Enterprise Search SAML login Unauthorized

Elastic Orchestration Elastic Cloud Enterprise (ECE)
#1

I followed the above documentation on configuring the SAML with a Google SAML app. Logging into Kibana with SAML works now, but I'm having issues with the SAML authentication for Enterprise Search. This is the response received when trying to log into Enterprise Search through SAML:

{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

Upon inspecting the SAML request/response, all of the fields and attributes are the same as the SAML for Kibana. I made sure to specify the settings for the Enterprise search node ("User Setting Override") as noted in the documentation.

elasticsearch.yml User Setting Overrides:

xpack:
  security:
    authc:
      realms:
        saml: 
          google-saml-realm: 
            order: 2 
            attributes.principal: "nameid" 
            attributes.groups: "groups" 
            idp.metadata.path: "[URL TO METADATA]" 
            idp.entity_id: "https://accounts.google.com/o/saml2?idpid=xxxxxxxxx" 
            sp.entity_id: "[KIBANA ENDPOINT]/" 
            sp.acs: "[KIBANA ENDPOINT]/api/security/v1/saml"
            sp.logout: "[KIBANA ENDPOINT]/logout"

enterprise-search.yml user Setting Overrides:

ent_search.auth.google-saml-realm.source: elasticsearch-saml
ent_search.auth.google-saml-realm.order: 1
ent_search.auth.google-saml-realm.description: "Google SAML login"
ent_search.auth.google-saml-realm.icon: [URL TO ICON]
#2

In addition, here are the SAML payloads for each Kibana and Enterprise Search SAML POST request:

Kibana (returns 302):

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<saml2p:Response
    Destination="[KIBANA ENDPOINT]/api/security/v1/saml"
    ID="_8bd30041f4690d3fef8bc1ae2050c268" InResponseTo="_46c3165433157cfec6bf8e1b00344e6b3d8fa9b7"
    IssueInstant="2021-01-29T19:04:20.126Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=xxxxxxxxx</saml2:Issuer>
    <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
    <saml2:Assertion ID="_4ea19a8fb7b1505e3253f30934c982de" IssueInstant="2021-01-29T19:04:20.126Z"
        Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer>https://accounts.google.com/o/saml2?idpid=xxxxxxxxx</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference URI="#_4ea19a8fb7b1505e3253f30934c982de">
                    <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>QTqft4zEOSF6Znaz7+gnpK4DxMi3aNfkRD9bjbP7lsw=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>[SIGNATURE VALUE]</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
                    <ds:X509Certificate>[X509 CERTIFICATE]</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[GOOGLE USER EMAIL]</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="_46c3165433157cfec6bf8e1b00344e6b3d8fa9b7"
                NotOnOrAfter="2021-01-29T19:09:20.126Z"
                Recipient="[KIBANA ENDPOINT]/api/security/v1/saml"/></saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2021-01-29T18:59:20.126Z" NotOnOrAfter="2021-01-29T19:09:20.126Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>[KIBANA ENDPOINT]/</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="email">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">[GOOGLE USER EMAIL]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="name">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">[GOOGLE USER EMAIL]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="role">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">superuser</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="username">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">[GOOGLE USER EMAIL]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="roles">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">superuser</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
        <saml2:AuthnStatement AuthnInstant="2021-01-26T21:28:43.000Z"
            SessionIndex="_4ea19a8fb7b1505e3253f30934c982de">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>

Enterprise Search (returns 401):

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<saml2p:Response
    Destination="[KIBANA ENDPOINT]/api/security/v1/saml"
    ID="_7de92a3ab8c4cd5a392727e9b7fc05f5" InResponseTo="_5662203d080f4c02d0d375d81e1601ce0c600f11"
    IssueInstant="2021-01-29T19:10:07.492Z" Version="2.0"
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=xxxxxxxxx</saml2:Issuer>
    <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
    <saml2:Assertion ID="_72fa3be1a8995ee221c4a331452d6ec8" IssueInstant="2021-01-29T19:10:07.492Z"
        Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml2:Issuer>https://accounts.google.com/o/saml2?idpid=xxxxxxxxx</saml2:Issuer>
        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
                <ds:Reference URI="#_72fa3be1a8995ee221c4a331452d6ec8">
                    <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>KfteDn92oY9+xrOH1vJWYZL5umVwfjwD084p51JIgnw=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>[SIGNATURE VALUE]</ds:SignatureValue>
            <ds:KeyInfo>
                <ds:X509Data>
                    <ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
                    <ds:X509Certificate>[X509 CERTIFICATE]</ds:X509Certificate>
                </ds:X509Data>
            </ds:KeyInfo>
        </ds:Signature>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">[GOOGLE USER EMAIL]</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="_5662203d080f4c02d0d375d81e1601ce0c600f11"
                NotOnOrAfter="2021-01-29T19:15:07.492Z"
                Recipient="[KIBANA ENDPOINT]/api/security/v1/saml"/></saml2:SubjectConfirmation>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2021-01-29T19:05:07.492Z" NotOnOrAfter="2021-01-29T19:15:07.492Z">
            <saml2:AudienceRestriction>
                <saml2:Audience>[KIBANA ENDPOINT]/</saml2:Audience>
            </saml2:AudienceRestriction>
        </saml2:Conditions>
        <saml2:AttributeStatement>
            <saml2:Attribute Name="email">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">[GOOGLE USER EMAIL]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="name">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">[GOOGLE USER EMAIL]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="role">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">superuser</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="username">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">[GOOGLE USER EMAIL]</saml2:AttributeValue>
            </saml2:Attribute>
            <saml2:Attribute Name="roles">
                <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">superuser</saml2:AttributeValue>
            </saml2:Attribute>
        </saml2:AttributeStatement>
        <saml2:AuthnStatement AuthnInstant="2021-01-26T21:28:43.000Z"
            SessionIndex="_72fa3be1a8995ee221c4a331452d6ec8">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</saml2p:Response>
#3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.