Google SAML 401

Having issues getting Google SAML SSO to work with Elastic Cloud. I'm getting a 401 after I choose my Google identity.

elasticsearch.yaml:
xpack:
  security:
    authc:
      realms:
        saml:
          cloud-saml:
            order: 2
            attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
            attribute_patterns.principal: "^([^@]+)@example\.com$"
            attributes.groups: "groups"
            idp.metadata.path: /app/config/saml/metadata.xml
            idp.entity_id: "https://accounts.google.com/o/saml2?idpid=xxxxxxx"
            sp.entity_id: "https://<MY_KIBANA_URL>:9243/"
            sp.acs: "https://<MY_KIBANA_URL>:9243/api/security/v1/saml"
            sp.logout: "https://<MY_KIBANA_URL>:9243/logout"

kibana.yaml:
xpack.security.authc.providers: [saml,basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.authc.saml.realm: cloud-saml

Response from browser:
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}

SAML Response:
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">myusername@example.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="responseID" NotOnOrAfter="2019-10-09T18:18:25.399Z" Recipient="https://<MY_KIBANA_URL>:9243/api/security/v1/saml"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2019-10-09T18:08:25.399Z" NotOnOrAfter="2019-10-09T18:18:25.399Z"><saml2:AudienceRestriction><saml2:Audience>https://<MY_KIBANA_URL>:9243/</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2019-10-07T14:31:18.000Z" SessionIndex="sessionID"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion></saml2p:Response>

Any ideas on what the issue could be?

Hi Brad

The error message you get is covered in our common SAML troubleshooting guide (see point 4). It tells you to basically look at the logs, as there will be something pointing to the error there.

You are not sharing your logs, but the configuration error is easy to spot in this case.

You have set

attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

which means that you configure Elasticsearch to expect a SAML Attribute with the name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress in the SAML Assertion. As you can see in the SAML Response you have posted, there is no such SAML Attribute sent by Google's IDP. As a matter of fact, your IDP doesn't send any attributes, but only a NameID, so you need to change your configuration to

attributes.principal: nameid

Also please note that you have configured

attributes.groups: "groups"

but Google's IDP doesn't send any SAML Attribute with the name "groups", so nothing will be mapped to the groups user property in Elasticsearch and you won't be able to use any group-based role mappings.
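An offline check for exactly this kind of mismatch, added here as an example and not part of the thread or of Elasticsearch itself: it lists the NameID and the attribute names an IdP actually released in a decoded SAML Response and compares them with a realm's attributes.* settings. Both XML samples are constructed (signature and conditions omitted), and the parser does not validate signatures, so this is a diagnostic aid, not a validator.

```python
import xml.etree.ElementTree as ET

NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample shaped like the Google response quoted above (already
# base64-decoded, signature and conditions omitted): a NameID, no attributes.
GOOGLE_LIKE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Assertion><saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">myusername@example.com</saml2:NameID>
  </saml2:Subject></saml2:Assertion></saml2p:Response>"""

# Constructed sample from a hypothetical IdP that does release named attributes.
WITH_ATTRS = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><saml2:Assertion>
  <saml2:Subject><saml2:NameID>u1</saml2:NameID></saml2:Subject><saml2:AttributeStatement>
  <saml2:Attribute Name="groups"><saml2:AttributeValue>admins</saml2:AttributeValue>
  <saml2:AttributeValue>devs</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement></saml2:Assertion></saml2p:Response>"""


def released_attributes(response_xml):
    """Map attribute Name -> list of values from the assertion's AttributeStatement,
    plus the special key 'nameid' (what Elasticsearch's attributes.principal: nameid
    refers to) when a Subject/NameID is present."""
    root = ET.fromstring(response_xml)
    found = {}
    for nid in root.iterfind(".//saml2:Subject/saml2:NameID", NS):
        found.setdefault("nameid", []).append((nid.text or "").strip())
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml2:AttributeValue", NS)]
        found[attr.get("Name")] = values
    return found


def check_realm_mapping(realm_attributes, response_xml):
    """Compare each attributes.<key> setting of the realm against what the IdP
    released; returns {key: 'ok' | 'missing: <configured name>'}."""
    released = released_attributes(response_xml)
    return {key: ("ok" if name in released else f"missing: {name}")
            for key, name in realm_attributes.items()}


# The poster's original settings and the corrected principal from the answer.
REALM_BEFORE = {"principal": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                "groups": "groups"}
REALM_AFTER = {"principal": "nameid", "groups": "groups"}
```

Running check_realm_mapping(REALM_AFTER, GOOGLE_LIKE) reports principal as ok and groups as missing, which is the outcome the answer above describes.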

Awesome!

attributes.principal: nameid

worked, thank you. One other question: it looks like Google SAML doesn't have a full name attribute, only first and last name. Is there a way to combine those attributes for attributes.name?

Hi,

No, unfortunately we don't offer any feature that would allow you to post-process released attributes.