Issue connecting google saml with es stack

Hello,

I had been trying to get Kibana to work with SAML authentication, but with no luck.

[2018-08-16T21:54:02,824][WARN ][o.e.x.s.a.AuthenticationService] [ip-x-x-x-x-ip-x-x-x-x.ec2.internal] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[Conditions [https://accounts.google.com/o/sa...] do not match required audience [https://kibana6.qa.internal:80/]])

Thanks,
Ashok

Here are my settings:

Kibana Config

```yaml
server.port: 80
server.host: "0.0.0.0"

elasticsearch.username: kibana
elasticsearch.password: <*******>

xpack.security.authProviders: [saml,basic]
server.xsrf.whitelist: [/api/security/v1/saml]

server.ssl.enabled: true
server.ssl.key: /pathtokey
server.ssl.certificate: /path to cert

elasticsearch.ssl.verificationMode: certificate
elasticsearch.ssl.certificateAuthorities: /pathtocertificatepem file
xpack.security.encryptionKey: "************"
```

ES Config

```yaml
bootstrap.memory_lock: true
cluster.name: es_qa_std

discovery.ec2.tag.designation: std
discovery.ec2.tag.environment: qa
discovery.ec2.tag.role: elasticsearch6
discovery.zen.hosts_provider: ec2

network.host: x.x.x.x
node.name: ip-x-x-x-x.ec2.internal
path.data: "/mnt/elasticsearch/ip-x-x-x-x.ec2.internal_data/ip-x-x-x-x.ec2.internal"
path.logs: "/var/log/elasticsearch/ip-x-x-x-x.ec2.interna"
node.max_local_storage_nodes: 2

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.certificate: es1.crt
xpack.security.transport.ssl.key: es1.key
xpack.security.transport.ssl.certificate_authorities: ca.crt

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.certificate: es1.crt
xpack.security.http.ssl.key: es1.key
xpack.security.http.ssl.certificate_authorities: ca.crt

xpack.security.authc.realms.native1:
  type: native
  order: 0

xpack.security.authc.realms.saml1:
  type: saml
  order: 1
  idp.metadata.path: saml/idp-metadata.xml
  idp.entity_id: "https://accounts.google.com/o/saml2?idpid=xxxxxxx"
  sp.entity_id: "https://kibana6.qa.internal:80/"
  sp.acs: "https://kibana6.qa.internal:80/api/security/v1/saml"
  sp.logout: "https://kibana6.qa.internal:80/logout"
  attributes.principal: "nameid:persistent"
```

Please use the </> button for preformatted text when adding configuration and log snippets as it really helps readability.

It looks like the Identity Provider is sending a wrong value in the Audience element of <AudienceRestriction> in the Conditions of the SAML Assertion, so I assume you have set the wrong value when configuring your managed Google account for SSO.
This should be the EntityID of the Elastic Stack SAML SP ( that is https://kibana6.qa.internal:80 according to your configuration ) and not a URL pointing to Google ( as it looks like now ).

Take a look at Set up your own custom SAML app - Google Workspace Admin Help. In Set up your own custom SAML app step 8, make sure you enter the correct values for ACS URL ( it should match sp.acs of your SAML Realm configuration ) and Entity ID ( it should match sp.entity_id of your SAML Realm configuration ).

Thanks for the suggestion @ikakavas.

Now I am getting this error.

[2018-08-17T16:14:36,475][WARN ][o.e.x.s.a.AuthenticationService] [ip-x-x-x-x-ip-x-x-x-x.ec2.internal] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[Conditions [https://kibana6.qa.interna...] do not match required audience [https://kibana6.qa.internal:80/]])

Still the same issue. You set something as a value in Entity ID in your Google SAML Configuration that is not the same as what you set as sp.entity_id in your SAML realm in Elasticsearch.

These look like URLs but are matched as strings, so trailing slashes, added ( default ) port numbers make a difference. The two values need to be exactly the same.

Thanks @ikakavas. The above issue is resolved. Now I am trying to set up the attributes in the IdP. We are using Google G Suite.

And in my Elasticsearch config, I am using attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

This is what I am seeing now: [2018-08-17T18:03:37,609][WARN ][o.e.x.s.a.AuthenticationService] [ip-x-x-x-x-ip-x-x-x-x.ec2.internal] Authentication to realm saml1 failed - SAML Attribute [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress] for [attributes.principal] not found in [principal=[ashok@mycompany.com]]

Hello,

It's working now after replacing the principal in the Google IdP with urn:oid:0.9.2342.19200300.100.1.1

Thanks,
Ashok
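The two failures in this thread (audience compared as an exact string against sp.entity_id, and the principal attribute name not present in the assertion) can both be spotted by reading the assertion the IdP actually sent. The script below is an added example, not code from the thread or from Elasticsearch: it parses a constructed sample assertion (no real Google response, no signature) and reports the Audience values, the Attribute names and whether they match a given realm configuration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real Google response). Only the parts the
# SAML realm checks in this thread are included: Conditions/AudienceRestriction,
# the NameID, and one Attribute named as in the final working configuration.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2018-08-17T18:00:00Z">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=xxxxxxx</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">ashok@mycompany.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://kibana6.qa.internal:80</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1">
      <saml:AttributeValue>ashok@mycompany.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, sp_entity_id, principal_attr):
    """Diagnostic only: read what the assertion carries and compare it with the
    realm settings. It does not verify the XML signature, so it tells you why
    the realm rejects a response, not whether the response can be trusted."""
    root = ET.fromstring(xml_text)
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    attr_names = [a.get("Name") for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)]
    nameid = root.find("./saml:Subject/saml:NameID", NS)
    return {
        "audiences": audiences,
        # Matched byte-for-byte: a trailing slash or an explicit ":80" breaks it.
        "audience_ok": sp_entity_id in audiences,
        "attribute_names": attr_names,
        "principal_ok": principal_attr in attr_names,
        "nameid_format": nameid.get("Format") if nameid is not None else None,
    }


if __name__ == "__main__":
    # The realm in the thread had a trailing slash that the IdP's Audience lacks.
    print(check_assertion(SAMPLE_ASSERTION, "https://kibana6.qa.internal:80/",
                          "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"))
```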

