Kibana SAML setup having auth issue

Hello, I have NGINX proxy server which forwards requests to kibana. I wanted to have SSO authentication using SAML for Kibana. My setup is as below:

(1)NGIX config:
server {
listen 443;
ssl on;
ssl_certificate /etc/nginx/ssl/FQDN.pem;
ssl_certificate_key /etc/nginx/ssl/FQDN.key;
location /kibana {
proxy_set_header X-Forwarded-Host FQDN;
#proxy_set_header sec-fetch-mode cors;
proxy_set_header kbn-xsrf 7.1.1;

(2) ES config.yml

elasticsearch.yml: | true true certificate /usr/share/elasticsearch/config/certs/elastic-certificates.p12 /usr/share/elasticsearch/config/certs/elastic-certificates.p12 true /usr/share/elasticsearch/config/certs/elastic-certificates.p12 /usr/share/elasticsearch/config/certs/elastic-certificates.p12 true
    order: 2
    idp.metadata.path: saml/idp-metadata.xml
    idp.entity_id: "<randomstring_id>"
    sp.entity_id:  "https://FQDN/kibana"
    sp.acs: "https://FQDN/kibana/api/security/v1/saml"
    sp.logout: "https://FQDN/kibana/logout"
    attributes.principal: "nameid"
    attributes.groups: "roles"
    attributes.mail: "mail" [saml] kibana_saml

(3) Kibana yml

kibana.yml: |
# Default Kibana configuration for docker target kibana "0"
server.basePath: "/kibana"
server.rewriteBasePath: true
elasticsearch.hosts: "https://elasticsearch-master:9200"
enabled: true
key: /usr/share/kibana/config/certs/kibana/kibana.key
certificate: /usr/share/kibana/config/certs/kibana/kibana.crt something_at_least_32_characters
protocol: https
hostname: FQDN
port: 443
server.xsrf.whitelist: [/api/security/v1/saml]
certificateAuthorities: /usr/share/kibana/config/certs/elastic-certificate.pem
verificationMode: certificate

(4) idp-metadata.xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="<randomstring_id">
<md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="">

<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https:////sso/saml"/>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="//sso/saml"/>

(5) logs in kibana pod
{"type":"response","@timestamp":"2019-10-29T01:35:07Z","tags":,"pid":1,"method":"post","statusCode":401,"req":{"url":"/api/security/v1/saml","method":"post","headers":{"x-forwarded-host”:”FQDN”,”kbn-xsrf":"7.1.1","host":"","connection":"close","content-length":"41041","cache-control":"max-age=0","origin":"","upgrade-insecure-requests":"1","dnt":"1","content-type":"application/x-www-form-urlencoded","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36","sec-fetch-mode":"navigate","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3","sec-fetch-site":"cross-site","referer":"<randomstring_id>/sso/saml","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"","userAgent":"","referer":"<randomstring_id>/sso/saml"},"res":{"statusCode":401,"responseTime":25,"contentLength":9},"message":"POST /api/security/v1/saml 401 25ms - 9.0B"}

(6) message on the browser is :

I am trying directly the URL appearing in idp-metadata.xml file as it appears in sso binding line in the end. It does go to okta and it does send backs the token but somehow kibana is declining the request. Any help would be greatly appreciated.

Please don't post unformatted code, logs, or configuration as it's very hard to read.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

This is problematic, as described in our troubleshooting doc on Symptom 1.

You'd need something like hostname: FQDN/kibana for your setup to work, and I'm not even sure this is possible.

Otherwise, you'd need to upgrade to 7.3 or later where we introduced in kibana.yml and deprecated the* configuration. You'd then replace
  protocol: https
  hostname: FQDN
  port: 443

with kibana_saml

Hi @ikakavas
This is Arun here , i work with @pshahkibana. We noticed the saml is not enabled in th e basic license we upgraded the license to premium, after that we see this issue

Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://xxxxxx:443/kibana/api/security/v1/saml}]","name":"Error","stack":"[security_exception] Cannot find any matching realm for 

The url its trying to match is the proxy url it looks correct, except for when use the proxy url in browser we do not specify the port 443, as its https already
In elastic search .yaml
sp.acs: "https://xxxxxl/kibana/api/security/v1/saml"

reading the troubleshooting guide, i tried changing it to

sp.acs: "https://xxxxx:443/kibana/api/security/v1/saml"

How does the 7.3 version work kibana_saml

And ? What happened?

Apologies but I dont understand your question

after adding the 443 to elasticsearch yaml, i could not even login into elasticsearch directly let alone kibana , kept getting 502 bad gateway

on the 7.3 question was
how does it solve the issue when kibana is behind proxy. i can try building a new 7.4 cluster on our gke cluster and try

Apologies but I cant really understand how you couldn't login to elasticsearch directly and what throws 502. You would need to share a little more detail, your configuration and error logs

It solves it because kibana doeant need to build and pass the acs url to elasticsearch, it passes the realm name. Feel free to try this out

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.