Multi Tenancy Single Sign on with Microsoft Entra

adamwood · September 10, 2024, 4:48pm

HI Folks, we are using Elastic Cloud, and would like to set up Single Sign on using Microsoft Entra, with the addition of using multiple (any) Microsoft Azure Tenants. I would like to achieve this without needing to register Entra Applications on each tenant.

I can use Set up SAML with Microsoft Entra ID | Elastic to get this working for our tenant, but have not been able to convert it to work multi tenant.

Our Entra App Registration is configured for multi tenant, yet I haven't quite figured out the elasticsearch.yml config to get this working.

Here is our elasticsearch.yml

xpack:
  security:
    authc:
      realms:
        saml:
          kibana-realm:
            order: 2
            attributes.principal: "nameid"
            attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
            idp.metadata.path: "https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml?appid=<our app ID>"
            idp.entity_id: "https://sts.windows.net/<our tenant ID>"
            sp.entity_id: "https://<our proxied URL>/"
            sp.acs: "https://<our proxied URL>/api/security/saml/callback"
            sp.logout: "https://<our proxied URL>/logout"

You will note in idp.metadata.path I swapped our tenant id for common. I also tried organizations.

I also note that the url reccomended by the guide for attributes.groups does not resolve properly.

Current error message is when trying to log in is:

Error: [security_exception
	Root causes:
		security_exception: Cannot get role descriptors [type/name={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor] because the metadata [location=https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml?appid=<our app ID>] for SAML entity [id=https://sts.windows.net/<our tenant ID>] could not be resolved]: Cannot get role descriptors [type/name={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor] because the metadata [location=https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml?appid=XXXXX] for SAML entity [id=https://sts.windows.net/<our tenant ID>] could not be resolved
    at login_form_LoginForm.loginWithSelector (https://<our proxied URL>/8aa0b59da12c/bundles/plugin/security/1.0.0/security.chunk.6.js:3:29606)

Any help would be much appreciated. Happy to send logs, but currently none are showing on the cloud 'Logs and Metrics' page.

adamwood · September 10, 2024, 6:12pm

Removed #elastic-cloud

Topic		Replies	Views
How to Azure Entra ID Groups for SAML SSO? Elasticsearch	2	173	February 29, 2024
Elasticsearch SAML problems Elasticsearch elastic-stack-security	2	123	May 8, 2024
How to allow Users access Kibana on Elastic Cloud on Azure? Kibana	3	686	August 16, 2021
Unable to enable saml for cloud deployment with Azure Kibana elastic-stack-security	6	329	January 11, 2023
Realm discovery with SAML integration Elasticsearch elastic-stack-security	7	754	August 8, 2019

Multi Tenancy Single Sign on with Microsoft Entra

Related topics