Likely root cause: ElasticsearchSecurityException[Cannot find metadata for entity http://xxx.xxx.xx]

slashlinux · November 8, 2021, 2:32pm

Hello,

I'm trying to integrate ELK with Keycloak and I've encountered some problems, I'm not expert on elk side so I did some configuration on Kibana/Elasticsearch YML:

Elasticsearch.yml

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.authc.token.enabled: true
xpack.security.authc.realms:
  saml.saml1:
    order: 2
    idp.metadata.path: saml-elasticsearch-metadata.xml
    idp.entity_id: "http://192.168.XXX.XX1:8080/auth/realms/grafana/protocol/saml"
    sp.entity_id:  "http://192.168.XXX.XX2:5601/"
    sp.acs: "http://192.168.XXX.XX:56012/api/security/v1/saml"
    sp.logout: "http://192.168.XXX.XX2:5601/logout"
    attributes.principal: "nameid:persistent"

kibana.yml

xpack.security.authc.providers: [saml]
xpack.security.authc.saml.realm: saml1
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.enabled: true

Log error Elasticsearch:

Nov 08 09:30:25 localhost.localdomain systemd[1]: Starting Elasticsearch...
Nov 08 09:30:29 localhost.localdomain systemd-entrypoint[9048]: WARNING: A terminally deprecated method in java.lang.System has been called
Nov 08 09:30:29 localhost.localdomain systemd-entrypoint[9048]: WARNING: System::setSecurityManager has been called by org.elasticsearch.bootstrap.Elasticsearch (file:/usr/share/elasticsearch/lib/elasticsearch-
Nov 08 09:30:29 localhost.localdomain systemd-entrypoint[9048]: WARNING: Please consider reporting this to the maintainers of org.elasticsearch.bootstrap.Elasticsearch
Nov 08 09:30:29 localhost.localdomain systemd-entrypoint[9048]: WARNING: System::setSecurityManager will be removed in a future release
Nov 08 09:30:31 localhost.localdomain systemd-entrypoint[9048]: WARNING: A terminally deprecated method in java.lang.System has been called
Nov 08 09:30:31 localhost.localdomain systemd-entrypoint[9048]: WARNING: System::setSecurityManager has been called by org.elasticsearch.bootstrap.Security (file:/usr/share/elasticsearch/lib/elasticsearch-7.15.
Nov 08 09:30:31 localhost.localdomain systemd-entrypoint[9048]: WARNING: Please consider reporting this to the maintainers of org.elasticsearch.bootstrap.Security
Nov 08 09:30:31 localhost.localdomain systemd-entrypoint[9048]: WARNING: System::setSecurityManager will be removed in a future release
Nov 08 09:30:45 localhost.localdomain systemd-entrypoint[9048]: uncaught exception in thread [main]
Nov 08 09:30:45 localhost.localdomain systemd-entrypoint[9048]: java.lang.IllegalStateException: security initialization failed
Nov 08 09:30:45 localhost.localdomain systemd-entrypoint[9048]: Likely root cause: ElasticsearchSecurityException[Cannot find metadata for entity [http://192.168.xxx.xx1:8080/auth/realms/grafana/protocol/saml] 
Nov 08 09:30:45 localhost.localdomain systemd-entrypoint[9048]: at org.elasticsearch.xpack.security.authc.saml.SamlUtils.samlException(SamlUtils.java:106)
Nov 08 09:30:45 localhost.localdomain systemd-entrypoint[9048]: at org.elasticsearch.xpack.security.authc.saml.SamlRealm.resolveEntityDescriptor(SamlRealm.java:630)

I have generated metadata for realm = saml1 with below command:

[root@localhost elasticsearch]# bin/elasticsearch-saml-metadata --realm saml1
What is the friendly name for "principal" attribute "nameid:persistent" [default: principa

Thank you for your help

Yang_Wang · November 8, 2021, 11:57pm

The error means the entityID http://192.168.XXX.XX1:8080/auth/realms/grafana/protocol/saml is not found in the file saml-elasticsearch-metadata.xml.

Quote from the documentation:

idp.metadata.path is the path to the metadata file that you saved for your Identity Provider. The path that you enter here is relative to your config/ directory. Elasticsearch will automatically monitor this file for changes and will reload the configuration whenever it is updated.

The file should be provided by your idP, not generated by elasticsearch. The elasticsearch-saml-metadata is for generating the SP metadata and upload to your idP if necessary and it is not relevant to your current error.

slashlinux · November 9, 2021, 7:13am

Thank you, I've copied the idp-metadata from the Keycloak Realm and now it works.

system · December 7, 2021, 7:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cannot find metadata for entity [...] in SAML xml despite it being there Elasticsearch elastic-stack-security	6	2602	July 2, 2019
SAML error with ELK Stack Elasticsearch elastic-stack-security	51	3767	May 1, 2019
ELK Stack integration with Keycloak Elasticsearch elastic-stack-security	15	22299	January 9, 2020
Kibana SAML implementation issues Kibana	10	2588	October 10, 2018
X-pack - SAML issue - ELK 6.4 Elasticsearch elastic-stack-security	7	2353	November 21, 2018

Likely root cause: ElasticsearchSecurityException[Cannot find metadata for entity http://xxx.xxx.xx]

Related topics