Having issues getting Google SAML SSO to work with Elastic Cloud. I'm getting a 401 after I choose my Google identity.
elasticsearch.yaml:
xpack:
  security:
    authc:
      realms:
        saml:
          cloud-saml:
            order: 2
            attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
            attribute_patterns.principal: "^([^@]+)@example\\.com$"
            attributes.groups: "groups"
            idp.metadata.path: /app/config/saml/metadata.xml
            idp.entity_id: "https://accounts.google.com/o/saml2?idpid=xxxxxxx"
            sp.entity_id: "https://<MY_KIBANA_URL>:9243/"
            sp.acs: "https://<MY_KIBANA_URL>:9243/api/security/v1/saml"
            sp.logout: "https://<MY_KIBANA_URL>:9243/logout"
kibana.yaml:
xpack.security.authc.providers: [saml,basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.authc.saml.realm: cloud-saml
Response from browser:
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}
SAML Response:
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">myusername@example.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="responseID" NotOnOrAfter="2019-10-09T18:18:25.399Z" Recipient="https://<MY_KIBANA_URL>:9243/api/security/v1/saml"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2019-10-09T18:08:25.399Z" NotOnOrAfter="2019-10-09T18:18:25.399Z"><saml2:AudienceRestriction><saml2:Audience>https://<MY_KIBANA_URL>:9243/</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2019-10-07T14:31:18.000Z" SessionIndex="sessionID"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>
Any ideas on what the issue could be?
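A small diagnostic to narrow down a 401 like this, added here as an example and not part of the original post or of Elastic's code: it parses an assertion and reports what the IdP actually sent (NameID format, attribute names, audience, recipient, expiry) against the realm settings from the question. The visible fragment above shows only a transient NameID; any AttributeStatement would sit in the truncated part, so the sample assertion below is constructed to match the visible fragment, and `kibana.example.com` stands in for the real hostname. It does not verify the XML signature, so it explains attribute and endpoint mismatches only.

```python
# Added diagnostic (not from the post): compare what a SAML assertion carries
# with what the Elasticsearch SAML realm is configured to read.
# Signature verification is deliberately out of scope here.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Realm settings from the question; the hostname is a placeholder.
REALM = {
    "attributes.principal": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "sp.entity_id": "https://kibana.example.com:9243/",
    "sp.acs": "https://kibana.example.com:9243/api/security/v1/saml",
}

# Constructed assertion mirroring the fragment in the post: transient NameID,
# bearer confirmation, audience/recipient set, no AttributeStatement.
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
<saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">myusername@example.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotOnOrAfter="2019-10-09T18:18:25.399Z" Recipient="https://kibana.example.com:9243/api/security/v1/saml"/></saml2:SubjectConfirmation></saml2:Subject>
<saml2:Conditions NotBefore="2019-10-09T18:08:25.399Z" NotOnOrAfter="2019-10-09T18:18:25.399Z"><saml2:AudienceRestriction><saml2:Audience>https://kibana.example.com:9243/</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
</saml2:Assertion>"""

def check_assertion(xml_text, realm, now):
    """Return findings; an empty 'problems' list means the assertion matches
    the realm's expectations at the attribute/endpoint level."""
    root = ET.fromstring(xml_text)
    a = root if root.tag.endswith("Assertion") else root.find(".//saml2:Assertion", NS)
    problems = []
    # Attribute names the IdP actually included (may be none at all).
    attrs = sorted({el.get("Name") for el in a.findall(".//saml2:Attribute", NS)})
    wanted = realm["attributes.principal"]
    if wanted not in ("nameid", "nameid:persistent") and wanted not in attrs:
        problems.append(f"principal attribute {wanted!r} not in assertion; present: {attrs}")
    nameid = a.find("saml2:Subject/saml2:NameID", NS)
    aud = a.findtext("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", namespaces=NS)
    if aud != realm["sp.entity_id"]:
        problems.append(f"audience {aud!r} != sp.entity_id {realm['sp.entity_id']!r}")
    scd = a.find(".//saml2:SubjectConfirmationData", NS)
    if scd.get("Recipient") != realm["sp.acs"]:
        problems.append(f"recipient {scd.get('Recipient')!r} != sp.acs {realm['sp.acs']!r}")
    expiry = datetime.fromisoformat(scd.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= expiry:
        problems.append("assertion expired (NotOnOrAfter is in the past)")
    return {"nameid_format": nameid.get("Format"), "nameid": nameid.text,
            "attributes": attrs, "problems": problems}

if __name__ == "__main__":
    print(check_assertion(SAMPLE, REALM, datetime(2019, 10, 9, 18, 10, tzinfo=timezone.utc)))
```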