Kibana SAML authentication issue

security

(Athul Jayson) #1

Hi,

I had been trying to get Kibana to work with SAML authentication, but to no avail.

Kibana Config

server.name: kibana
server.host: "0"

elasticsearch.url: https://192.168.99.100:9200
elasticsearch.username: elastic
elasticsearch.password: elastic

xpack.monitoring.ui.container.elasticsearch.enabled: true
xpack.monitoring.enabled: false
xpack.monitoring.elasticsearch.username: elastic
xpack.monitoring.elasticsearch.password: elastic
xpack.security.authProviders: [saml]
server.xsrf.whitelist: [/api/security/v1/saml]

server.ssl.enabled: true
server.ssl.key: /usr/share/keys/host.key
server.ssl.certificate: /usr/share/keys/host.cert

elasticsearch.ssl.verificationMode: certificate
elasticsearch.ssl.certificateAuthorities: [ "/usr/share/keys/certificate.pem" ]
xpack.security.encryptionKey: "something_at_least_32_characters_allrite_I_Will_Try"


Elastic Config

cluster.name: "docker-cluster"
network.host: 0.0.0.0

discovery.zen.minimum_master_nodes: 1
xpack.license.self_generated.type: trial

xpack.security.enabled: true

xpack.ssl.keystore.path: certs/elastic-certificates.p12
xpack.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.http.ssl.enabled: true

xpack.security.authc.token.enabled: true
xpack.security.authc.realms.saml1:
type: saml
order: 2
idp.metadata.path: "x-pack/elk-base-SAML-Auth0-IDP-metadata.xml"
idp.entity_id: "urn:auth0:elk-base:SAML-Auth0-IDP"
sp.entity_id: "https://192.168.99.100:5601"
sp.acs: "https://192.168.99.100:5601/api/security/v1/saml"
sp.logout: "https://192.168.99.100:5601/logout"
attributes.principal: "nameid:persistent"
attributes.groups: "roles"

xpack.security.authc.realms.native1:
type: native
order: 0

The error I am getting is :
kibana-x-pack | {"type":"log","@timestamp":"2018-02-12T07:02:36Z","tags":["info","authentication"],"pid":1,"message":"Authentication attempt failed: [security_exception] Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://0:5601/api/security/v1/saml}]"}

I followed the documentation but is stuck here.
Any help would be much appreciated.


Kibana - Okta integration not working
X-pack Azure AD SAML auth
(Tim Vernum) #2

Under your config, Kibana thinks that its ACS is
https://0:5601/api/security/v1/saml, but you've configured Elasticsearch with an ACS of https://192.168.99.100:5601/api/security/v1/saml

You've got 2 choices, you can change the server name in Kibana

server.host: "0"

Or set a public Kibana host (xpack.security.public.host) See https://www.elastic.co/guide/en/x-pack/6.2/saml-kibana.html


(Athul Jayson) #4

Thanks a lot. That worked!

But getting this error now :
kibana-x-pack | {"type":"log","@timestamp":"2018-02-12T08:40:23Z","tags":["info","authentication"],"pid":1,"message":"Authentication attempt failed: [exception] Cannot find [{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor]/[urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect] in descriptor [null]"}

Is something wrong with my idP metadata xml?

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:auth0:elk-base:SAML-Auth0-IDP">
   <SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <KeyDescriptor use="encryption">
         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
               <ds:X509Certificate> </ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </KeyDescriptor>
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://elk-base.auth0.com/logout" />
      <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://elk-base.auth0.com/logout" />
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
      <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://elk-base.auth0.com/login/callback?connection=SAML-Auth0-IDP" index="0" isDefault="true" />
   </SPSSODescriptor>
</EntityDescriptor>

(Tim Vernum) #5

Yes. It looks like it is a SP metadata file. It has the element SPSSODescriptor, but it needs to have IDPSSODescriptor. Are you sure that you downloaded the right file?


(Athul Jayson) #6

Thanks Tim, I had the wrong metadata file!

