Likely root cause: ElasticsearchSecurityException[Cannot find metadata for entity http://xxx.xxx.xx]

Hello,

I'm trying to integrate ELK with Keycloak and I've encountered some problems. I'm not an expert on the ELK side, so I did some configuration in the Kibana/Elasticsearch YML files:

Elasticsearch.yml

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.authc.token.enabled: true
xpack.security.authc.realms:
  saml.saml1:
    order: 2
    idp.metadata.path: saml-elasticsearch-metadata.xml
    idp.entity_id: "http://192.168.XXX.XX1:8080/auth/realms/grafana/protocol/saml"
    sp.entity_id:  "http://192.168.XXX.XX2:5601/"
    sp.acs: "http://192.168.XXX.XX:56012/api/security/v1/saml"
    sp.logout: "http://192.168.XXX.XX2:5601/logout"
    attributes.principal: "nameid:persistent"

kibana.yml

xpack.security.authc.providers: [saml]
xpack.security.authc.saml.realm: saml1
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.enabled: true

Log error Elasticsearch:

Nov 08 09:30:25 localhost.localdomain systemd[1]: Starting Elasticsearch...
Nov 08 09:30:29 localhost.localdomain systemd-entrypoint[9048]: WARNING: A terminally deprecated method in java.lang.System has been called
Nov 08 09:30:29 localhost.localdomain systemd-entrypoint[9048]: WARNING: System::setSecurityManager has been called by org.elasticsearch.bootstrap.Elasticsearch (file:/usr/share/elasticsearch/lib/elasticsearch-
Nov 08 09:30:29 localhost.localdomain systemd-entrypoint[9048]: WARNING: Please consider reporting this to the maintainers of org.elasticsearch.bootstrap.Elasticsearch
Nov 08 09:30:29 localhost.localdomain systemd-entrypoint[9048]: WARNING: System::setSecurityManager will be removed in a future release
Nov 08 09:30:31 localhost.localdomain systemd-entrypoint[9048]: WARNING: A terminally deprecated method in java.lang.System has been called
Nov 08 09:30:31 localhost.localdomain systemd-entrypoint[9048]: WARNING: System::setSecurityManager has been called by org.elasticsearch.bootstrap.Security (file:/usr/share/elasticsearch/lib/elasticsearch-7.15.
Nov 08 09:30:31 localhost.localdomain systemd-entrypoint[9048]: WARNING: Please consider reporting this to the maintainers of org.elasticsearch.bootstrap.Security
Nov 08 09:30:31 localhost.localdomain systemd-entrypoint[9048]: WARNING: System::setSecurityManager will be removed in a future release
Nov 08 09:30:45 localhost.localdomain systemd-entrypoint[9048]: uncaught exception in thread [main]
Nov 08 09:30:45 localhost.localdomain systemd-entrypoint[9048]: java.lang.IllegalStateException: security initialization failed
Nov 08 09:30:45 localhost.localdomain systemd-entrypoint[9048]: Likely root cause: ElasticsearchSecurityException[Cannot find metadata for entity [http://192.168.xxx.xx1:8080/auth/realms/grafana/protocol/saml] 
Nov 08 09:30:45 localhost.localdomain systemd-entrypoint[9048]: at org.elasticsearch.xpack.security.authc.saml.SamlUtils.samlException(SamlUtils.java:106)
Nov 08 09:30:45 localhost.localdomain systemd-entrypoint[9048]: at org.elasticsearch.xpack.security.authc.saml.SamlRealm.resolveEntityDescriptor(SamlRealm.java:630)

I have generated metadata for realm = saml1 with below command:

[root@localhost elasticsearch]# bin/elasticsearch-saml-metadata --realm saml1
What is the friendly name for "principal" attribute "nameid:persistent" [default: principa

Thank you for your help

The error means the entityID http://192.168.XXX.XX1:8080/auth/realms/grafana/protocol/saml is not found in the file saml-elasticsearch-metadata.xml.

Quote from the documentation:

idp.metadata.path is the path to the metadata file that you saved for your Identity Provider. The path that you enter here is relative to your config/ directory. Elasticsearch will automatically monitor this file for changes and will reload the configuration whenever it is updated.

The file should be provided by your IdP, not generated by Elasticsearch. elasticsearch-saml-metadata is for generating the SP metadata to upload to your IdP if necessary, and it is not relevant to your current error.
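The mistake in this thread (pointing idp.metadata.path at the SP metadata that elasticsearch-saml-metadata emits, so the configured idp.entity_id is never found) can be caught before Elasticsearch refuses to start. The following script is an added example, not Elasticsearch or Keycloak code: it parses a SAML metadata document, lists the entityIDs it declares, reports whether the file describes an IdP (IDPSSODescriptor) or an SP (SPSSODescriptor), and flags near matches that differ only by trailing slash or case. Both metadata documents embedded below are constructed, and the idp.example.test / kibana.example.test host names are placeholders.

```python
"""Pre-flight check for an Elasticsearch SAML realm configuration.

Verifies that the value configured as idp.entity_id is declared by an
EntityDescriptor in the file given as idp.metadata.path, and that the file
describes an Identity Provider (IDPSSODescriptor) rather than the Service
Provider metadata emitted by elasticsearch-saml-metadata. Added example,
not Elasticsearch or Keycloak code; both metadata documents below are
constructed, and the host names are placeholders.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ENTITY_DESCRIPTOR = "{%s}EntityDescriptor" % MD_NS
ROLE_TAGS = {
    "{%s}IDPSSODescriptor" % MD_NS: "IDP",
    "{%s}SPSSODescriptor" % MD_NS: "SP",
}

# Constructed stand-in for the metadata exported from a Keycloak realm
# (Keycloak wraps the EntityDescriptor in an EntitiesDescriptor).
IDP_ENTITY_ID = "http://idp.example.test:8080/auth/realms/grafana/protocol/saml"
IDP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="{IDP_ENTITY_ID}">
  <md:EntityDescriptor entityID="{IDP_ENTITY_ID}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="{IDP_ENTITY_ID}"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Constructed stand-in for SP metadata of the kind elasticsearch-saml-metadata
# generates: it names Kibana, not the IdP, and carries an SPSSODescriptor.
SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="http://kibana.example.test:5601/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://kibana.example.test:5601/api/security/v1/saml" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def entity_ids(xml_text: str) -> List[str]:
    """entityID of every EntityDescriptor, whether it is the root element or
    nested inside an EntitiesDescriptor (root.iter includes the root itself)."""
    root = ET.fromstring(xml_text)
    return [ed.attrib.get("entityID", "") for ed in root.iter(ENTITY_DESCRIPTOR)]


def descriptor_roles(xml_text: str) -> Set[str]:
    """Which SAML roles the document describes: "IDP", "SP", or both."""
    root = ET.fromstring(xml_text)
    return {role for tag, role in ROLE_TAGS.items() for _ in root.iter(tag)}


def check_idp_metadata(xml_text: str, configured_entity_id: str) -> Dict[str, object]:
    """Mirror the lookup Elasticsearch performs at realm start-up, but explain
    a failure instead of only raising 'Cannot find metadata for entity'."""
    ids = entity_ids(xml_text)
    roles = descriptor_roles(xml_text)
    normalise = lambda s: s.rstrip("/").lower()
    near = [i for i in ids
            if i != configured_entity_id and normalise(i) == normalise(configured_entity_id)]
    problems = []
    if configured_entity_id not in ids:
        problems.append("idp.entity_id %r not declared; file declares %r"
                        % (configured_entity_id, ids))
    if near:
        problems.append("near match differs only by trailing slash or case: %r" % near)
    if "IDP" not in roles:
        problems.append("file has no IDPSSODescriptor (roles found: %s); "
                        "it looks like SP metadata" % sorted(roles))
    return {"ok": not problems, "declared": ids, "roles": roles, "problems": problems}


if __name__ == "__main__":
    # The second case reproduces the thread's misconfiguration.
    for label, doc in (("IdP metadata", IDP_METADATA), ("SP metadata", SP_METADATA)):
        result = check_idp_metadata(doc, IDP_ENTITY_ID)
        print(label, "OK" if result["ok"] else "FAIL")
        for problem in result["problems"]:
            print("  -", problem)
```

To use it against a real deployment, read the file named by idp.metadata.path (relative to the Elasticsearch config/ directory) and pass its contents together with the realm's idp.entity_id; the near-match check is worth keeping because the comparison Elasticsearch makes is an exact string match, so a trailing slash added by a copy-and-paste is enough to produce the same error.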

Thank you, I've copied the idp-metadata from the Keycloak Realm and now it works.
