Kibana SAML setup having auth issue

Hello, I have an NGINX proxy server which forwards requests to Kibana. I wanted to have SSO authentication using SAML for Kibana. My setup is as below:

(1) NGINX config:

```nginx
server {
    listen 443;
    server_name gpcs-sre-nonprod-elk.panclouddev.com 10.181.131.242;
    ssl on;
    ssl_certificate /etc/nginx/ssl/FQDN.pem;
    ssl_certificate_key /etc/nginx/ssl/FQDN.key;
    location /kibana {
        proxy_pass https://172.20.241.201;
        proxy_set_header X-Forwarded-Host FQDN;
        #proxy_set_header sec-fetch-mode cors;
        proxy_set_header kbn-xsrf 7.1.1;
    }
}
```

(2) Elasticsearch config (elasticsearch.yml):

```yaml
elasticsearch.yml: |
  xpack.security.enabled: true
  xpack.security.transport.ssl.enabled: true
  xpack.security.transport.ssl.verification_mode: certificate
  xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
  xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
  xpack.security.http.ssl.enabled: true
  xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
  xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
  xpack.security.authc.token.enabled: true
  xpack.security.authc.realms.saml.kibana_saml:
    order: 2
    idp.metadata.path: saml/idp-metadata.xml
    idp.entity_id: "http://www.okta.com/<randomstring_id>"
    sp.entity_id:  "https://FQDN/kibana"
    sp.acs: "https://FQDN/kibana/api/security/v1/saml"
    sp.logout: "https://FQDN/kibana/logout"
    attributes.principal: "nameid"
    attributes.groups: "roles"
    attributes.mail: "mail"
  xpack.security.authProviders: [saml]
  xpack.security.auth.saml.realm: kibana_saml
```

(3) Kibana config (kibana.yml, from the ConfigMap):

```yaml
data:
  kibana.yml: |
    # Default Kibana configuration for docker target
    server.name: kibana
    server.host: "0"
    server.basePath: "/kibana"
    server.rewriteBasePath: true
    elasticsearch.hosts: "https://elasticsearch-master:9200"
    server.ssl:
      enabled: true
      key: /usr/share/kibana/config/certs/kibana/kibana.key
      certificate: /usr/share/kibana/config/certs/kibana/kibana.crt
    xpack.security.encryptionKey: something_at_least_32_characters
    xpack.security.public:
      protocol: https
      hostname: FQDN
      port: 443
    server.xsrf.whitelist: [/api/security/v1/saml]
    elasticsearch.ssl:
      certificateAuthorities: /usr/share/kibana/config/certs/elastic-certificate.pem
      verificationMode: certificate
```

(4) idp-metadata.xml

```xml
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/<randomstring_id>">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>

          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    </md:NameIDFormat>
    <md:NameIDFormat>
      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    </md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https:////sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="//sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
```

(5) Logs in the Kibana pod:

```
{"type":"response","@timestamp":"2019-10-29T01:35:07Z","tags":,"pid":1,"method":"post","statusCode":401,"req":{"url":"/api/security/v1/saml","method":"post","headers":{"x-forwarded-host":"FQDN","kbn-xsrf":"7.1.1","host":"172.20.241.201","connection":"close","content-length":"41041","cache-control":"max-age=0","origin":"https://.okta.com","upgrade-insecure-requests":"1","dnt":"1","content-type":"application/x-www-form-urlencoded","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36","sec-fetch-mode":"navigate","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3","sec-fetch-site":"cross-site","referer":"https://.okta.com/app/prod_elasticsearchdev_1/<randomstring_id>/sso/saml","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"172.20.240.46","userAgent":"172.20.240.46","referer":"https://.okta.com/app/prod_elasticsearchdev_1/<randomstring_id>/sso/saml"},"res":{"statusCode":401,"responseTime":25,"contentLength":9},"message":"POST /api/security/v1/saml 401 25ms - 9.0B"}
```

(6) The message in the browser is:

```
{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}
```

I am trying the URL from the idp-metadata.xml file directly, as it appears in the SSO binding line at the end. It does go to Okta and it does send back the token, but somehow Kibana is declining the request. Any help would be greatly appreciated.

Please don't post unformatted code, logs, or configuration as it's very hard to read.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

This is problematic, as described in our troubleshooting doc on Symptom 1.

You'd need something like `hostname: FQDN/kibana` for your setup to work, and I'm not even sure this is possible.

Otherwise, you'd need to upgrade to 7.3 or later, where we introduced `xpack.security.authc.saml.realm` in kibana.yml and deprecated the `xpack.security.public.*` configuration. You'd then replace

```yaml
xpack.security.public:
  protocol: https
  hostname: FQDN
  port: 443
```

with

```yaml
xpack.security.authc.saml.realm: kibana_saml
```
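The mismatch described in this reply, turned into a small check. This is an added example, not Kibana or Elasticsearch code: it assembles the ACS URL the way the error message later in this thread shows Kibana building it (protocol, hostname, explicit port, then the base path and `/api/security/v1/saml`) and selects the realm the way Elasticsearch does, by exact string comparison of `sp.acs`, or by realm name when Kibana 7.3+ sends one. The settings values are constructed from the configuration posted above; `FQDN` is the poster's placeholder, and the function names are the example's own.

```python
"""Check whether Kibana's SAML ACS URL matches an Elasticsearch SAML realm.

Added example (not Kibana/Elasticsearch code). Sample values are constructed
from the configuration posted in this thread; FQDN is the poster's placeholder.
"""
from urllib.parse import urlsplit

# Constructed sample: pre-7.3 Kibana settings (xpack.security.public.* and server.basePath)
KIBANA_PUBLIC = {"protocol": "https", "hostname": "FQDN", "port": 443}
KIBANA_BASE_PATH = "/kibana"

# Constructed sample: SAML realms as declared under xpack.security.authc.realms.saml
ES_SAML_REALMS = {
    "kibana_saml": {"sp.acs": "https://FQDN/kibana/api/security/v1/saml"},
}


def build_kibana_acs(public, base_path):
    """ACS URL as Kibana (pre-7.3) assembles it: protocol://hostname:port + basePath + endpoint.
    The explicit port is always included, which is what the error in this thread shows."""
    return (f"{public['protocol']}://{public['hostname']}:{public['port']}"
            f"{base_path}/api/security/v1/saml")


def resolve_realm(realms, realm_name=None, acs_url=None):
    """Mimic Elasticsearch's realm selection for a SAML prepare request:
    by realm name when Kibana sends one (7.3+), otherwise by exact sp.acs string match."""
    if realm_name is not None:
        return [realm_name] if realm_name in realms else []
    return [name for name, cfg in realms.items() if cfg.get("sp.acs") == acs_url]


def diagnose(public, base_path, realms, realm_name=None):
    """Return the ACS URL Kibana would send, the realms that match, and a hint for
    near-misses that differ only in whether the default port is spelled out."""
    acs = build_kibana_acs(public, base_path)
    matched = resolve_realm(realms, realm_name=realm_name, acs_url=acs)
    hints = []
    if not matched and realm_name is None:
        want = urlsplit(acs)
        for name, cfg in realms.items():
            have = urlsplit(cfg.get("sp.acs", ""))
            # Same scheme, host and path, but only one side writes the port: Symptom 1 above.
            if (want.scheme, want.hostname, want.path) == (have.scheme, have.hostname, have.path):
                hints.append(
                    f"realm {name}: sp.acs differs from Kibana's ACS only by the explicit port "
                    f"({want.port!r} vs {have.port!r}); set sp.acs to {acs} or, on 7.3+, "
                    f"configure xpack.security.authc.saml.realm: {name} in kibana.yml"
                )
    return {"acs": acs, "matched": matched, "hints": hints}


if __name__ == "__main__":
    report = diagnose(KIBANA_PUBLIC, KIBANA_BASE_PATH, ES_SAML_REALMS)
    print(report["acs"], report["matched"] or "no matching realm")
    for hint in report["hints"]:
        print(" -", hint)
    # The 7.3+ path: Kibana passes the realm name instead of an ACS URL.
    print(diagnose(KIBANA_PUBLIC, KIBANA_BASE_PATH, ES_SAML_REALMS, realm_name="kibana_saml")["matched"])
```

Run against the thread's values it reports no matching realm and a hint that `sp.acs` lacks the `:443` Kibana puts in the URL; with `realm_name` set, as on 7.3+, the ACS string no longer takes part in the lookup.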

Hi @ikakavas,
This is Arun here, I work with @pshahkibana. We noticed that SAML is not enabled in the basic license. We upgraded the license to premium, and after that we see this issue:

```
Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://xxxxxx:443/kibana/api/security/v1/saml}]","name":"Error","stack":"[security_exception] Cannot find any matching realm for 
```

The URL it's trying to match is the proxy URL, and it looks correct, except that when we use the proxy URL in the browser we do not specify port 443, as it's HTTPS already.
In elasticsearch.yml:

```yaml
sp.acs: "https://xxxxx/kibana/api/security/v1/saml"
```

Reading the troubleshooting guide, I tried changing it to

```yaml
sp.acs: "https://xxxxx:443/kibana/api/security/v1/saml"
```

How does the 7.3 version work?

```yaml
xpack.security.authc.saml.realm: kibana_saml
```

And? What happened?

Apologies, but I don't understand your question.

After adding the 443 to elasticsearch.yml, I could not even log in to Elasticsearch directly, let alone Kibana; I kept getting 502 Bad Gateway.

On the 7.3 question:
how does it solve the issue when Kibana is behind a proxy? I can try building a new 7.4 cluster on our GKE cluster and try.

Apologies, but I can't really understand how you couldn't log in to Elasticsearch directly and what throws the 502. You would need to share a little more detail: your configuration and error logs.

It solves it because Kibana doesn't need to build and pass the ACS URL to Elasticsearch; it passes the realm name. Feel free to try this out.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.