Kibana: not able to log in using SAML

We have configured SAML for our Elasticsearch cluster running in Kubernetes.
When I hit the application URL, it redirects to the IDP login (IDMS), but after logging in it shows "you are not authorized to use this application".

Below is the configuration in Kibana:

kibana

kibana.yml: |
  server:
    host: 0.0.0.0
  xpack.security.enabled: true
  server.ssl.enabled: true
  server.ssl.key: /usr/share/kibana/config/tls_server/key.pem
  server.ssl.certificate: /usr/share/kibana/config/tls_server/crt.pem
  xpack.security.public:
    protocol: https
    hostname: {hostname}
    port: 443
  elasticsearch.url: "https://es-coordinating.{namespace}.svc.lb.{ APC_CLUSTER_NAME}.applecloud.io:443"
  elasticsearch.username: elastic
  elasticsearch.password: *******
  elasticsearch.ssl.certificateAuthorities: /usr/share/kibana/config/tls_server/crt.pem

  xpack.monitoring.enabled: true
  xpack.monitoring.kibana.collection.enabled: true
  xpack.monitoring.ui.enabled: false
  logging.dest: /var/log/kibana.log
  xpack.security.authProviders: [saml]
  server.xsrf.whitelist: [/api/security/v1/saml]

Elasticsearch configuration:

xpack.security.authc.realms.saml1: ### saml is for kibana
  type: saml
  order: 2 ###  order in which it appears in the realm chain
  idp.metadata.path: /usr/share/elasticsearch/config/saml/idp-metadata.xml
  idp.entity_id: "AppleSSO"
  sp.entity_id: "https://gbiobserver-events-dev.corp.apple.com"
  sp.acs: "https://gbiobserver-events-dev.corp.apple.com:443/api/security/v1/saml"
  sp.logout: "https://gbiobserver-events-dev.corp.apple.com:443/logout"
  attributes.principal: "nameid:persistent"
  attributes.groups: Groups
  encryption.key: /usr/share/elasticsearch/config/saml-cert/tls.key
  encryption.certificate: /usr/share/elasticsearch/config/saml-cert/tls.crt

All configuration looks correct on the IDMS side, but we are still getting the error while accessing. Looking forward to your assistance.

We cover this exactly in our docs

Hi,
Thanks for your reply.
I already added the below mapping for SAML.

PUT /_security/role_mapping/saml-kibana
{
  "roles": [ "kibana_user" ],
  "enabled": true,
  "rules": { "all": [
    { "field": { "realm.name": "saml1" } },
    { "field": { "groups": "Group-name" } }
  ] }
}

What shows that? Is it Kibana or your IDP?

Error from the IDP, from the below link:
https://idmsac-uat.corp.apple.com/ssotokenverify

Please find attached screenshot for it.

Then you need to fix the configuration in your IDP. This is not an issue with the Elastic stack, nor something that can be solved by changing the Elasticsearch/Kibana configuration, but a missing configuration on your IDP side. Please contact your IDP administrator.

Ok. Thank you.
I will check and get back to you.

Hi Ioannis,
Now I am able to authenticate successfully via SAML, as I get the SAML Response successfully.
I have also created the below role and mapping. I get the below error in the browser when I open the Kibana link.
I referred to this in many of your posts related to this error but could not fix the issue.

{"message":"action [indices:data/read/search] is unauthorized for user [j_baskaran@domain.com]: [security_exception] action [indices:data/read/search] is unauthorized for user [j_baskaran@apple.com]","statusCode":403,"error":"Forbidden"}

Role:

{
  "saml-kibana-role" : {
    "cluster" : [
      "monitor"
    ],
    "indices" : [
      {
        "names" : [
          "*"
        ],
        "privileges" : [
          "read"
        ],
        "allow_restricted_indices" : false
      }
    ],
    "applications" : [ ],
    "run_as" : [
      "saml_user"
    ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

role_mapping:

{
  "saml-kibana" : {
    "enabled" : true,
    "roles" : [
      "saml-kibana-role"
    ],
    "rules" : {
      "all" : [
        {
          "field" : {
            "realm.name" : "saml1"
          }
        },
        {
          "field" : {
            "groups" : "20022489"
          }
        },
        {
          "field" : {
            "username" : "j_baskaran@apple.com"
          }
        }
      ]
    },
    "metadata" : { }
  }
}

Note: I am getting the same error when I use the built-in "kibana_user" role as well.
Also,
"field" : {
  "groups" : "20022489" => (tried with both the group name and the group ID, as I get the group ID from the SAML Response metadata)

Kindly check and advise.

I can only assume, since you share no other information, that your role mappings are wrong. Maybe your user is not in the group 20022489, or your IDP doesn't send that information in the SAML response message, or the SAML attribute they are using to convey this is not named Groups as your configuration assumes.

Please see here https://www.elastic.co/guide/en/elasticsearch/reference/current/trb-security-saml.html how to enable trace logging; the information that you see in these logs will hopefully help you understand which of the above is happening.
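To make the three failure modes above concrete, here is an added example (not code from the thread or from Elasticsearch) that evaluates the thread's role-mapping rules the way the `all`/`any`/`field` rule types work, against a constructed user record: a user missing from the group, or an IDP sending the attribute under a different name, yields no roles, and the diagnostic lists which sub-rule failed. The sample user and the `*` wildcard handling are assumptions made for the example.

```python
import re

# Constructed SAML user as Elasticsearch sees it; 'groups' is multi-valued like the SAML Groups attribute.
USER = {
    "realm.name": "saml1",
    "username": "j_baskaran@apple.com",
    "groups": ["20022489", "some-other-group"],
}

MAPPING = {  # the thread's saml-kibana mapping, reduced to what the evaluator needs
    "enabled": True,
    "roles": ["saml-kibana-role"],
    "rules": {"all": [
        {"field": {"realm.name": "saml1"}},
        {"field": {"groups": "20022489"}},
        {"field": {"username": "j_baskaran@apple.com"}},
    ]},
}

def wildcard_match(pattern, value):
    """String comparison where '*' in the expected value matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def field_matches(user, field, expected):
    """A 'field' rule holds when any value of the user's attribute (groups is
    multi-valued) equals any expected value; an absent attribute never matches."""
    actual = user.get(field)
    if actual is None:  # e.g. the IDP never sent Groups, or sent it under another name
        return False
    actual_values = actual if isinstance(actual, list) else [actual]
    expected_values = expected if isinstance(expected, list) else [expected]
    return any(wildcard_match(e, a) if isinstance(e, str) and isinstance(a, str) else a == e
               for a in actual_values for e in expected_values)

def evaluate(rule, user):
    """Evaluate one rule object: 'all' (every sub-rule), 'any' (at least one) or 'field'."""
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    ((field, expected),) = rule["field"].items()
    return field_matches(user, field, expected)

def mapped_roles(mapping, user):
    """Roles this mapping grants (empty when it is disabled or any rule fails)."""
    return list(mapping["roles"]) if mapping["enabled"] and evaluate(mapping["rules"], user) else []

def unmet_rules(mapping, user):
    """Diagnostic: the sub-rules of a top-level 'all' that did not match for this user."""
    return [r for r in mapping["rules"].get("all", []) if not evaluate(r, user)]
```

Running `unmet_rules` with a user whose group list lacks 20022489, or whose attribute arrived as `Groups` instead of `groups`, points at the failing `field` rule directly.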

Hi Ioannis,
I was able to resolve the issue. Actually, I was not part of the group in the UAT environment.
Now I have been added there and am able to log in to Kibana. Thanks for your assistance.
