Kibana SAML integration with Azure

Hello @ikakavas
We are using elastic cloud hosting version 7.5.
We have the configuration below for the user override sections of Elasticsearch and Kibana. We have created roles in Kibana and created an AD user group in Azure called. We have also added the user to this group at the Azure end. We also used the PUT command to assign roles to this user group in Kibana.
Configuration on elastic:

```yaml
xpack:
  security:
    authc:
      realms:
        saml:
          saml2:
            order: 2
            attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
            attributes.groups: "user.assignedroles"
            idp.metadata.path: "<idp metadata path>"
            idp.entity_id: "<idp entity url>"
            sp.entity_id: "<KIBANA_URL>"
            sp.acs: "<KIBANA_URL>/api/security/v1/saml"
            sp.logout: "<KIBANA_URL>/logout"
```

```yaml
xpack.security.authc.providers: [saml]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.authc.saml.realm: saml2
```

Current Roles added:

```json
{
  "CLOUD_SAML2_ReadOnly": {
    "enabled": true,
    "roles": ["AWS-Elastic-P-Kibana-ReadOnly"],
    "rules": {
      "all": [
        { "field": { "realm.name": "saml2" } },
        { "field": { "groups": "AWS-Elastic-P-Kibana-ReadOnly" } }
      ]
    },
    "metadata": { "version": 1 }
  },
  "CLOUD_SAML2_Hades": {
    "enabled": true,
    "roles": ["Hades_User"],
    "rules": {
      "all": [
        { "field": { "realm.name": "saml2" } },
        { "field": { "groups": "AWS-Elastic-P-Kibana-ReadOnly" } }
      ]
    },
    "metadata": { "version": 1 }
  },
  "CLOUD_SAML2_kibana_user": {
    "enabled": true,
    "roles": ["kibana_user"],
    "rules": {
      "all": [
        { "field": { "realm.name": "saml2" } },
        { "field": { "groups": "AWS-Elastic-P-Kibana-ReadOnly" } }
      ]
    },
    "metadata": { "version": 1 }
  }
}
```

AD Groups Created:

AWS-Elastic-P-Kibana-ReadOnly

**Changes in SAML**
Claims are: givenname, name, emailaddress, roles, surname.
Roles are user.assignedroles

We do not have roles assigned on the SAML side. This is what the SAML response depicts.
What roles need to be configured on the SAML end?
Do we need to configure a tenant URL on the SAML side? If so, what is the exact value to be configured?

Please don't post unformatted code, logs, or configuration as it's very hard to read.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

I also urge you to read through https://www.elastic.co/guide/en/elasticsearch/reference/master/saml-guide-authentication.html , it has many details that probably explain and answer your questions.

called what?

What are the changes in SAML?

What is that and where can we see this SAML response?

What is a tenant URL and why do you think you should be configuring it?

Hi,

Configuration on elastic:

Elasticsearch user-override settings:

```yaml
xpack:
  security:
    authc:
      realms:
        saml:
          saml2:
            order: 2
            attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
            attributes.groups: "user.assignedroles"
            idp.metadata.path: "<idp metadata path>"
            idp.entity_id: "<idp entity url>"
            sp.entity_id: "<KIBANA_URL>"
            sp.acs: "<KIBANA_URL>/api/security/v1/saml"
            sp.logout: "<KIBANA_URL>/logout"
```

Kibana user-override settings:

```yaml
xpack.security.authc.providers: [saml]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.authc.saml.realm: saml2
```

Current Roles added:

```json
{
  "CLOUD_SAML2_ReadOnly": {
    "enabled": true,
    "roles": ["AWS-Elastic-P-Kibana-ReadOnly"],
    "rules": {
      "all": [
        { "field": { "realm.name": "saml2" } },
        { "field": { "groups": "AWS-Elastic-P-Kibana-ReadOnly" } }
      ]
    },
    "metadata": { "version": 1 }
  },
  "CLOUD_SAML2_Hades": {
    "enabled": true,
    "roles": ["Hades_User"],
    "rules": {
      "all": [
        { "field": { "realm.name": "saml2" } },
        { "field": { "groups": "AWS-Elastic-P-Kibana-ReadOnly" } }
      ]
    },
    "metadata": { "version": 1 }
  },
  "CLOUD_SAML2_kibana_user": {
    "enabled": true,
    "roles": ["kibana_user"],
    "rules": {
      "all": [
        { "field": { "realm.name": "saml2" } },
        { "field": { "groups": "AWS-Elastic-P-Kibana-ReadOnly" } }
      ]
    },
    "metadata": { "version": 1 }
  }
}
```

AD Groups Created:
AWS-Elastic-P-Kibana-ReadOnly

Changes in SAML side

SAML2

SAML Request Response

REQUEST:

```xml
[instance-0000000120] Constructed SAML Authentication Request: <?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL=<sp.acs>
    Destination="https://login.microsoftonline.com/63a8df83-063c-4312-a508-dc01b7508661/saml2"
    ID="_40a9c3b56dbdaa8a53ce715c31296fe80f219b78"
    IssueInstant="2020-02-13T13:37:25.981Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">sp.entity_id:</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</saml2p:AuthnRequest>
```

RESPONSE:

```xml
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="sp.entity_id:api/security/v1/saml" ID="_cada0511-51da-436d-aa20-8425ce4db88b" InResponseTo="_40a9c3b56dbdaa8a53ce715c31296fe80f219b78" IssueInstant="2020-02-13T13:39:07.677Z" Version="2.0"> https://sts.windows.net/63a8df83-063c-4312-a508-dc01b7508661/ samlp:Status <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </samlp:Status> https://sts.windows.net/63a8df83-063c-4312-a508-dc01b7508661/ sL7otFhxmxvzzlVeIt94WHd0U3Ax5z74odAftKKGPf8= nB6OysgVw0MF2OTD8Xd328GGVW1yUll8P085EuUbR4Rw8FGa/jdTMgphE6oJpyhxmRUfur4pcmGz6fykGo0ZP4yXx2SRGh/WFr9RMEcQ3CBrWEV2ScierKqIebXsXUUIXBCdmaBH7X5Q5vRmutCYvofOw6wHsOx+eopDupzTDGEJHrmU/1fh7Ar85O9XjgJFVWUw3rL8z+nr/Mfv7Q5gkkO4+Xb16BOOAxyaPi4yIiz3FOiaJmCKzX4apWspBMZth/0NsKdHBiKXRH92wfXbjCbr+cN61/wQB6zKEeURH4iSqO6SFtDpFOYXWTmv2LZWcrTx5SirTOF6IuqmJqeGxA== dSNvPvEsbvsd//RY392rdlcjRBC0e2Nfp/zjWtMnluE= sp.entity_id: 63a8df83-063c-4312-a508-dc01b7508661 c8b15daf-7cad-4edb-97e1-9b3242b8ef76 Name https://sts.windows.net/63a8df83-063c-4312-a508-dc01b7508661/ http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password http://schemas.microsoft.com/claims/multipleauthn Name Surname email address email address urn:oasis:names:tc:SAML:2.0:ac:classes:Password </samlp:Response>
```

Roles are not returned in the SAML response. So my question is: what is the exact configuration needed at the SAML end for `attributes.groups: "user.assignedroles"`? How, and exactly what, do we configure?

Please don't post images of text as they are hard to read, may not display correctly for everyone, and are not searchable.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this. If you fix your posts there's a higher chance someone will be able to help you out!

I cannot format since the response is getting truncated. Nevertheless, the question is plain and simple:
Roles are not returned in the SAML response. So my question is: what is the exact configuration needed at the SAML end for `attributes.groups: "user.assignedroles"`? How, and exactly what, do we configure?

The black screenshot is of the SAML UI, to which I do not have access, hence pasting its image.

Some context so that you don't feel I'm being pedantic for no reason. I totally get that you:

  • Want to resolve your issues as quickly as possible
  • You have in your mind all the history of what you want to do, what you have tried and what has worked and what hasn't. What changes you made along the way and what errors you encountered. All the frustrations and possible dead ends.
  • You want someone to tell you a simple solution "Do A" that will fix your problems.

Now from the forums community perspective:

  • We lack all the insights you have, thus we ask you to be as precise as possible and to give us as much information as possible so that we can understand what you try to do and what your problem is.
  • We are also in a hurry and doing other things, trying to also answer other people's questions etc., so the easier you make it for someone to go through the information you provide (formatting your messages correctly, not sharing screenshots but actual text), the more likely you are to get some assistance. I can't speak for everyone of course, but if I have 10 mins to answer a question, I'll probably pick one that is clearly asked and where I can consume the necessary information in a proper format.
  • Sometimes we can't just say "Do A" because we need to explain something first, or because we feel that we should also point you to the documentation as this might be useful to you down the line too.
  • Sometimes we can't just say "Do A" because a question makes assumptions about "X, Y and Z" which are not valid and we need to discuss these first or make more investigative questions.

With that said, I kindly ask you again to fix the format in your posts, as it is really hard to go through them as it is now. This will not only help you now but also people that stumble upon this question later on to understand what was asked and how it was fixed. ( As you, for example, did in the previous question where you originally asked this )

Current Roles added:

This doesn't add roles. It adds Role Mappings. Role Mappings are rules that say "If a user with such characteristics logs in, assign them these roles".

I pointed you to https://www.elastic.co/guide/en/elasticsearch/reference/master/saml-guide-authentication.html#saml-attribute-mapping already, please read through it.

When you add

        attributes.groups: "user.assignedroles"

in your settings, you're basically configuring Elasticsearch to look for a SAML Attribute in the SAML response for a user with the name user.assignedroles and use its value to populate the elasticsearch user property groups. Then you can use that value in role mappings.
On the other hand you have configured Azure AD to release roles in an attribute with name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/roles so what you need to be configuring in elasticsearch is

        attributes.groups: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/roles"

Finally , from what I can see in the saml response you pasted ( which is really hard to see as you haven't formatted it correctly - see my previous points ) Azure AD doesn't send this attribute at all so it either means that the Azure AD configuration has since changed or is invalid, or that the user that logs in has no assignedroles in Azure AD.

In summary:

  1. Please, please, please fix the formatting of your posts.
  2. Change your elasticsearch saml realm configuration to
    attributes.groups: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/roles"
    
  3. Ensure that your IDP ( Azure AD ) is correctly configured and that the user has the role in Azure AD that you expect them to have. We won't probably be able to help you further with any of your Azure AD configuration so you might want to talk to their support to figure things out.
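To make the attribute-mapping mechanism concrete, here is an added Python example (not code from this thread, from Elasticsearch or from Azure AD) that parses a constructed assertion, fills the user's `groups` property the way `attributes.groups` does, and then evaluates the thread's `CLOUD_SAML2_ReadOnly` mapping under both settings; the assertion XML and the email address are assumed, and the rule evaluator is a simplified model of Elasticsearch's role-mapping rules.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLES_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/roles"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed, minimal assertion (not a real Azure AD response): only the
# AttributeStatement matters here, so Signature, Subject and Conditions are omitted.
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{NS['saml2']}">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="{EMAIL_CLAIM}">
      <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="{ROLES_CLAIM}">
      <saml2:AttributeValue>AWS-Elastic-P-Kibana-ReadOnly</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# The CLOUD_SAML2_ReadOnly role mapping from the thread (GET _security/role_mapping shape).
ROLE_MAPPINGS = {
    "CLOUD_SAML2_ReadOnly": {
        "enabled": True, "roles": ["AWS-Elastic-P-Kibana-ReadOnly"],
        "rules": {"all": [{"field": {"realm.name": "saml2"}},
                          {"field": {"groups": "AWS-Elastic-P-Kibana-ReadOnly"}}]}}}

def saml_attributes(assertion_xml):
    """Collect {Attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): [v.text or "" for v in a.findall("saml2:AttributeValue", NS)]
            for a in root.findall(".//saml2:Attribute", NS)}

def build_user(attrs, realm_name, attribute_settings):
    """Mimic attributes.*: each user property is filled from the SAML attribute whose Name equals the setting."""
    user = {prop: attrs.get(name, []) for prop, name in attribute_settings.items()}
    user["realm.name"] = realm_name
    return user

def rule_matches(rule, user):
    """Evaluate a mapping rule: 'all' is a conjunction, 'field' compares one user property."""
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    (field, expected), = rule["field"].items()
    actual = user.get(field)
    return expected == actual if isinstance(actual, str) else expected in (actual or [])

def mapped_roles(user, mappings):
    """Union of roles from every enabled mapping whose rules match the user."""
    return sorted({r for m in mappings.values()
                   if m["enabled"] and rule_matches(m["rules"], user) for r in m["roles"]})
```

With `attributes.groups: "user.assignedroles"` no attribute of that Name exists, so `groups` stays empty and no mapping fires; with the claims/roles URI the group is populated and the role is granted.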
