Hello,
I am trying to get our EC Kibana to authenticate with Okta, following the steps in the guide, but not having any luck.
Here is the elastic.yml override:
xpack:
  security:
    authc:
      realms:
        cloud-saml:
          type: saml
          order: 2
          attributes.principal: "nameid:persistent"
          idp.metadata.path: "https://p.oktapreview.com/app/xxxxxxxxx/sso/saml/metadata"
          idp.entity_id: "http://www.okta.com/xxxxxxxxx"
          sp.entity_id: "https://ac41b26xxx.us-central1.gcp.cloud.es.io:9243/"
          sp.acs: "https://ac41b2xxx.us-central1.gcp.cloud.es.io:9243/api/security/v1/saml"
          sp.logout: "https://ac41b2xxx.us-central1.gcp.cloud.es.io:9243/logout"
and the kibana.yml override:
xpack.security.authProviders: [saml]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.public:
  protocol: https
  hostname: ac41b2.us-central1.gcp.cloud.es.io
  port: 9243
Contents of https://p.oktapreview.com/app/xxxxxxxxx/sso/saml/metadata here:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/xxxxxxxxx">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            MIIDnjCCAoaxxxtaQqO6
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://p.oktapreview.com/app/pppreview_statssio_1/xxxxxxxxx/sso/saml" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://p.oktapreview.com/app/pppreview_statssio_1/xxxxxxxxx/sso/saml" />
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
After removing Basic authProvider completely, our error looks like:
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } } :: {\"path\":\"/_xpack/security/saml/authenticate\",\"query\":{},\"body\":\"{\\\"ids\\\":[],\\\"content\\\":\\\"PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48c2FtbDJwOlJlc3BvbnNlIHhtbG5zOnNhbWwycD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnByb3RvY29sIiBEZXN0aW5hdGlvbj0iaHR0cHM6Ly9hYzQxYjI2MTc0ZTk0NWE1ODBlNzNkNWZmN2MyZmVkM <snip>
"}\",\"statusCode\":401,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":[\\\"Bearer realm=\\\\\\\"security\\\\\\\"\\\",\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"]}}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":[\\\"Bearer realm=\\\\\\\"security\\\\\\\"\\\",\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"]}},\\\"status\\\":401}\",\"wwwAuthenticateDirective\":\"Bearer realm=\\\"security\\\", Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}"}
Unfortunately I am not the Okta administrator, but they have been in touch with Okta Support and tell me that the IDP is configured correctly. Elastic Support is telling me "this is not a cloud issue".
Is there a log I can check in the Cloud product that might give me some more insight into what is going wrong?
Thanks for any insight!!
Trevor
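The realm settings, the Kibana public URL and the Okta metadata quoted in the post have to agree on several points: the IdP entity ID, a NameID format the IdP actually offers for a `nameid:persistent` principal, an HTTP-Redirect SSO binding, a decodable signing certificate, and an `sp.acs` equal to the Kibana public URL plus `/api/security/v1/saml`. The following is an added example, not code from the post or from Elastic: a Python consistency check over constructed stand-in values (`example.okta.com`, `kibana.example.test`, a placeholder DER blob in place of a real certificate) that reports each mismatch so these causes can be ruled out before digging into realm logs.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the Okta metadata quoted in the post. The certificate
# value is a placeholder DER SEQUENCE (bytes 30 03 02 01 01), not a real X.509 cert.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate> MAMCAQE= </ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://example.okta.com/app/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed realm settings in the shape of the post's elasticsearch.yml override,
# and the matching xpack.security.public block from kibana.yml.
REALM = {"attributes.principal": "nameid:persistent",
         "idp.entity_id": "http://www.okta.com/exkEXAMPLE",
         "sp.entity_id": "https://kibana.example.test:9243/",
         "sp.acs": "https://kibana.example.test:9243/api/security/v1/saml"}
KIBANA_PUBLIC = {"protocol": "https", "hostname": "kibana.example.test", "port": 9243}

def check_saml_config(metadata_xml, realm, kibana_public):
    """Return a list of mismatches between IdP metadata, the ES realm and Kibana."""
    problems = []
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != realm["idp.entity_id"]:
        problems.append("idp.entity_id does not match metadata entityID")
    formats = [e.text.strip() for e in root.iterfind(".//md:NameIDFormat", NS)]
    if realm["attributes.principal"] == "nameid:persistent" and PERSISTENT not in formats:
        problems.append("principal uses nameid:persistent but the IdP does not offer that format")
    bindings = [e.get("Binding") for e in root.iterfind(".//md:SingleSignOnService", NS)]
    if REDIRECT not in bindings:
        problems.append("IdP offers no HTTP-Redirect SingleSignOnService binding")
    kd = root.find(".//md:KeyDescriptor[@use='signing']", NS)
    cert = kd.find(".//ds:X509Certificate", NS) if kd is not None else None
    try:  # the PEM body must be valid base64 and decode to a DER SEQUENCE (tag 0x30)
        der = base64.b64decode(cert.text.strip(), validate=True) if cert is not None else b""
    except ValueError:
        der = b""
    if not der or der[0] != 0x30:
        problems.append("signing certificate missing or not base64-encoded DER")
    acs = urlparse(realm["sp.acs"])  # sp.acs must be <kibana public url>/api/security/v1/saml
    expected = "{protocol}://{hostname}:{port}".format(**kibana_public)
    if "{}://{}".format(acs.scheme, acs.netloc) != expected or acs.path != "/api/security/v1/saml":
        problems.append("sp.acs does not match the Kibana public URL plus /api/security/v1/saml")
    return problems
```

Run it against the real metadata document and realm block; an empty list means these five settings line up and the fault lies elsewhere (for example in the assertion the IdP returns).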