Kibana and Azure SSO

Gerrard · March 16, 2021, 9:06am

I'm trying to get Kibana (on elastic.co) working with Azure SSO. I've followed numerous "guides" on this, and ADFS and setting up SSO in general, and just can't figure it out.
We're using elasticsearch 7.11.1, and getting this error when I try logging in using SSO

{"error":"no handler found for uri [/api/security/v1/saml] and method [POST]"}

Here's my elasticsearch.yml

xpack:
  security:
    authc:
      realms:
        saml: 
          saml-domain: 
            order: 2
            attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" 
            attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" 
            idp.metadata.path: "https://login.microsoftonline.com/bd846b68-132a-4a46-b1e7-d090e168c0a2/federationmetadata/2007-06/federationmetadata.xml?appid=3962977d-6a05-4ee3-baf7-454d6ecfbd87"
            idp.entity_id: "https://sts.windows.net/bd846b68-132a-4a46-b1e7-d090e168c0a2/"
            sp.entity_id: "https://72a36483719446dfbfc45d105071b697.eu-west-2.aws.cloud.es.io:9243/"
            sp.acs: "https://72a36483719446dfbfc45d105071b697.eu-west-2.aws.cloud.es.io:9243/api/security/v1/saml"
            sp.logout: "https://72a36483719446dfbfc45d105071b697.eu-west-2.aws.cloud.es.io:9243/logout"

and my kibana.yml

xpack.security.authc.providers:
  saml.saml1:
    order: 0
    realm: saml-domain
    description: "Log in with AzureSSO" 
  basic.basic1:
    order: 1
server.xsrf.whitelist: [/api/security/v1/saml]

ikakavas · March 16, 2021, 6:38pm

Hi there,

If you point us to these numerous guides and tell us what didn't work for you, we'll do our best to make them better ( assuming you are talking about our documentation) !

We don't have docs specifically for Azure AD for now, but you can follow through this doc which is applicable to any SAML IDP.

In particular, it seems to be the case that you are using your Elasticsearch endpoint when constructing values for sp.acs, sp.entity_id and sp.logout, where you should be using your Kibana endpoint. Take a look at the doc, above, it should have more detail

Gerrard · March 17, 2021, 2:09pm

Thanks, and this was a proper "Doh!" moment. The endpoint URLs are so similar I hadn't realised I was using the wrong one:
Elasticsearch: https://72a36483719446dfbfc45d105071b697...
Kibana: https://7deb637535ff454b8d62b7be9e89e7e7...

Articles I've tried:
Secure your clusters with SAML | Elasticsearch Service Documentation | Elastic

How to configure Elasticsearch SAML authentication with ADFS | Elastic Blog

SAML based Single Sign-On with Elasticsearch and Azure Active Directory | Elastic Blog

After using the correct URLs I started getting a different message which appeared to be something to do with group membership - "You do not have permission to access the requested page"

I have two Azure AD security groups setup - Kibana-Admins & Kibana-Users
(I'm a member of "Kibana-Admins")

I have the following Kibana role_mapping (GET /_xpack/security/role_mapping)

{
  "CLOUD_SAML_Kibana-Admins_TO_SUPERUSER" : {
    "enabled" : true,
    "roles" : [
      "superuser"
    ],
    "rules" : {
      "all" : [
        {
          "field" : {
            "realm.name" : "saml-domain"
          }
        },
        {
          "field" : {
            "groups" : "Kibana-Admins"
          }
        }
      ]
    },
    "metadata" : { }
  },
  "CLOUD_SAML_Kibana-Users_TO_Kibana_user" : {
    "enabled" : true,
    "roles" : [
      "kibana_user"
    ],
    "rules" : {
      "all" : [
        {
          "field" : {
            "realm.name" : "saml-domain"
          }
        },
        {
          "field" : {
            "groups" : "Kibana-Users"
          }
        }
      ]
    },
    "metadata" : { }
  },

The final step was to enable kibana logging and check what attributes were being passed through from Azure.
I realised that the group attribute was missing.
After re-configuring the EntApp claims (adding a new group claim and setting it to "Groups assigned to the application", with source attribute being "sAMAccountName") I was finally able to log in successfully.

Thank you.

system · April 14, 2021, 2:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana Azure AD SSO Authentication Kibana	2	360	January 3, 2024
Kibana SAML implementation issues Kibana	10	2588	October 10, 2018
Unable to enable saml for cloud deployment with Azure Kibana elastic-stack-security	6	329	January 11, 2023
ElasticSearch Error When Integrating with Azure AD for SSO Capabilities Elasticsearch elastic-stack-security	13	1631	April 18, 2019
Azure AD Kibana Kibana elastic-stack-security	2	435	December 2, 2019

Kibana and Azure SSO

Related topics