Kibana SAML authentication issue

Hi,

I had been trying to get Kibana to work with SAML authentication, but to no avail.

Kibana Config

server.name: kibana
server.host: "0"

elasticsearch.url: https://192.168.99.100:9200
elasticsearch.username: elastic
elasticsearch.password: elastic

xpack.monitoring.ui.container.elasticsearch.enabled: true
xpack.monitoring.enabled: false
xpack.monitoring.elasticsearch.username: elastic
xpack.monitoring.elasticsearch.password: elastic
xpack.security.authProviders: [saml]
server.xsrf.whitelist: [/api/security/v1/saml]

server.ssl.enabled: true
server.ssl.key: /usr/share/keys/host.key
server.ssl.certificate: /usr/share/keys/host.cert

elasticsearch.ssl.verificationMode: certificate
elasticsearch.ssl.certificateAuthorities: [ "/usr/share/keys/certificate.pem" ]
xpack.security.encryptionKey: "something_at_least_32_characters_allrite_I_Will_Try"


Elastic Config

cluster.name: "docker-cluster"
network.host: 0.0.0.0

discovery.zen.minimum_master_nodes: 1
xpack.license.self_generated.type: trial

xpack.security.enabled: true

xpack.ssl.keystore.path: certs/elastic-certificates.p12
xpack.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true

xpack.security.authc.token.enabled: true
xpack.security.authc.realms.saml1:
  type: saml
  order: 2
  idp.metadata.path: "x-pack/elk-base-SAML-Auth0-IDP-metadata.xml"
  idp.entity_id: "urn:auth0:elk-base:SAML-Auth0-IDP"
  sp.entity_id: "https://192.168.99.100:5601"
  sp.acs: "https://192.168.99.100:5601/api/security/v1/saml"
  sp.logout: "https://192.168.99.100:5601/logout"
  attributes.principal: "nameid:persistent"
  attributes.groups: "roles"

xpack.security.authc.realms.native1:
  type: native
  order: 0

The error I am getting is:
kibana-x-pack | {"type":"log","@timestamp":"2018-02-12T07:02:36Z","tags":["info","authentication"],"pid":1,"message":"Authentication attempt failed: [security_exception] Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://0:5601/api/security/v1/saml}]"}

I followed the documentation but am stuck here.
Any help would be much appreciated.

Under your config, Kibana thinks that its ACS is
https://0:5601/api/security/v1/saml, but you've configured Elasticsearch with an ACS of https://192.168.99.100:5601/api/security/v1/saml

You've got 2 choices, you can change the server name in Kibana

server.host: "0"

Or set a public Kibana host (xpack.security.public.host) See Configuring Kibana | X-Pack for the Elastic Stack [6.2] | Elastic

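The mismatch above is easy to catch before the first login attempt. The following is an added example (not Kibana's or Elasticsearch's own code) that derives the ACS URL Kibana will announce from its server.* settings and compares it with the realm's sp.acs; it also flags bind-all addresses such as "0" or "0.0.0.0", which are fine for listening but are never a URL a browser or IdP can reach. It assumes Kibana 6.x builds the ACS from server.ssl.enabled, server.host, server.port and server.basePath; the public_hostname argument stands in for an explicit public-host override and is not the name of a Kibana setting.

```python
"""Pre-flight check: does Kibana's self-derived ACS match the realm's sp.acs?

Added example, not Elastic's code. Assumption: Kibana 6.x derives the
AssertionConsumerService URL as
  <scheme>://<server.host>:<server.port><server.basePath>/api/security/v1/saml
unless a public hostname is supplied (modelled here by `public_hostname`).
"""
from typing import List, Optional
from urllib.parse import urlparse

ACS_PATH = "/api/security/v1/saml"
# Bind-all addresses: valid for listening, useless as a URL a browser or IdP will use.
BIND_ALL = {"0", "0.0.0.0", "::"}


def expected_acs(kibana: dict, public_hostname: Optional[str] = None) -> str:
    """URL Kibana will send as assertionConsumerServiceURL in its prepare request."""
    scheme = "https" if kibana.get("server.ssl.enabled") else "http"
    host = public_hostname or str(kibana.get("server.host", "localhost"))
    if ":" in host and not host.startswith("["):
        host = f"[{host}]"  # a bare IPv6 literal needs brackets inside a URL
    port = kibana.get("server.port", 5601)
    base = str(kibana.get("server.basePath", "")).rstrip("/")
    return f"{scheme}://{host}:{port}{base}{ACS_PATH}"


def check_acs(kibana: dict, realm: dict, public_hostname: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means Kibana and the realm agree."""
    problems: List[str] = []
    acs = expected_acs(kibana, public_hostname)
    host = urlparse(acs).hostname or ""
    if host in BIND_ALL:
        problems.append(
            f"Kibana-derived ACS {acs} uses bind address {host!r}; "
            "set server.host (or a public hostname) to a name the IdP and browsers can reach"
        )
    configured = realm.get("sp.acs", "")
    if not urlparse(configured).path.endswith(ACS_PATH):
        problems.append(f"realm sp.acs {configured!r} does not end with {ACS_PATH}")
    if acs != configured:
        problems.append(f"ACS mismatch: Kibana will send {acs}, realm expects {configured}")
    return problems


# Constructed settings mirroring the thread: the original server.host and the fix.
KIBANA_BROKEN = {"server.host": "0", "server.ssl.enabled": True}
KIBANA_FIXED = {"server.host": "192.168.99.100", "server.ssl.enabled": True}
REALM = {"sp.acs": "https://192.168.99.100:5601/api/security/v1/saml"}

if __name__ == "__main__":
    for name, cfg in (("broken", KIBANA_BROKEN), ("fixed", KIBANA_FIXED)):
        print(name, check_acs(cfg, REALM) or "OK")
```

With the thread's original settings the derived ACS is exactly the https://0:5601/api/security/v1/saml that appears in the Kibana log, and the check reports both the bind-address problem and the mismatch; with server.host set to the reachable address (or the public hostname supplied) it reports nothing.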

Thanks a lot. That worked!

But getting this error now:
kibana-x-pack | {"type":"log","@timestamp":"2018-02-12T08:40:23Z","tags":["info","authentication"],"pid":1,"message":"Authentication attempt failed: [exception] Cannot find [{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor]/[urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect] in descriptor [null]"}

Is something wrong with my idP metadata xml?

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:auth0:elk-base:SAML-Auth0-IDP">
   <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="encryption">
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
               <ds:X509Certificate> </ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </KeyDescriptor>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://elk-base.auth0.com/logout" />
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://elk-base.auth0.com/logout" />
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://elk-base.auth0.com/login/callback?connection=SAML-Auth0-IDP" index="0" isDefault="true" />
   </SPSSODescriptor>
</EntityDescriptor>

Yes. It looks like it is a SP metadata file. It has the element SPSSODescriptor, but it needs to have IDPSSODescriptor. Are you sure that you downloaded the right file?

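Because the SP and IdP metadata documents share the same EntityDescriptor root, the wrong file is easy to pick up. The following added example (not Elastic's code) parses a metadata file and reports whether it carries an IDPSSODescriptor with an HTTP-Redirect SingleSignOnService, the element the error above says it cannot find. The SP sample is trimmed from the post above; the IdP sample, its entityID and its endpoints are constructed. Only feed it metadata obtained from your IdP: xml.etree is not hardened against hostile XML.

```python
"""Tell IdP metadata from SP metadata before pointing idp.metadata.path at it.

Added example, not Elastic's code. The Elasticsearch SAML realm needs an
<IDPSSODescriptor> that advertises a SingleSignOnService with the HTTP-Redirect
binding; SP metadata only carries an <SPSSODescriptor>.
"""
import xml.etree.ElementTree as ET
from typing import Dict

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def inspect_metadata(xml_text: str) -> Dict[str, object]:
    """Summarise which role descriptors and SSO bindings a metadata file offers."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    sso = {} if idp is None else {
        e.get("Binding"): e.get("Location")
        for e in idp.findall("md:SingleSignOnService", NS)
    }
    return {
        "entity_id": root.get("entityID"),
        "has_idp_descriptor": idp is not None,
        "has_sp_descriptor": sp is not None,
        "sso_endpoints": sso,
        "usable_as_idp_metadata": idp is not None and HTTP_REDIRECT in sso,
    }


def explain(xml_text: str) -> str:
    """One-line verdict suitable for a setup script."""
    info = inspect_metadata(xml_text)
    if info["usable_as_idp_metadata"]:
        return f"OK: IdP metadata for {info['entity_id']}, redirect SSO at {info['sso_endpoints'][HTTP_REDIRECT]}"
    if info["has_sp_descriptor"] and not info["has_idp_descriptor"]:
        return f"{info['entity_id']}: this is SP metadata (SPSSODescriptor only); download the IdP metadata instead"
    return f"{info['entity_id']}: IDPSSODescriptor present but no HTTP-Redirect SingleSignOnService"


# Trimmed from the file posted in the thread: an SP descriptor, not an IdP one.
SP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:auth0:elk-base:SAML-Auth0-IDP">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://elk-base.auth0.com/login/callback?connection=SAML-Auth0-IDP" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed sample of what IdP metadata should look like (entityID and URLs are made up).
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:example:idp">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(explain(SP_METADATA))
    print(explain(IDP_METADATA))
```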

Thanks Tim, I had the wrong metadata file!

Now I can log in successfully using SAML but am getting this error message:

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" }

Do I have to create users in Kibana manually for this to work?


You're going to need to look at the elasticsearch logs to see what's caused that.
That error message is indicating that the SAML message was rejected by ES for some reason, but the reason will be in the log file (hopefully!)

My guess is that it will be an attribute mapping issue, but the logs will tell.

I could see this in the ES logs,

[2018-02-13T10:24:18,622][INFO ][o.e.x.s.a.AuthenticationService] [UOQ1Up_] Authentication of [kibana] was terminated by realm [reserved] - failed to authenticate user [kibana

That's interesting, and very peculiar.
That's suggesting something is trying to authenticate as Kibana with the wrong password. I wouldn't expect that to be related to this problem, but it's surprising to see it there.

Any log messages for SamlRealm or SamlAuthenticator ?

Couldn't find anything related to SAML in the logs, but ran into these lines:

elasticsearch-x-pack | [2018-02-13T10:24:19,660][INFO ][o.e.l.LicenseService     ] [UOQ1Up_] license [f763fe56-66a6-4537-9f56-3eb3e898d12c] mode [trial] - valid
elasticsearch-x-pack | [2018-02-13T10:24:19,676][INFO ][o.e.g.GatewayService     ] [UOQ1Up_] recovered [11] indices into cluster_state
elasticsearch-x-pack | [2018-02-13T10:24:21,097][ERROR][o.e.x.s.a.e.ReservedRealm] [UOQ1Up_] failed to retrieve password hash for reserved user [kibana]
elasticsearch-x-pack | org.elasticsearch.action.NoShardAvailableActionException: No shard available for [get [.security][doc][reserved-user-kibana]: routing [null]]

Hmm, I don't quite understand what's going on here.
The Kibana user is the one that exists for use by Kibana when it connects to Elasticsearch, but you've configured it to use elastic instead (which isn't a great idea, but also isn't the cause of this problem).

I'm going to check internally and see if there's an explanation.

Hi @Athul_Jayson,

Hmm, Kibana shouldn't make any request on behalf of kibana user unless you specifically configured elasticsearch.username to use kibana. Could you please also share Kibana's security log (with logging.verbose: true) so that we can see where exactly request fails to know what piece of code tries to use that kibana user.

Thanks

@azasypkin This was due to some environment variable set in docker. Sorry for the false flag guys. Also, this error occurred as Kibana started before ES. Will have to do something about it.

Now, regarding attribute mapping, I could get fields like this from my IDP

Attributes:
http://schemas.auth0.com/created_at :Tue Feb 13 2018 09:43:41 GMT+0000 (UTC)
http://schemas.auth0.com/identities :[object Object]
http://schemas.auth0.com/nickname :athuljays

Will using an attribute such as nickname (http://schemas.auth0.com/nickname) as principal be sufficient?

Yes, as long as it's something that is good enough for you to uniquely identify the user, it's sufficient. It ends up in audit logs and stuff like that, and you can use it for role-mapping, but Elasticsearch doesn't use it for much else so as long as it's good enough for you, it's fine to use.


elasticsearch-x-pack | [2018-02-14T05:51:01,047][WARN ][o.e.x.s.a.AuthenticationService] [UOQ1Up_] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[Conditions [urn:auth0:elk-base:SAML-Auth0-ID...] do not match required audience [https://192.168.99.100:5601]])

Getting this error now. What could be the reason?

When I changed the SP entityId, the login went through. Thanks for all your help :smiley:
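Both of the last two stumbles (the principal attribute question and the audience mismatch) can be diagnosed from the SAMLResponse the IdP posts to Kibana, which is just base64-encoded XML. The following added example (not Elastic's code) decodes a response, lists the Audience values in its Conditions against the realm's sp.entity_id, and checks that the configured attributes.principal (either nameid / nameid:<format> or an attribute name) is actually present. The response is a constructed, unsigned sample with made-up issuer, audience and user values; the script only finds configuration mismatches and does not verify signatures, which Elasticsearch does before trusting any of this.

```python
"""Decode a SAMLResponse and check audience and principal against the realm config.

Added example, not Elastic's code. SAMPLE_RESPONSE is a constructed, unsigned
response; signature and timestamp validation are deliberately out of scope here.
"""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def decode_response(saml_response_b64: str) -> ET.Element:
    """The SAMLResponse form field is the base64 encoding of the XML document."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def audiences(resp: ET.Element) -> List[str]:
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [(a.text or "").strip() for a in resp.findall(path, NS)]


def attributes(resp: ET.Element) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {}
    for attr in resp.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        out[attr.get("Name") or ""] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return out


def name_id(resp: ET.Element) -> Optional[ET.Element]:
    return resp.find(".//saml:Subject/saml:NameID", NS)


def check_response(saml_response_b64: str, sp_entity_id: str, principal: str) -> List[str]:
    """Return mismatches between the assertion and the realm's sp.entity_id / attributes.principal."""
    resp = decode_response(saml_response_b64)
    problems: List[str] = []
    auds = audiences(resp)
    if sp_entity_id not in auds:
        problems.append(f"audience mismatch: assertion names {auds}, realm sp.entity_id is {sp_entity_id!r}")
    if principal.startswith("nameid"):
        # attributes.principal may be "nameid" or "nameid:<format suffix>", e.g. nameid:persistent
        node = name_id(resp)
        wanted = principal.partition(":")[2]
        if node is None:
            problems.append("principal is taken from the NameID but the assertion has none")
        elif wanted and (node.get("Format") or "").rsplit(":", 1)[-1] != wanted:
            problems.append(f"NameID format {node.get('Format')!r} is not {wanted}")
    elif principal not in attributes(resp):
        problems.append(f"principal attribute {principal!r} not in assertion; available: {sorted(attributes(resp))}")
    return problems


# Constructed sample: issuer, audience, NameID and attribute values are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2018-02-14T05:51:00Z" Destination="https://192.168.99.100:5601/api/security/v1/saml">
  <saml:Issuer>urn:example:idp</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-02-14T05:51:00Z">
    <saml:Issuer>urn:example:idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">idp|0123abcd</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-02-14T05:50:00Z" NotOnOrAfter="2018-02-14T05:55:00Z">
      <saml:AudienceRestriction><saml:Audience>urn:example:kibana-sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.auth0.com/nickname"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="roles"><saml:AttributeValue>kibana_user</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    # The thread's original sp.entity_id against an assertion issued for a different audience.
    print(check_response(SAMPLE_B64, "https://192.168.99.100:5601", "nameid:persistent"))
    # sp.entity_id aligned with the Audience the IdP emits, principal from an attribute.
    print(check_response(SAMPLE_B64, "urn:example:kibana-sp", "http://schemas.auth0.com/nickname") or "OK")
```

The sp.entity_id the realm is configured with has to be the string the IdP puts in the Audience element, which is why changing it to match (or configuring the IdP to issue for https://192.168.99.100:5601) made the login go through.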

No problem.
I'm glad you got it working - while we've tried to make the SAML setup as easy as possible, it's a protocol with a lot of inbuilt complexity that's hard to hide.

If there were areas of the documentation that you found confusing or hard to follow, please let us know.
