Kibana, SAML, Okta - help?

Hello,
I am trying to get our EC Kibana to authenticate with Okta, following the steps in the guide, but not having any luck :cry:

Here is the elastic.yml override:

xpack:
  security:
    authc:
      realms:
        cloud-saml:
          type: saml
          order: 2
          attributes.principal: "nameid:persistent"
          idp.metadata.path: "https://p.oktapreview.com/app/xxxxxxxxx/sso/saml/metadata"
          idp.entity_id: "http://www.okta.com/xxxxxxxxx"
          sp.entity_id: "https://ac41b26xxx.us-central1.gcp.cloud.es.io:9243/"
          sp.acs: "https://ac41b2xxx.us-central1.gcp.cloud.es.io:9243/api/security/v1/saml"
          sp.logout: "https://ac41b2xxx.us-central1.gcp.cloud.es.io:9243/logout"

and the kibana.yml override:

xpack.security.authProviders: [saml]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.public:
  protocol: https
  hostname: ac41b2.us-central1.gcp.cloud.es.io
  port: 9243

Contents of https://p.oktapreview.com/app/xxxxxxxxx/sso/saml/metadata here:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/xxxxxxxxx">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
MIIDnjCCAoaxxxtaQqO6
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://p.oktapreview.com/app/pppreview_statssio_1/xxxxxxxxx/sso/saml" />
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://p.oktapreview.com/app/pppreview_statssio_1/xxxxxxxxx/sso/saml" />
</md:IDPSSODescriptor>
</md:EntityDescriptor>

After removing Basic authProvider completely, our error looks like:

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } } :: {\"path\":\"/_xpack/security/saml/authenticate\",\"query\":{},\"body\":\"{\\\"ids\\\":[],\\\"content\\\":\\\"PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9hYzQxYjI2MTc0ZTk0NWE1ODBlNzNkNWZmN2MyZmVkM <snip>
 "}\",\"statusCode\":401,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":[\\\"Bearer realm=\\\\\\\"security\\\\\\\"\\\",\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"]}}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":[\\\"Bearer realm=\\\\\\\"security\\\\\\\"\\\",\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"]}},\\\"status\\\":401}\",\"wwwAuthenticateDirective\":\"Bearer realm=\\\"security\\\", Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}"}

Unfortunately I am not the Okta administrator, but they have been in touch with Okta Support and tell me that the IDP is configured correctly. Elastic Support is telling me "this is not a cloud issue" :frowning:

Is there a log I can check in the Cloud product that might give me some more insight into what is going wrong?

Thanks for any insight!!

Trevor

Hi @honzo

I think there's still a known issue where we filter security log entries out before providing them to the user console (which used to be fine, but now that people are configuring their own realms it doesn't work so well!)

I see in the unfiltered logs that you have "Authentication to realm cloud-saml failed - Provided SAML response is not valid for realm saml/cloud-saml (Caused by ElasticsearchSecurityException[Conditions [ac41b26xxx...] do not match required audience [https://ac41b26xxx.us-central1.gcp.cloud.es.io:9243/]])"

which I think I've seen before and means that your sp.entity_id is wrong (inconsistent with what's set in the IDP); if you give me the case id (you mentioned engaging with support?) then I'll go check out what happened over there

Alex

That error appears here: https://www.elastic.co/guide/en/elastic-stack-overview/current/trb-security-saml.html and suggests that your Okta-side config needs to contain the sp.entity_id somewhere, but you have it set to just the cluster id or something like that?
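As an added example (not written by anyone in the thread, and not Elastic's code), here is a small offline consistency check that mirrors the audience comparison quoted from the log: it reads the realm settings, the Okta metadata entityID and a decoded SAML Response, and reports every place they disagree. The XML and host names are constructed placeholders in the shape used in this thread.

```python
"""Cross-check Kibana/Okta SAML realm settings against the IdP metadata and a
decoded SAML Response, reproducing the 'do not match required audience'
failure from the thread.  All XML and hosts below are constructed placeholders."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Realm settings in the shape used in the thread (placeholder hosts).
REALM = {"idp.entity_id": "http://www.okta.com/xxxxxxxxx",
         "sp.entity_id": "https://ac41b26xxx.us-central1.gcp.cloud.es.io:9243/",
         "sp.acs": "https://ac41b26xxx.us-central1.gcp.cloud.es.io:9243/api/security/v1/saml"}

# Constructed, trimmed IdP metadata: only entityID matters for this check.
IDP_METADATA = ('<md:EntityDescriptor xmlns:md="%s" '
                'entityID="http://www.okta.com/xxxxxxxxx"/>' % NS["md"])

def make_response(audience):
    """Constructed (unsigned, already base64-decoded) SAML Response with one Audience."""
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
  Destination="{REALM['sp.acs']}">
  <saml2:Issuer>http://www.okta.com/xxxxxxxxx</saml2:Issuer>
  <saml2:Assertion><saml2:Conditions><saml2:AudienceRestriction>
    <saml2:Audience>{audience}</saml2:Audience>
  </saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion>
</saml2p:Response>"""

def check_saml_config(realm, idp_metadata, saml_response):
    """Return the list of mismatches (an empty list means the three agree)."""
    problems = []
    md_entity = ET.fromstring(idp_metadata).get("entityID")
    if md_entity != realm["idp.entity_id"]:
        problems.append(f"idp.entity_id {realm['idp.entity_id']!r} != metadata entityID {md_entity!r}")
    resp = ET.fromstring(saml_response)
    issuer = resp.findtext("saml2:Issuer", namespaces=NS)
    if issuer != realm["idp.entity_id"]:
        problems.append(f"Response Issuer {issuer!r} != idp.entity_id {realm['idp.entity_id']!r}")
    if resp.get("Destination") != realm["sp.acs"]:
        problems.append(f"Destination {resp.get('Destination')!r} != sp.acs {realm['sp.acs']!r}")
    # The check that failed in the thread: sp.entity_id must appear verbatim
    # (trailing slash included) among the assertion's Audience values.
    audiences = [a.text for a in resp.iterfind(".//saml2:Audience", NS)]
    if realm["sp.entity_id"] not in audiences:
        problems.append(f"Conditions {audiences} do not match required audience [{realm['sp.entity_id']}]")
    return problems

if __name__ == "__main__":
    for aud in ("ac41b26xxx", REALM["sp.entity_id"]):  # bare cluster id vs. correct value
        print(aud, "->", check_saml_config(REALM, IDP_METADATA, make_response(aud)) or "OK")
```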

Thanks Alex! The case # is 00320253. I'll double check the sp.entity_id asap.

Cheers,
Trevor

Hi @Alex_Piggott, the error you showed us from the log and the FAQ led us to the issue. Indeed, sp.entity_id was inconsistent in the Okta config.

THANK YOU!! :grinning: .. we've been wondering what this was for weeks!

So we are able to login. The email address is displayed as (No email) though, and I can't seem to set an attribute for it.. When we try, the error is "xpack.security.authc.realms.cloud-saml.attributes.mail: is not allowed" .. Is that one black-listed for Cloud clusters?

The username is set to the email address if we use attributes.principal: "nameid:persistent", and I may just leave as is. If I can only set one attribute then email address isn't bad, but it would be nice to put some polish on this now.

Best regards,
Trevor

Glad you got it working!

Despite my good luck in helping you with the initial issue, I'm not a SAML expert by any means .. my suggestion would be to ask in the Kibana forum how to set separate username and email addresses for Kibana<->Okta ... if the answer (which you may already have based on your question?) ends up being to set an attribute that isn't whitelisted (which will probably be a mistake in our whitelist tbh), then you can always open a support ticket asking for it to be set

Alex

The mail attribute is exactly what you want for this.
It has been blacklisted in cloud (or more accurately, not added to the whitelist), but I can see work in progress to resolve that.

Until then, you'll need to raise a case to add it to your cluster.

Fabulous, thanks for the info @TimV! We'll do just that.

Cheers guys, I think we've finally got this under control. We really appreciate you helping us out here.

Trevor
