Kibana SAML authentication error

I'm using elastic cloud and I followed the link tutorial below to enable SAML authentication on Kibana, but I'm having a problem.

Documentation I have followed: https://www.elastic.co/guide/en/cloud/current/ec-securing-clusters-SAML.html

Error that I am receiving after I log in to the IdP and am redirected back to my_host_kibana/api/security/v1/saml

{clue: admin / xpack / security / saml / authenticate} [action_code: 401, "error": "Unauthorized", "message": "[security_exception] unable to authenticate user [<unauthenticated-saml- \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n \ n \ security \\\ "charset = \\\" UTF-8 \\\ "\"}}} "}

Elasticsearch configuration

xpack:
    security:
        authc:
            realms:
                cloud-saml:
                    type: saml
                    order: 2
                    attributes.principal: "nameid:persistent"
                    attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
                    idp.metadata.path: "https://login.microsoftonline.com/4a39dff3-ff09-440b-b47b-8c603416bfce/federationmetadata/2007-06/federationmetadata.xml?appid=bdf10ffb-849e-4fd4-8038-335ed137c0aa"
                    idp.entity_id: "https://sts.windows.net/4a39dff3-ff09-440b-b47b-8c603416bfce/"
                    sp.entity_id: "https://8b64c0c41ede48bc9e907a5279089109.us-east-1.aws.found.io:9243"
                    sp.acs: "https://8b64c0c41ede48bc9e907a5279089109.us-east-1.aws.found.io:9243/api/security/v1/saml"
                    sp.logout: "https://8b64c0c41ede48bc9e907a5279089109.us-east-1.aws.found.io:9243/logout"

Setting up kibana

xpack.security.authProviders: [saml]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.public:
    protocol: https
    hostname: 8b64c0c41ede48bc9e907a5279089109.us-east-1.aws.found.io
    port: 9243

From what I saw the problem is with

attributes.principal: "nameid:persistent"

If I remove `:persistent`, keeping only `nameid`, it works. Maybe I need to make some adjustment on the IdP side so that it accepts the persistent format, but I have no idea where yet; if anyone can shed some light, I'd appreciate it.

Hey @leobaiano, when you're seeing unable to authenticate user in Kibana, per the SAML troubleshooting guide it's because:

This error indicates that Elasticsearch failed to process the incoming SAML authentication message. Since the message can’t be processed, Elasticsearch is not aware of who the to-be authenticated user is and the placeholder is used instead. To diagnose the actual problem, you must check the Elasticsearch logs for further details.

It is very possible that your attributes.principal is configured incorrectly. It all really depends on the IdP for what should be specified here, per: Configure Elasticsearch for SAML authentication | Elasticsearch Guide [7.1] | Elastic. I'd suggest checking your Elasticsearch logs before going down this path though.

Many thanks for the feedback. I did not set the attributes and kept `nameid` for the principal because it is the default. As I'm working on a PoC I'll keep it that way for the moment; the idea is just to see if the solution we plan meets the needs, and if so we will go into the details and more advanced settings.

Thank you very much.


We also explain about nameid and nameid:persistent in https://www.elastic.co/guide/en/elastic-stack-overview/7.1/saml-guide-authentication.html#_special_attribute_names , hope this is helpful
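To see concretely why `nameid` works while `nameid:persistent` does not, it helps to look at the `NameID` element the IdP actually puts in the SAML response. The script below is an added example for this thread, not code from Elastic or from the posters: it decodes a `SAMLResponse` as captured from the browser's form post, reads the `NameID` value and its `Format`, and mimics how the `attributes.principal` setting selects a principal (`nameid` takes the value regardless of format, `nameid:persistent` only when the format is `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`, and any other setting is treated as an attribute name, as with the groups claim above). The two SAML responses embedded in it are constructed for the example; the function names are my own.

```python
"""Inspect the NameID an IdP sends and check which attributes.principal setting would resolve it.
Added example; not part of the original thread. SAML responses below are constructed."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"


def decode_saml_response(b64_form_value):
    """The SAMLResponse form field posted to /api/security/v1/saml is base64-encoded XML."""
    return base64.b64decode(b64_form_value).decode("utf-8")


def parse_nameid(saml_response_xml):
    """Return (value, Format) of the assertion's Subject/NameID, or (None, None) if absent."""
    root = ET.fromstring(saml_response_xml)
    nameid = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None:
        return None, None
    return nameid.text, nameid.get("Format")


def parse_attribute(saml_response_xml, name):
    """Return all AttributeValue texts for the attribute called `name`."""
    root = ET.fromstring(saml_response_xml)
    values = root.findall(f".//saml:Attribute[@Name='{name}']/saml:AttributeValue", NS)
    return [v.text for v in values]


def resolve_principal(setting, saml_response_xml):
    """Mimic the documented behaviour of attributes.principal:
    'nameid'            -> NameID value whatever its Format
    'nameid:persistent' -> NameID value only if Format is the persistent format
    anything else       -> first value of the attribute with that Name
    Returns None when nothing matches (Elasticsearch then rejects the login)."""
    if setting == "nameid":
        return parse_nameid(saml_response_xml)[0]
    if setting == "nameid:persistent":
        value, fmt = parse_nameid(saml_response_xml)
        return value if fmt == PERSISTENT else None
    values = parse_attribute(saml_response_xml, setting)
    return values[0] if values else None


def sample_response(nameid_value, nameid_format):
    """Constructed minimal SAML response (unsigned, for illustration only)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="{nameid_format}">{nameid_value}</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{GROUPS_CLAIM}">
        <saml:AttributeValue>kibana-admins</saml:AttributeValue>
        <saml:AttributeValue>analysts</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed inputs: one IdP that issues a persistent NameID, one that issues a transient one.
RESPONSE_PERSISTENT = sample_response("user-7f3a", PERSISTENT)
RESPONSE_TRANSIENT = sample_response("_tmp-9c21", TRANSIENT)


def diagnose(b64_form_value):
    """Report what each principal setting would yield for a captured SAMLResponse."""
    xml = decode_saml_response(b64_form_value)
    value, fmt = parse_nameid(xml)
    return {
        "nameid_format": fmt,
        "nameid": resolve_principal("nameid", xml),
        "nameid:persistent": resolve_principal("nameid:persistent", xml),
        "groups": parse_attribute(xml, GROUPS_CLAIM),
    }


if __name__ == "__main__":
    for label, xml in (("persistent", RESPONSE_PERSISTENT), ("transient", RESPONSE_TRANSIENT)):
        encoded = base64.b64encode(xml.encode("utf-8")).decode("ascii")
        print(label, diagnose(encoded))
```

Feed `diagnose()` the `SAMLResponse` value from the browser's network capture of the POST to `/api/security/v1/saml`; if `nameid:persistent` comes back `None` while `nameid` returns a value, the IdP is not issuing the persistent format and the realm setting (or the IdP's NameID format) has to change.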

Thank you very much @ikakavas

I cannot find where to mark the topic as resolved.
