Kibana login page shows "authenticity_token is not allowed" when enabling SAML login

Hi,

I met an error after enabling the SSO function when I log in to Kibana.
The Kibana login page shows the error message below, and I don't know how to fix it.

{"statusCode":400,"error":"Bad Request","message":"\"utf8\" is not allowed. \"authenticity_token\" is not allowed","validation":{"source":"payload","keys":["utf8","authenticity_token"]}}

Could you provide the steps you've used to enable SSO in Kibana? Did you have any sort of security prior to SSO?

@lukas
Below are my steps:

  1. use "bin/elasticsearch-certutil cert ca --pem --in ~/tmp/cert_blog/instance.yml --out ~/tmp/cert_blog/certs2.zip" to generate the certs.
  2. then enable the elasticsearch.yml HTTPS attributes (2-node cluster):

node.name: node1
network.host: node1.elastic.test.com
xpack.ssl.key: certs/node1.key
xpack.ssl.certificate: certs/node1.crt
xpack.ssl.certificate_authorities: certs/ca.crt
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/node1.key
xpack.security.http.ssl.certificate: certs/node1.crt
xpack.security.http.ssl.certificate_authorities: certs/ca.crt
discovery.zen.ping.unicast.hosts: [ 'node1.elastic.test.com', 'node2.elastic.test.com']
node.max_local_storage_nodes: 2
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.saml1:
  type: saml
  order: 2
  idp.metadata.path: saml/metadata.xml
  idp.entity_id: "*********.com"
  sp.entity_id: "https://*.*.*.*:5601"
  sp.acs: "https://*.*.*.*:5601/api/security/v1/saml"
  sp.logout: "https://*.*.*.*:5601/logout"
  attributes.principal: "nameid:persistent"
  attributes.groups: "roles"

  3. enable the kibana.yml attributes:

server.port: 5601
xpack.security.enabled: true
server.name: "my-kibana"
server.host: "*.*.*.*"
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/config/certs/my-kibana.crt
server.ssl.key: /etc/kibana/config/certs/my-kibana.key
elasticsearch.url: "https://node1.elastic.test.com:9200"
elasticsearch.username: "kibana"
elasticsearch.password: "*****"
elasticsearch.ssl.verificationMode: certificate
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/config/certs/ca.crt" ]
logging.dest: /var/log/kibana.log
xpack.security.authProviders: [saml, basic]
server.xsrf.whitelist: [/api/security/v1/saml]

Other steps:
Upload the IdP metadata XML file to the ES cluster and upload the SP metadata XML file to the IdP.

Result:
When I access the URL "https://*.*.*.*:5601", it redirects to the IdP server, but after I enter my email address and password, the Kibana login page shows the above error message.

Version: 6.7.0 trial license

Many thanks!

Your IdP sends two unrecognized parameters (utf8 and authenticity_token) that the Kibana SAML callback rejects. Is there a way to configure the IdP not to send these parameters?
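To make the failure concrete, here is an added example (not Kibana's or SAP IAS's own code) in JavaScript: a strict allow-list validator that reproduces the error shape quoted in this thread, and a filter that a reverse proxy in front of Kibana could apply so only the SAML fields reach /api/security/v1/saml. It assumes SAMLResponse and RelayState are the only fields the callback accepts, and the sample POST body is constructed.

```javascript
// Added example, not Kibana code. URLSearchParams is a Node/browser global.

// Assumed allow-list for the Kibana SAML callback (ACS) form body.
const ALLOWED_ACS_FIELDS = ['SAMLResponse', 'RelayState'];

// Strict validation in the spirit of the callback's schema: every key outside
// the allow-list is rejected, and the message lists each offender in the form
// seen on this page ('"utf8" is not allowed. "authenticity_token" is not allowed').
function validateAcsPayload(body) {
  const params = new URLSearchParams(body);
  if (!params.has('SAMLResponse')) {
    return { ok: false, statusCode: 400, message: '"SAMLResponse" is required', keys: ['SAMLResponse'] };
  }
  const unknown = [...new Set(params.keys())].filter((k) => !ALLOWED_ACS_FIELDS.includes(k));
  if (unknown.length > 0) {
    return {
      ok: false,
      statusCode: 400,
      message: unknown.map((k) => `"${k}" is not allowed`).join('. '),
      keys: unknown,
    };
  }
  return { ok: true, statusCode: 200, keys: [] };
}

// Mitigation at a proxy: keep only the allow-listed fields and drop the rest.
// Values are copied unchanged, so the signed SAMLResponse is not altered and
// Elasticsearch's signature check still passes.
function filterAcsPayload(body) {
  const params = new URLSearchParams(body);
  const clean = new URLSearchParams();
  for (const k of ALLOWED_ACS_FIELDS) {
    if (params.has(k)) clean.set(k, params.get(k));
  }
  return clean.toString();
}

// Constructed sample of the IdP's POST body with the two extra form fields
// from this thread; the real SAMLResponse is a large base64 blob, so a short
// placeholder (base64 of "<samlp:Response/>") stands in for it here.
const SAMPLE_IDP_POST =
  'utf8=%E2%9C%93&authenticity_token=abc123&SAMLResponse=PHNhbWxwOlJlc3BvbnNlLz4%3D&RelayState=%2Fapp%2Fkibana';
```

Run validateAcsPayload on the raw body to see the 400, then on filterAcsPayload's output to see it pass.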

@matw thanks for your help.
I didn't find a way to configure these parameters.

I picked out the Kibana server log:

{
"type": "response",
"@timestamp": "2019-10-21T03:23:16Z",
"tags": [],
"pid": 8044,
"method": "post",
"statusCode": 400,
"req": {
"url": "/api/security/v1/saml",
"method": "post",
"headers": {
"host": "ip:5601",
"connection": "keep-alive",
"content-length": "6940",
"cache-control": "max-age=0",
"origin": "https://idp-server",
"upgrade-insecure-requests": "1",
"content-type": "application/x-www-form-urlencoded",
"user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",
"sec-fetch-mode": "navigate",
"accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3",
"sec-fetch-site": "cross-site",
"referer": "https://idp-server/saml2/idp/sso/idp-server?SAMLRequest=hVLLTuMwFP0Vy%2FvEj6SQWE1RhwpRCWYqGljMZnTjmMFSYgdfpwx%2FP6GPEbMpW%2Fu8dM6dX%2F3pO7IzAa13FRUpp8Q47Vvrflf0sb5JCnq1mCP0nRzUcowv7sG8jgYjmYgO1eGnomNwygNaVA56gypqtV3e3ymZcjUEH732HSVLRBPiZHXtHY69CVsTdlabx4e7ir7EOKBiLL9MBc9SyWUqylLNLrhgMFiGRo%2FBxne2E%2BzDlpLVlMM6iPvsJzp0Vnd%2BbFPQ2o8uYupda3pwbap9v2dKZtuBIfovwJSsVxX91UpeZAAGCg5Fw6HVQpdl0V5mRkDemOZCQjbLmgmOOJq1wwguVlRyUSaCJ1LUPFNSqnyW5nn%2Bk5LNsZFv1h2aPldfcwChuq3rTbL5sa0peTotNgHocR%2B1dw%2BfhzkvDKc16OJM93P2Wf3fLXyf5NarjZ8KfCfLrvNv18FANBV9hg4NJTc%2B9BDPJ%2Fh4sW3yvIeqGMChNS5Stji6%2Fn9zi78%3D",
"accept-encoding": "gzip, deflate, br",
"accept-language": "en-US,en;q=0.9"
},
"remoteAddress": "*.*.*.*",
"userAgent": "*.*.*.*",
"referer": "https://idp-server/saml2/idp/sso/idp-server?SAMLRequest=hVLLTuMwFP0Vy%2FvEj6SQWE1RhwpRCWYqGljMZnTjmMFSYgdfpwx%2FP6GPEbMpW%2Fu8dM6dX%2F3pO7IzAa13FRUpp8Q47Vvrflf0sb5JCnq1mCP0nRzUcowv7sG8jgYjmYgO1eGnomNwygNaVA56gypqtV3e3ymZcjUEH732HSVLRBPiZHXtHY69CVsTdlabx4e7ir7EOKBiLL9MBc9SyWUqylLNLrhgMFiGRo%2FBxne2E%2BzDlpLVlMM6iPvsJzp0Vnd%2BbFPQ2o8uYupda3pwbap9v2dKZtuBIfovwJSsVxX91UpeZAAGCg5Fw6HVQpdl0V5mRkDemOZCQjbLmgmOOJq1wwguVlRyUSaCJ1LUPFNSqnyW5nn%2Bk5LNsZFv1h2aPldfcwChuq3rTbL5sa0peTotNgHocR%2B1dw%2BfhzkvDKc16OJM93P2Wf3fLXyf5NarjZ8KfCfLrvNv18FANBV9hg4NJTc%2B9BDPJ%2Fh4sW3yvIeqGMChNS5Stji6%2Fn9zi78%3D"
},
"res": {
"statusCode": 400,
"responseTime": 54,
"contentLength": 9
},
"message": "POST /api/security/v1/saml 400 54ms - 9.0B"
}

Status code 400 when calling "https://*.*.*.*/api/security/v1/saml"

What IdP do you use?

@matw

SAP IAS
