Hi all,
I am trying to setup SAML via Azure Active Directory on an Elastic Cloud cluster.
Before I go into the details about the error, I just wanted to say that I've read pretty much anything I could find on the internet about SAML and Elasticsearch (like the Okta guide on Medium) as well as the Azure AD specific guide on the Elasticsearch website.
I'm getting the following error after I authenticate on Azure:
{"statusCode":403,"error":"Forbidden","message":"Forbidden"}
Here is my elasticsearch.yml config:

```yaml
xpack:
  security:
    authc:
      realms:
        saml:
          cloud-saml:
            order: 2
            attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
            attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
            idp.metadata.path: "https://login.microsoftonline.com/something/federationmetadata/2007-06/federationmetadata.xml?appid=something"
            idp.entity_id: "https://sts.windows.net/something/"
            sp.entity_id: "https://something.eu-central-1.aws.cloud.es.io:9243/"
            sp.acs: "https://something.eu-central-1.aws.cloud.es.io:9243/api/security/v1/saml"
            sp.logout: "https://something.eu-central-1.aws.cloud.es.io:9243/logout"
```
I enabled SAML traces to get more info. Here is what I get in a gist:
- Constructed SAML Authentication Request
- Received SAML Message: ...
- SAML Response: ... Number of unencrypted Assertions: 1 Number of encrypted Assertions: 0 ]
- SAML Assertion: [ Response ID: ... Response issued at: 2020-05-25T11:10:59.087Z Issuer: ... Number of attribute statements: 1 Number of authentication statements: 1 ]
- (Possibly decrypted) Assertion: ...
- SAML Assertion Subject Confirmation is in response to: ...
- SAML Assertion is only valid between: 2020-05-25T11:05:58.916Z and 2020-05-25T12:10:58.916Z
- SAML Assertion Subject Confirmation is only valid before: 2020-05-25T12:10:58.916Z
- SAML Assertion Subject Confirmation intended recipient is: ...
- [instance-0000000006] SAML Signature [......] matches credentials ...
- SAML AttributeStatement has [9] attributes and [0] encrypted attributes
- SAML Assertion was intended for the following Service providers: ...
- Parsed token...
- The SAML Assertion contained the following attributes... (the data coming into these attributes is correct).
Initially I thought the problem was with the signing / encrypting of messages, but that can't be it, as we are well past that point in the logs as shown above. I don't see any actual error message (all of the above are DEBUGs and INFOs). So I think that maybe where I'm wrong is the setup of attributes as part of the Azure AD application?
Any help to debug this further would be highly appreciated.
Thanks
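The trace above shows the assertion itself validating, so the two remaining things to check on the Elasticsearch side are whether the claim URIs configured as attributes.principal / attributes.groups actually resolve to values in the assertion, and whether any role mapping for the cloud-saml realm grants the resulting user a role (an authenticated SAML user with no roles is one common reason for a 403 from Kibana). The following is an added example, not code from the post or from Elastic: it parses a constructed Azure-style AttributeStatement using the post's claim URIs, builds the user as the realm would see it, and evaluates a constructed role-mapping rule tree (the all / any / except / field shape used by the Elasticsearch role-mapping API) against it.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed Azure-AD-style assertion fragment (not from the post); the claim
# URIs are the ones the config maps via attributes.principal / attributes.groups.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
   <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
   <saml:AttributeValue>kibana_users</saml:AttributeValue>
   <saml:AttributeValue>auditors</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""

def saml_attributes(xml_text):
    """Return {Attribute Name: [values]} from the assertion's AttributeStatement."""
    attrs = {}
    for a in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text for v in a.iterfind("saml:AttributeValue", NS)]
    return attrs

def resolve_user(attrs, realm, principal_attr, groups_attr):
    """Build the user as the realm sees it; a missing principal fails authentication."""
    if not attrs.get(principal_attr):
        raise ValueError(f"principal attribute missing from assertion: {principal_attr}")
    return {"username": attrs[principal_attr][0], "realm.name": realm,
            "groups": attrs.get(groups_attr, [])}

def rule_matches(rule, user):
    """Evaluate a role-mapping rule tree: all / any / except / field leaf."""
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    (field, expected), = rule["field"].items()  # leaf: {"field": {name: value|[values]}}
    actual = user.get(field, [])
    actual = actual if isinstance(actual, list) else [actual]
    expected = expected if isinstance(expected, list) else [expected]
    return any(e in actual for e in expected)

def granted_roles(user, mappings):
    """Union of roles from every enabled mapping whose rules match the user."""
    return sorted({r for m in mappings
                   if m["enabled"] and rule_matches(m["rules"], user) for r in m["roles"]})

# Constructed mapping (the shape PUT to /_security/role_mapping/<name>): only cloud-saml
# users carrying the kibana_users group get a role; a user matching nothing has no roles.
ROLE_MAPPING = {"roles": ["kibana_admin"], "enabled": True,
                "rules": {"all": [{"field": {"realm.name": "cloud-saml"}},
                                  {"field": {"groups": "kibana_users"}}]}}
```

Run granted_roles on the user built from a real (decrypted) assertion from the trace to see whether the mapping rules produce an empty role list for the account that gets the 403.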