Kibana SAML authentication issue


I had been trying to get Kibana to work with SAML authentication, but to no avail.

Kibana Config kibana "0"

elasticsearch.username: elastic
elasticsearch.password: elastic

xpack.monitoring.ui.container.elasticsearch.enabled: true
xpack.monitoring.enabled: false
xpack.monitoring.elasticsearch.username: elastic
xpack.monitoring.elasticsearch.password: elastic [saml]
server.xsrf.whitelist: [/api/security/v1/saml]

server.ssl.enabled: true
server.ssl.key: /usr/share/keys/host.key
server.ssl.certificate: /usr/share/keys/host.cert

elasticsearch.ssl.verificationMode: certificate
elasticsearch.ssl.certificateAuthorities: [ "/usr/share/keys/certificate.pem" ] "something_at_least_32_characters_allrite_I_Will_Try"

Elastic Config "docker-cluster"

discovery.zen.minimum_master_nodes: 1
xpack.license.self_generated.type: trial true

xpack.ssl.keystore.path: certs/elastic-certificates.p12
xpack.ssl.truststore.path: certs/elastic-certificates.p12 true certificate true true
type: saml
order: 2
idp.metadata.path: "x-pack/elk-base-SAML-Auth0-IDP-metadata.xml"
idp.entity_id: "urn:auth0:elk-base:SAML-Auth0-IDP"
sp.entity_id: ""
sp.acs: ""
sp.logout: ""
attributes.principal: "nameid:persistent"
attributes.groups: "roles"
type: native
order: 0

The error I am getting is :
kibana-x-pack | {"type":"log","@timestamp":"2018-02-12T07:02:36Z","tags":["info","authentication"],"pid":1,"message":"Authentication attempt failed: [security_exception] Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://0:5601/api/security/v1/saml}]"}

I followed the documentation but is stuck here.
Any help would be much appreciated.

Under your config, Kibana thinks that its ACS is
https://0:5601/api/security/v1/saml, but you've configured Elasticsearch with an ACS of

You've got 2 choices, you can change the server name in Kibana "0"

Or set a public Kibana host ( See Configuring Kibana | X-Pack for the Elastic Stack [6.2] | Elastic

1 Like

Thanks a lot. That worked!

But getting this error now :
kibana-x-pack | {"type":"log","@timestamp":"2018-02-12T08:40:23Z","tags":["info","authentication"],"pid":1,"message":"Authentication attempt failed: [exception] Cannot find [{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor]/[urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect] in descriptor [null]"}

Is something wrong with my idP metadata xml?

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:auth0:elk-base:SAML-Auth0-IDP">
   <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="encryption">
         <ds:KeyInfo xmlns:ds="">
               <ds:X509Certificate> </ds:X509Certificate>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="" />
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" />
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" index="0" isDefault="true" />

Yes. It looks like it is a SP metadata file. It has the element SPSSODescriptor, but it needs to have IDPSSODescriptor. Are you sure that you downloaded the right file?

1 Like

Thanks Tim, I had the wrong metadata file!

Now I can login successfully using saml but getting this error message :

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" }

Do I have to create users in Kibana manually for this to work?

1 Like

You're going to need to look at the elasticsearch logs to see what's caused that.
That error message is indicating that the SAML message was rejected by ES for some reason, but the reason will be in the log file (hopefully!)

My guess is that it will be an attribute mapping issue, but the logs will tell.

I could see this in the ES logs,

[2018-02-13T10:24:18,622][INFO ][o.e.x.s.a.AuthenticationService] [UOQ1Up_] Authentication of [kibana] was terminated by realm [reserved] - failed to authenticate user [kibana

That's interesting, and very perculiar.
That's suggesting something is trying to authenticate as Kibana with the wrong password. I wouldn't expect that to be related to this problem but, it's surprising to see it there.

Any log messages for SamlRealm or SamlAuthenticator ?

Couldnt find anything related to SAML in the logs, but ran into these lines :

elasticsearch-x-pack | [2018-02-13T10:24:19,660][INFO ][o.e.l.LicenseService     ] [UOQ1Up_] license [f763fe56-66a6-4537-9f56-3eb3e898d12c] mode [trial] - valid
elasticsearch-x-pack | [2018-02-13T10:24:19,676][INFO ][o.e.g.GatewayService     ] [UOQ1Up_] recovered [11] indices into cluster_state
elasticsearch-x-pack | [2018-02-13T10:24:21,097][ERROR][o.e.x.s.a.e.ReservedRealm] [UOQ1Up_] failed to retrieve password hash for reserved user [kibana]
elasticsearch-x-pack | org.elasticsearch.action.NoShardAvailableActionException: No shard available for [get [.security][doc][reserved-user-kibana]: routing [null]]
1 Like

Hmm, I don't quite understand what's going on here.
The Kibana user is the one that exists for use by Kibana when it connects to Elasticsearch, but you've configured it to use elastic instead (which isn't a great idea, but also isn't the cause of this problem).

I'm going to check internally and see if there's an explanation.

Hi @Athul_Jayson,

Hmm, Kibana shouldn't make any request on behalf of kibana user unless you specifically configured elasticsearch.username to use kibana. Could you please also share Kibana's security log (with logging.verbose: true) so that we can see where exactly request fails to know what piece of code tries to use that kibana user.


@azasypkin This was due to some environment variable set in docker. Sorry for the false flag guys. Also, this error occurred as Kibana started before ES. Will have to do something about it.

Now, regarding attribute mapping, I could get fields like this from my IDP

Attributes: :Tue Feb 13 2018 09:43:41 GMT+0000 (UTC) :[object Object] :athuljays

Will using an attribute such as nickname( as principal be sufficient ?

Yes, as long as it's something that is good enough for you to uniquely identify the user, it's sufficient. It ends up in audit logs and stuff like that, and you can use it for role-mapping, but Elasticsearch doesn't use it for much else so as long as it's good enough for you, it's fine to use.

1 Like

elasticsearch-x-pack | [2018-02-14T05:51:01,047][WARN ][o.e.x.s.a.AuthenticationService] [UOQ1Up_] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[Conditions [urn:auth0:elk-base:SAML-Auth0-ID...] do not match required audience []])

Getting this error now. What could be the reason?

When I changed the SP entitiyId, the login went through. Thanks for all your help :smiley:

No problem.
I'm glad you got it working - while we've tried to make the SAML setup as easy as possible, it's a protocol with a lot of inbuilt complexity that's hard to hide.

If there were areas of the documentation that you found confusing or hard to follow, please let us know.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.