I'm trying to get Kibana (on elastic.co) working with Azure SSO. I've followed numerous "guides" on this, and ADFS and setting up SSO in general, and just can't figure it out.
We're using elasticsearch 7.11.1, and getting this error when I try logging in using SSO
{"error":"no handler found for uri [/api/security/v1/saml] and method [POST]"}
If you point us to these numerous guides and tell us what didn't work for you, we'll do our best to make them better ( assuming you are talking about our documentation) !
We don't have docs specifically for Azure AD for now, but you can follow through this doc which is applicable to any SAML IDP.
In particular, it seems to be the case that you are using your Elasticsearch endpoint when constructing values for sp.acs, sp.entity_id and sp.logout, where you should be using your Kibana endpoint. Take a look at the doc, above, it should have more detail
After using the correct URLs I started getting a different message which appeared to be something to do with group membership - "You do not have permission to access the requested page"
I have two Azure AD security groups setup - Kibana-Admins & Kibana-Users
(I'm a member of "Kibana-Admins")
I have the following Kibana role_mapping (GET /_xpack/security/role_mapping)
The final step was to enable kibana logging and check what attributes were being passed through from Azure.
I realised that the group attribute was missing.
After re-configuring the EntApp claims (adding a new group claim and setting it to "Groups assigned to the application", with source attribute being "sAMAccountName") I was finally able to log in successfully.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.