We have configured SAML for our Elasticsearch cluster running in Kubernetes.
When I hit the application URL, it redirects to the IDP login (IDMS), but after logging in it shows "you are not authorized to use this application".
xpack.security.authc.realms.saml1:   ### saml is for kibana
  type: saml
  order: 2                           ### order in which it appears in the realm chain
  idp.metadata.path: /usr/share/elasticsearch/config/saml/idp-metadata.xml
  idp.entity_id: "AppleSSO"
  sp.entity_id: "https://gbiobserver-events-dev.corp.apple.com"
  sp.acs: "https://gbiobserver-events-dev.corp.apple.com:443/api/security/v1/saml"
  sp.logout: "https://gbiobserver-events-dev.corp.apple.com:443/logout"
  attributes.principal: "nameid:persistent"
  attributes.groups: Groups
  encryption.key: /usr/share/elasticsearch/config/saml-cert/tls.key
  encryption.certificate: /usr/share/elasticsearch/config/saml-cert/tls.crt
We see that all configurations look correct in the IDMS configuration, but we are still getting the error while accessing. Looking forward to your assistance.
Then you need to fix the configuration in your IDP. This is not an issue with the Elastic Stack, nor something that can be solved by changing the Elasticsearch/Kibana configuration, but a missing configuration on your IDP side. Please contact your IDP administrator.
Hi Ioannis,
Now I am able to authenticate successfully via SAML, as I get the SAML Response successfully.
I have also created the role and mapping below. I get the error below in the browser when I open the Kibana link.
I referred to this in many of your posts related to this error but could not fix the issue.
{"message":"action [indices:data/read/search] is unauthorized for user [j_baskaran@domain.com]: [security_exception] action [indices:data/read/search] is unauthorized for user [j_baskaran@apple.com]","statusCode":403,"error":"Forbidden"}
Note: I am getting the same error when I use the built-in "kibana_user" role as well.
Also,
"field" : {
  "groups" : "20022489"
}
(tried with both the group name and the group id, as I get the group id from the SAML Response metadata)
I can only assume, since you share no other information, that your role mappings are wrong. Maybe your user is not in the group 20022489, or your IDP doesn't send that information in the SAML response message, or the SAML attribute they are using to convey this is not named Groups as your configuration assumes.
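To make that diagnosis concrete, here is an added example (not code from this thread, from Elasticsearch, or from the posters) that evaluates a role mapping's rules offline against the user model the SAML realm builds: `username` from `attributes.principal`, `groups` from the attribute named by `attributes.groups` (here `Groups`), and `realm.name` from the realm. It re-implements the documented rule semantics as I understand them (`field`, `any`, `all`, `except`; a list-valued user field matches if any of its values matches; `*` wildcards in rule values) so that each of the three failure causes above (user not in the group, IdP not sending the attribute, attribute named differently) shows up as an empty group list or a non-matching rule rather than a bare 403. The mapping name, the sample users and the example.com domain are constructed for illustration; the group id 20022489 is the one from the thread.

```python
"""Evaluate Elasticsearch role-mapping rules against a SAML user (added example)."""
import re
from typing import Any


def saml_user_model(username: str, groups: list[str], realm: str = "saml1") -> dict:
    """Constructed shape of the user that role mapping sees after a SAML login.
    An empty groups list is what you get when the IdP omits the attribute or
    attributes.groups names an attribute that is not in the response."""
    return {"username": username, "groups": list(groups), "realm": {"name": realm}}


def _lookup(user: dict, dotted: str) -> Any:
    """Resolve a dotted field name such as 'realm.name'; None if absent."""
    cur: Any = user
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _value_matches(pattern: Any, value: Any) -> bool:
    """Exact match, or '*' wildcard match when the pattern is a string containing '*'."""
    if isinstance(pattern, str) and "*" in pattern:
        regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        return isinstance(value, str) and re.match(regex, value) is not None
    return pattern == value


def _field_matches(user: dict, field: str, expected: Any) -> bool:
    """A field rule matches if any rule value matches any of the user's values."""
    actual = _lookup(user, field)
    patterns = expected if isinstance(expected, list) else [expected]
    values = actual if isinstance(actual, list) else [actual]
    return any(_value_matches(p, v) for p in patterns for v in values)


def rule_matches(user: dict, rule: dict) -> bool:
    """Recursive evaluation of one rule object from a role mapping."""
    if "field" in rule:
        (field, expected), = rule["field"].items()
        return _field_matches(user, field, expected)
    if "any" in rule:
        return any(rule_matches(user, r) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(user, r) for r in rule["all"])
    if "except" in rule:
        return not rule_matches(user, rule["except"])
    raise ValueError(f"unsupported rule: {rule!r}")


def effective_roles(user: dict, mappings: dict[str, dict]) -> set[str]:
    """Union of roles from every enabled mapping whose rules match the user."""
    roles: set[str] = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(user, mapping["rules"]):
            roles.update(mapping["roles"])
    return roles


def explain(user: dict, rule: dict, depth: int = 0) -> list[str]:
    """Trace of which sub-rules matched, to find the cause of a 403."""
    pad = "  " * depth
    if "field" in rule:
        (field, expected), = rule["field"].items()
        ok = _field_matches(user, field, expected)
        return [f"{pad}field {field} == {expected!r}: {'match' if ok else 'NO MATCH'} "
                f"(user has {_lookup(user, field)!r})"]
    key = next(k for k in ("any", "all", "except") if k in rule)
    lines = [f"{pad}{key}: {'match' if rule_matches(user, rule) else 'NO MATCH'}"]
    subrules = [rule[key]] if key == "except" else rule[key]
    for sub in subrules:
        lines.extend(explain(user, sub, depth + 1))
    return lines


# Constructed mapping mirroring the thread: kibana_user for members of group
# 20022489 who authenticated through the saml1 realm (the realm check keeps the
# mapping from applying to same-named users in other realms).
MAPPINGS = {
    "saml-kibana-users": {
        "enabled": True,
        "roles": ["kibana_user"],
        "rules": {"all": [
            {"field": {"realm.name": "saml1"}},
            {"field": {"groups": "20022489"}},
        ]},
    }
}

if __name__ == "__main__":
    # Constructed users: one in the group, one not (the situation in the thread).
    member = saml_user_model("j_baskaran@example.com", ["20022489", "10000001"])
    outsider = saml_user_model("j_baskaran@example.com", ["10000001"])
    for u in (member, outsider):
        print(u["groups"], "->", sorted(effective_roles(u, MAPPINGS)))
        print("\n".join(explain(u, MAPPINGS["saml-kibana-users"]["rules"])))
```

Run it with the groups copied from the IdP's actual SAML response (the value of the attribute named in `attributes.groups`, not the group's display name if the IdP sends ids) and the `explain` trace points at the exact clause that failed; on a live cluster the same inputs can be confirmed with the `_security/_authenticate` API, which reports the user's resolved roles.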
Hi Ioannis,
I was able to resolve the issue. Actually, I was not part of the group in the UAT environment.
Now I have been added there and am able to log in to Kibana. Thanks for your assistance.