Hello,
I am trying to set up Kibana authentication with Azure AD SSO and I am getting this error. What could be the cause of that error?
My server has a connection to login.microsoftonline.com and can fetch the federation XML.
Elasticsearch version is 8.11.
I followed the documentation and added the lines below to elasticsearch.yml. All setup on the Azure side is the same as in the documentation.
xpack.security.authc.realms.saml.kibana-realm:
  order: 2
  attributes.principal: nameid
  attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
  idp.metadata.path: "https://login.microsoftonline.com/36de9075-00fd-4382-bce5-f43274a4881e/federationmetadata/2007-06/federationmetadata.xml?appid=c71909a2-2791-4271-88c2-0ad7e359823d"
  idp.entity_id: "https://sts.windows.net/36de9075-00fd-4382-bce5-f43274a4881e"
  sp.entity_id: "https://xxxxxxx"
  sp.acs: "https://xxxxxxx/api/security/saml/callback"
  sp.logout: "https://xxxxxxx/logout"
{"statusCode":500,"error":"Internal Server Error","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: Cannot get role descriptors [type/name={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor] because the metadata [location=https://login.microsoftonline.com/36de9075-00fd-4382-bce5-f43274a4881e/federationmetadata/2007-06/federationmetadata.xml?appid=c71909a2-2791-4271-88c2-0ad7e359823d] for SAML entity [id=https://sts.windows.net/36de9075-00fd-4382-bce5-f43274a4881e] could not be resolved]: Cannot get role descriptors [type/name={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor] because the metadata [location=https://login.microsoftonline.com/36de9075-00fd-4382-bce5-f43274a4881e/federationmetadata/2007-06/federationmetadata.xml?appid=c71909a2-2791-4271-88c2-0ad7e359823d] for SAML entity [id=https://sts.windows.net/36de9075-00fd-4382-bce5-f43274a4881e] could not be resolved"}
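The error above says the realm could not resolve an IDPSSODescriptor for the configured idp.entity_id inside the fetched metadata. The following is an added diagnostic (my own example, not Elastic or Azure code) that parses a federation metadata document and reports which entityID values it declares, whether the configured idp.entity_id matches one of them exactly, and whether that entity carries an IDPSSODescriptor; the embedded XML is a constructed sample in the shape of Azure AD metadata with a placeholder tenant id, and the entity-id comparison is assumed to be an exact string match, so a difference as small as a trailing slash shows up as no match.

```python
import sys
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed sample shaped like Azure AD federation metadata (not a real download).
# TENANT-ID-PLACEHOLDER stands in for a tenant id; note the trailing slash on entityID.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def check_idp_metadata(xml_text, expected_entity_id):
    """Compare the configured idp.entity_id against the metadata document.

    Returns the entityIDs found, whether one of them equals expected_entity_id
    byte-for-byte, and whether that entity has an IDPSSODescriptor child
    (the element named in the Elasticsearch error).
    """
    root = ET.fromstring(xml_text)
    # iter() includes the root itself, so this handles both a bare
    # EntityDescriptor and an EntitiesDescriptor wrapping several of them.
    descriptors = {e.get("entityID"): e for e in root.iter(MD + "EntityDescriptor")}
    entity = descriptors.get(expected_entity_id)
    has_idpsso = entity is not None and entity.find(MD + "IDPSSODescriptor") is not None
    return {
        "entity_ids": sorted(i for i in descriptors if i),
        "matched": entity is not None,
        "has_idpsso": has_idpsso,
    }


if __name__ == "__main__":
    # Usage: python check_metadata.py <metadata.xml> <idp.entity_id>
    # Without arguments it runs against the constructed sample above.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text, expected = fh.read(), sys.argv[2]
    else:
        text, expected = SAMPLE_METADATA, "https://sts.windows.net/TENANT-ID-PLACEHOLDER"
    result = check_idp_metadata(text, expected)
    print(f"configured idp.entity_id : {expected}")
    print(f"entityIDs in metadata    : {result['entity_ids']}")
    print(f"exact match              : {result['matched']}")
    print(f"IDPSSODescriptor present : {result['has_idpsso']}")
```

Run it against the XML you fetched from the idp.metadata.path URL and the idp.entity_id from elasticsearch.yml; if `exact match` is False, the value printed under `entityIDs in metadata` is the string the realm expects.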