Kibana logout not working


(Prince) #1

Hi Experts,

I have Elasticsearch and kibana instances set for SSO with SAML realm setting.

#Elasticsearch.yml
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.saml1:
  type: saml
  order: 2
  idp.metadata.path: saml/idp-metadata.xml
  idp.entity_id: "https://vm00616.nui.com"
  sp.entity_id: "https://ab304-1:5605/"
  sp.acs: "https://ab304-1:5605/api/security/v1/saml"
  #sp.logout: "https://ab304-1:5605/logout"
  attributes.principal: "nameid:persistent"
  #attributes.groups: "memberof"

#kibana.yml
xpack.security.authProviders: [saml]
server.xsrf.whitelist: [/api/security/v1/saml]

I am able to successfully log in to Kibana using SSO. But when I click the logout button, it logs me in again.

I want the logout button to work or be hidden; please share any pointer on how to do the same.


(Tim Vernum) #2

You have commented out the logout setting in Elasticsearch.
What happens when you turn it on?


(Prince) #3

The same happens when the logout setting is enabled. It logs me in again


(Ioannis Kakavas) #4

Hello,

With the sp.logout commented out you are hitting : https://github.com/elastic/kibana/issues/18128 and with the option enabled, you are hitting : https://github.com/elastic/kibana/issues/18366

Single Logout behavior and UX is notoriously tricky for SAML implementations. That said, we plan on making the SLO behavior better and you can track our progress in the two issues above. In the meantime you can try the following workaround:

Set force_authn to true in your SAML realm configuration. This will effectively mean that your users will be prompted for authentication every time they hit the Identity Provider with a SAML Authn Request and this will break the infinite login cycle.


(Prince) #5

Thanks for the information.

I set force_authn to true but still the same happens. It automatically logs me in.

#elasticsearch.yml
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.saml1:
  type: saml
  order: 2
  idp.metadata.path: saml/idp-metadata.xml
  idp.entity_id: "https://vm00616.nui.com"
  sp.entity_id: "https://ab304-1:5605/"
  sp.acs: "https://ab304-1:5605/api/security/v1/saml"
  sp.logout: "https://ab304-1:5605/logout"
  attributes.principal: "nameid:persistent"
  #attributes.groups: "memberof"
  force_authn: true

Am I missing something?


(Ioannis Kakavas) #6

Hi

Sorry for the wrong case I used for force_authn; glad you figured that out, I'll edit this in the original post.

It's either your Identity Provider that doesn't conform to the SAML Specification or something else entirely is going on since the beginning.

  • Which SAML IdP implementation are you using?
  • It would be of much help if you could capture and share with us the series of requests and responses from your browser in order to get a clear idea on what happens when you click 'Logout'. You can use
    • The developer console on Chrome/Firefox, with the network tab and the persist logs option enabled.
    • Any browser plugin of your choice
    • A local proxy like burp, or mitmproxy

(Prince) #7

Thank you!


(Ioannis Kakavas) #8

You're welcome. I assume that you now get a behavior closer to what you want? What was the issue with force_authn after all? Please share how your problem was solved (assuming it is) so that other people can use this.


(Prince) #9

Hi ikakavas,

We haven't resolved the issue yet, but trying to get things done. I will post the solution if it gets resolved.
The pictures are from the Chrome log as you have asked.

I have a txt file with full detail on each log in the pictures, but I am not able to upload a txt file. How to do?

Please go through and update your understanding!


(Ioannis Kakavas) #10

Hi again,

It looks like your Identity Provider doesn't honor the force_authn we set in the SAML Request. If you look at

At this point you should get prompted for authentication from your IdP instead of returning back to Kibana. Can you share the details (headers and body) from these 3 requests? (You can use the </> button to format it.)

What is the IdP you are using?
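When checking whether the IdP honors force_authn, the first thing to verify from the captured network log is that the AuthnRequest Elasticsearch redirects the browser with actually carries ForceAuthn="true". The following is an added example (not code from this thread or from Elastic): it decodes a SAMLRequest from an HTTP-Redirect binding URL (raw DEFLATE, then base64, then URL-encoding) and inspects the attribute. The AuthnRequest and the IdP SSO URL are constructed samples that only reuse the entity IDs from the posted config.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample of what a force_authn: true realm would send.
# The SSO URL is a placeholder; only the entity IDs come from the thread.
IDP_SSO_URL = "https://vm00616.nui.com/idp/SSO.saml2"
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2018-05-01T10:00:00Z" ForceAuthn="true" '
    'Destination="https://vm00616.nui.com/idp/SSO.saml2" '
    'AssertionConsumerServiceURL="https://ab304-1:5605/api/security/v1/saml">'
    '<saml:Issuer>https://ab304-1:5605/</saml:Issuer></samlp:AuthnRequest>'
)


def encode_redirect_url(xml_text: str, sso_url: str) -> str:
    """Encode an AuthnRequest as the HTTP-Redirect binding does:
    raw DEFLATE (no zlib header) -> base64 -> URL-encoded SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return f"{sso_url}?SAMLRequest={quote(base64.b64encode(data).decode())}"


def decode_redirect_url(url: str) -> str:
    """Reverse the encoding for a URL copied from the browser's network tab."""
    qs = parse_qs(urlparse(url).query)  # parse_qs already URL-decodes
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")  # -15: raw DEFLATE


def forces_authn(xml_text: str) -> bool:
    """True when the AuthnRequest carries ForceAuthn="true" (or xsd "1")."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    return root.get("ForceAuthn", "false").strip().lower() in ("true", "1")


if __name__ == "__main__":
    # Round-trip the constructed request and report what the IdP receives.
    url = encode_redirect_url(SAMPLE_AUTHN_REQUEST, IDP_SSO_URL)
    print("ForceAuthn set:", forces_authn(decode_redirect_url(url)))
```

If the decoded request shows ForceAuthn="true" and the IdP still answers without prompting, the problem is on the IdP side; if the attribute is missing, the realm setting did not take effect.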


(R Shetty) #11

Hi ikakavas,

I'm Elango's colleague. The IdP being used is Ping Federate.


(Ioannis Kakavas) #12

Hi, thanks. Ping Identity should be honoring the forceAuthn=true in the SAML AuthnRequest. Do you also see the behavior of being reauthenticated back to Kibana?

Just to be clear, we are investigating if setting force_authn is acceptable to you as a workaround for breaking up the redirection and re-authentication loop until this behavior can be further enhanced in Kibana. What should happen if you enable force_authn is that when you click on logout in Kibana, you will end up on your authentication page in Ping Federate instead of being automatically redirected to Kibana and reauthenticated. (Note that if you do manually authenticate again in Ping Federate, you will also be redirected back to Kibana as an authenticated user.)


(system) #13

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.