=Dengfeng.Nguyen@Honeywell.com"

SAML does not support mapping files.
Which part of the docs lead you to believe it did?

in this role mapping file
it shows how to uses the file-based method to map group to role, the user can be from Active Directory , so i think maybe the users who authenticate via SAML can also use it.

I have a question when i use role mapping API
if i have created a mapping role ,
curl -X PUT "https://X.X.X.X:9200/_xpack/security/role_mapping/" -H 'Content-Type: application/json' -d'
"roles": [ "superuser" ],
"enabled": true,
"rules": { "all": [
{ "field": { "realm.name": "saml3" } },
{ "field": { "metadate.saml(Email)": "Dengfeng.Nguyen@Honeywell.com" } }
] }
i want to add user to this mapping, or i want to remove user in this mapping, do you have related API?

HI Ikakavas
my configuration
attributes.principal: "Email"
attribute_patterns.principal: "^([^@]+)@Honeywell.com$"

in my understanding i can extract username from email . if my email name is Dengfeng,Nguyen@Honeywell.com, so my username will be Dengfeng,Nguyen.

But when i try to get the user's information
curl -X GET "https://x.x.x.x:9200/_xpack/security/user/Dengfeng.Nguyen"
it just return {}
can you tell me how to get the user's information who authenticate via SAML

The Users API returns information about users in the Native realm. It will not show SAML users.

If you want to know which users are authenticating via SAML, then you need to use the audit log.

In addition to what Tim has mentioned, if you are authenticated yourself as the user of which you want to get the information, you can use the _authenticate API to get it.

HI ikakavas
I have some questions about group mapping.
from this role mapping we can mapping group to different role . i think if the SAML session contain one group message it will work very well.
1 Can you tell me the situation that SAML session contain multi-groups, does the ELK can parse the group info?
2 if the answer is yes, does the ELK just pick the group configured in role_mapping, and ignore others group message?
3 if one user both in group "user" and group “developer”, will he have the full permission of the both groups or just have one of groups' permission.

I believe the Role Mapping API docs cover everything you are asking:

Got it ,thank you

I have a problem when i logout the kibana, when i click the Logout, the kibana will reload, and than login the kibana again. that's mean i can not logout.
my configuration in elastic is
sp.acs: "https://sent2-kibana-dev.dsentience.net:443/api/security/v1/saml"
sp.logout: "https://sent2-kibana-dev.dsentience.net:443/logout"

Can you tell the situation that SAML session contain two groups
one is top grpup "cn=elastic_user,ou=internal,o=Honeywell"
another is subgroup "cn=GroupAdministrator,cn=elastic_user,ou=internal,o=Honeywell"

if i only map subgroup to a role, the user in the subgroup have no permission related to the role.

Multiple groups should work fine.
You'll need to look at the logs and try and see what's going wrong for you.

Is there sub group concept in ELK?
if we need map one group to one role. we just need call the api below no matter the group is top group or sub group.
curl -X PUT "https://x.x.x.x:9200/_xpack/security/role_mapping/mapping" -H 'Content-Type: application/json' -d'
"roles": [ "kibana_user", "machine_learning_user" ],
"enabled": true,
"rules": { "all": [
{ "field": { "realm.name": "saml3" } },
{ "field": { "metadata.saml(Group)": "cn=elastic_user,ou=internal,o=honeywell" } }
] }