Kibana logout not working

Elango-mas · June 11, 2018, 2:37pm

Hi Experts,

I have Elasticsearch and kibana instances set for SSO with SAML realm setting.

#Elasticsearch.yml
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.saml1:
type: saml
order: 2
idp.metadata.path: saml/idp-metadata.xml
idp.entity_id: "https://vm00616.nui.com"
sp.entity_id: "https://ab304-1:5605/"
sp.acs: "https://ab304-1:5605/api/security/v1/saml"
#sp.logout: "https://ab304-1:5605/logout"
attributes.principal: "nameid:persistent"
#attributes.groups: "memberof"

#kibana.yml
xpack.security.authProviders: [saml]
server.xsrf.whitelist: [/api/security/v1/saml]

i am able to successfully login into kibana using SSO. But when I click logout button, it logs me in again.

I want the logout button to work or be hidden, share any pointer to do the same.

TimV · June 12, 2018, 3:58am

You have commented out the logout setting in Elasticsearch.
What happens when you turn it on?

Elango-mas · June 12, 2018, 8:33am

The same happens when the logout setting is enabled. It logs me in again

ikakavas · June 12, 2018, 1:01pm

Hello,

With the sp.logout commented out you are hitting : https://github.com/elastic/kibana/issues/18128 and with the option enabled, you are hitting : https://github.com/elastic/kibana/issues/18366

Single Logout behavior and UX is notoriously tricky for SAML implementations. That said, we plan on making the SLO behavior better and you can track our progress in the two issues above. In the meantime you can try the following workaround:

Set force_authn to true in your SAML realm configuration. This will effectively mean that your users will be prompted for authentication every time they hit the Identity Provider with a SAML Authn Request and this will break the infinite login cycle.

Elango-mas · June 13, 2018, 5:22am

Thanks for the information.

I set force_authn to true but still the same happens. It automatically logs me in.

#elasticsearch.yml
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.saml1:
type: saml
order: 2
idp.metadata.path: saml/idp-metadata.xml
idp.entity_id: "https://vm00616.nui.com"
sp.entity_id: "https://ab304-1:5605/"
sp.acs: "https://ab304-1:5605/api/security/v1/saml"
sp.logout: "https://ab304-1:5605/logout"
attributes.principal: "nameid:persistent"
#attributes.groups: "memberof"
force_authn: true

Am I missing something?

ikakavas · June 13, 2018, 6:49am

Hi

Sorry, for the wrong case I used for force_authn, glad you figured that out, I 'll edit this in the original post.

It's either your Identity Provider that doesn't conform to the SAML Specification or something else entirely is going on since the beginning.

Which SAML IdP implementation are you using?
It would be of much help if you could capture and share with us the series of requests and responses from your browser in order to get a clear idea on what happens when you click 'Logout'. You can use
- The developer console on chrome/firefox , with the network tab and the persist logs option enabled.
- Any browser plugin of your choice
- A local proxy like burp, or mitmproxy

Elango-mas · June 14, 2018, 6:34am

Thank you!

ikakavas · June 14, 2018, 8:28am

You're welcome. I assume that you now get a behavior closer to what you want? What was the issue with force_authn after all ? Please share how your problem was solved ( assuming it is ) so that other people use this.

Elango-mas · June 14, 2018, 9:43am

Hi ikakavas,

We haven't resolved the issue yet, but trying to get things done. I will post the solution if it gets resolved.
The pictures are from the Chrome log as you have asked

I have a txt file with full detail on each log in the pictures, but i am not able to upload txt file. How to do?

Please go through and update you understanding!

ikakavas · June 14, 2018, 9:56am

Hi again,

It looks like your Identity Provider doesn't honor the force_authn we set in the SAML Request. If you look at

At this point you should get prompted for authentication from your IdP instead of returning back to Kibana. Can you share the details ( headers and body ) from these 3 requests ? (You can use the </> button to format it )

What is the IDP you are using ?

rshetty · June 26, 2018, 8:16am

Hi ikakavas,

I'm Elango's colleague. The IDP being used is Ping Fedrate.

ikakavas · June 26, 2018, 8:33am

Hi, thanks. PIng Identity should be honoring the forceAuthn=true in the SAML AuthnRequest. Do you also see the behavior of being reauthenticating back to Kibana?

Just to be clear, we are investigating if setting force_authn is acceptable to you as a workaround for breaking up the redirection and re-authentication loop until this behavior can be further enhanced in Kibana. What should happen if you enable force_authn is that when you click on logout in Kibana, you will end up on your authentication page in Ping Federate instead of being automatically redirected to Kibana and reauthenticated. (Note that if you do manually authenticate again in Ping Federate, you will also be redirected back to Kibana as authenticated user ).

system · July 24, 2018, 8:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logout button for kibana with backend saml realm Kibana	4	1932	August 20, 2019
SSO\SAML auth failure Kibana elastic-stack-security	6	670	July 9, 2019
Elastic Cloud SAML SSO in 'trial' environment Elasticsearch elastic-stack-security	15	845	March 23, 2023
Elasticsearch SAML2.0 and ADFS - Signature validation issue with single logout Elasticsearch elastic-stack-security	5	1341	August 30, 2019
Active Kibana session error with SAML implemented when trying to login (Solved) Elasticsearch	1	924	April 2, 2019

Kibana logout not working

Related topics