GSuite SAML integration for ElasticCloud return 401

I am using ElasticCloud, version v6.5.4, and would like some help here...

What I want to do
Use GSuite and email as the Kibana login.

Following the post (https://www.elastic.co/guide/en/cloud/release-ms-14/ec-securing-clusters-SAML.html), I edited elasticsearch.yml and kibana.yml.

I added this config to elasticsearch.yml:

xpack:
  security:
    authc:
      realms:
        cloud-saml:
          type: saml
          order: 2
          attributes.principal: "urn:oid:0.9.2342.19200300.100.1.1"
          attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1."
          idp.metadata.path: "Gsuite meta xml file in AWS S3 Bucket with Public Access "
          idp.entity_id: "https://accounts.google.com/o/saml2?idpid=MYID"
          sp.entity_id: "https://MY_KIBANA_URL:9243/"
          sp.acs: "https://MY_KIBANA_URL:9243/api/security/v1/saml"
          sp.logout: "https://MY_KIBANA_URL:9243/logout"

I added this config to kibana.yml:

xpack.security.authProviders: [saml]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.public:
  protocol: https
  hostname: KIBANA_URL   # without https and port number
  port: 9243

Symptoms

  • Access the Kibana URL
  • Redirected to the Google login page
  • Redirected back to the Kibana URL
  • A 401 error appears, and no error appears in the ElasticCloud logs

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [] for action [cluster:admin/xpack/security/saml/authenticate],
with { header={ WWW-Authenticate={ 0="Bearer realm=\"security\"" & 1="Basic realm=\"security\" charset=\"UTF-8\"" } } } :: {"path":"/_xpack/security/saml/authenticate","query":{},"body":"{\"ids\":[\"_xxxxxxxxxxxxxxxx\"],\"content\":\"SOME_LONG_CONTENT\"}","statusCode":401,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"unable to authenticate user [] for action [cluster:admin/xpack/security/saml/authenticate]\",\"header\":{\"WWW-Authenticate\":[\"Bearer realm=\\\"security\\\"\",\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"]}}],\"type\":\"security_exception\",\"reason\":\"unable to authenticate user [] for action [cluster:admin/xpack/security/saml/authenticate]\",\"header\":{\"WWW-Authenticate\":[\"Bearer realm=\\\"security\\\"\",\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"]}},\"status\":401}","wwwAuthenticateDirective":"Bearer realm=security, Basic realm=\"security\" charset=\"UTF-8\""}"}

Hi,

The above error means that Elasticsearch can't validate or verify the response it gets from the SAML IdP. I would expect to see something regarding that in the Elasticsearch logs. Are you sure there is nothing in your logs under Deployment name -> Elasticsearch -> Logs?

Without seeing your logs, we can only guess based on previous experience, and the culprit seems to be the trailing slash in the configuration of the SP EntityID:

sp.entity_id: "https://MY_KIBANA_URL:9243/"

Check how you have configured the Entity ID field in the Service Provider details page in your GSuite configuration and make sure that either both have the trailing slash, or none has it.
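As an added illustration of the check described above (this is not code from the thread or from Elastic), the script below parses a constructed GSuite-style IdP metadata document and compares the realm's idp.entity_id, sp.entity_id and sp.acs against the values registered on the IdP side, reporting exact-string mismatches such as a trailing slash. All hostnames and IDs are placeholders.

```python
# Added example (not from the thread): compare an Elasticsearch SAML realm's
# settings against the IdP metadata and the SP details registered at the IdP,
# and report exact-string mismatches such as a trailing slash on the entity ID.
import xml.etree.ElementTree as ET

# Constructed sample IdP metadata, shaped like a GSuite export (placeholder values).
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=MYID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=MYID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed: the realm settings from elasticsearch.yml, flattened to key/value.
ES_REALM = {
    "idp.entity_id": "https://accounts.google.com/o/saml2?idpid=MYID",
    "sp.entity_id": "https://MY_KIBANA_URL:9243/",
    "sp.acs": "https://MY_KIBANA_URL:9243/api/security/v1/saml",
}

# Constructed: the Service Provider details as typed into the IdP admin console.
IDP_SIDE_SP = {
    "entity_id": "https://MY_KIBANA_URL:9243",   # note: no trailing slash
    "acs": "https://MY_KIBANA_URL:9243/api/security/v1/saml",
}


def check_saml_config(es_realm, idp_metadata_xml, idp_side_sp):
    """Return a list of human-readable mismatches; an empty list means all values agree."""
    problems = []
    root = ET.fromstring(idp_metadata_xml)
    meta_entity = root.get("entityID")
    if meta_entity != es_realm["idp.entity_id"]:
        problems.append(f"idp.entity_id {es_realm['idp.entity_id']!r} != metadata entityID {meta_entity!r}")
    # SAML compares entity IDs and ACS URLs as exact strings; a trailing slash makes a different value.
    for es_key, idp_key, label in (("sp.entity_id", "entity_id", "SP entity ID"),
                                   ("sp.acs", "acs", "ACS URL")):
        es_val, idp_val = es_realm[es_key], idp_side_sp[idp_key]
        if es_val != idp_val:
            hint = " (trailing-slash mismatch)" if es_val.rstrip("/") == idp_val.rstrip("/") else ""
            problems.append(f"{label}: Elasticsearch has {es_val!r}, IdP has {idp_val!r}{hint}")
    return problems


if __name__ == "__main__":
    for line in check_saml_config(ES_REALM, IDP_METADATA, IDP_SIDE_SP) or ["no mismatches found"]:
        print(line)
```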

Hi,

I do want to provide logs; the problem is that all my ElasticCloud logs show INFO level, not ERROR or WARN level, during my attempts to access Kibana (meaning when I access Kibana and get the 401, ElasticCloud does not show any related logs).
Or do you know what keyword I can try searching for in the logs?

And I double-checked: both elasticsearch.yml and the GSuite-side Entity ID are configured as
"https://MY_KIBANA_URL:9243/"; they both have the slash at the end.

Thanks

Anything with the word SAML would do.

If for some reason you can't access your logs from the cloud UI, then I think it might be best to contact your support engineer and let them know of the issue. Feel free to mention this thread when you contact them, and we can try and figure this out internally.