Now I can login successfully using saml but getting this error message :

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" }

Do I have to create users in Kibana manually for this to work?


(Tim Vernum) #7

You're going to need to look at the elasticsearch logs to see what's caused that.
That error message is indicating that the SAML message was rejected by ES for some reason, but the reason will be in the log file (hopefully!)

My guess is that it will be an attribute mapping issue, but the logs will tell.


(Athul Jayson) #8

I could see this in the ES logs,

[2018-02-13T10:24:18,622][INFO ][o.e.x.s.a.AuthenticationService] [UOQ1Up_] Authentication of [kibana] was terminated by realm [reserved] - failed to authenticate user [kibana


(Tim Vernum) #9

That's interesting, and very perculiar.
That's suggesting something is trying to authenticate as Kibana with the wrong password. I wouldn't expect that to be related to this problem but, it's surprising to see it there.

Any log messages for SamlRealm or SamlAuthenticator ?


(Athul Jayson) #10

Couldnt find anything related to SAML in the logs, but ran into these lines :

elasticsearch-x-pack | [2018-02-13T10:24:19,660][INFO ][o.e.l.LicenseService     ] [UOQ1Up_] license [f763fe56-66a6-4537-9f56-3eb3e898d12c] mode [trial] - valid
elasticsearch-x-pack | [2018-02-13T10:24:19,676][INFO ][o.e.g.GatewayService     ] [UOQ1Up_] recovered [11] indices into cluster_state
elasticsearch-x-pack | [2018-02-13T10:24:21,097][ERROR][o.e.x.s.a.e.ReservedRealm] [UOQ1Up_] failed to retrieve password hash for reserved user [kibana]
elasticsearch-x-pack | org.elasticsearch.action.NoShardAvailableActionException: No shard available for [get [.security][doc][reserved-user-kibana]: routing [null]]

(Tim Vernum) #11

Hmm, I don't quite understand what's going on here.
The Kibana user is the one that exists for use by Kibana when it connects to Elasticsearch, but you've configured it to use elastic instead (which isn't a great idea, but also isn't the cause of this problem).

I'm going to check internally and see if there's an explanation.


#12

Hi @Athul_Jayson,

Hmm, Kibana shouldn't make any request on behalf of kibana user unless you specifically configured elasticsearch.username to use kibana. Could you please also share Kibana's security log (with logging.verbose: true) so that we can see where exactly request fails to know what piece of code tries to use that kibana user.

Thanks


(Athul Jayson) #13

@azasypkin This was due to some environment variable set in docker. Sorry for the false flag guys. Also, this error occurred as Kibana started before ES. Will have to do something about it.

Now, regarding attribute mapping, I could get fields like this from my IDP

Attributes:
http://schemas.auth0.com/created_at :Tue Feb 13 2018 09:43:41 GMT+0000 (UTC)
http://schemas.auth0.com/identities :[object Object]
http://schemas.auth0.com/nickname :athuljays

Will using an attribute such as nickname(http://schemas.auth0.com/nickname) as principal be sufficient ?


(Tim Vernum) #14

Yes, as long as it's something that is good enough for you to uniquely identify the user, it's sufficient. It ends up in audit logs and stuff like that, and you can use it for role-mapping, but Elasticsearch doesn't use it for much else so as long as it's good enough for you, it's fine to use.


(Athul Jayson) #15

elasticsearch-x-pack | [2018-02-14T05:51:01,047][WARN ][o.e.x.s.a.AuthenticationService] [UOQ1Up_] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[Conditions [urn:auth0:elk-base:SAML-Auth0-ID...] do not match required audience [https://192.168.99.100:5601]])

Getting this error now. What could be the reason?


(Athul Jayson) #16

When I changed the SP entitiyId, the login went through. Thanks for all your help :smiley:


(Tim Vernum) #17

No problem.
I'm glad you got it working - while we've tried to make the SAML setup as easy as possible, it's a protocol with a lot of inbuilt complexity that's hard to hide.

If there were areas of the documentation that you found confusing or hard to follow, please let us know.


(system) #18

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.