Hi folks, we are using Elastic Cloud and would like to set up single sign-on using Microsoft Entra, with the addition of supporting multiple (any) Microsoft Azure tenants. I would like to achieve this without needing to register Entra applications on each tenant.
I can use Set up SAML with Microsoft Entra ID | Elastic to get this working for our tenant, but have not been able to convert it to work multi-tenant.
Our Entra app registration is configured as multi-tenant, yet I haven't quite figured out the elasticsearch.yml config to get this working.
Here is our elasticsearch.yml:
xpack:
  security:
    authc:
      realms:
        saml:
          kibana-realm:
            order: 2
            attributes.principal: "nameid"
            attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
            idp.metadata.path: "https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml?appid=<our app ID>"
            idp.entity_id: "https://sts.windows.net/<our tenant ID>"
            sp.entity_id: "https://<our proxied URL>/"
            sp.acs: "https://<our proxied URL>/api/security/saml/callback"
            sp.logout: "https://<our proxied URL>/logout"
You will note that in idp.metadata.path I swapped our tenant id for "common". I also tried "organizations".
I also note that the URL recommended by the guide for attributes.groups does not resolve properly.
The current error message when trying to log in is:
Error: [security_exception
Root causes:
security_exception: Cannot get role descriptors [type/name={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor] because the metadata [location=https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml?appid=<our app ID>] for SAML entity [id=https://sts.windows.net/<our tenant ID>] could not be resolved]: Cannot get role descriptors [type/name={urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor] because the metadata [location=https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml?appid=XXXXX] for SAML entity [id=https://sts.windows.net/<our tenant ID>] could not be resolved
at login_form_LoginForm.loginWithSelector (https://<our proxied URL>/8aa0b59da12c/bundles/plugin/security/1.0.0/security.chunk.6.js:3:29606)
Any help would be much appreciated. Happy to send logs, but currently none are showing on the cloud 'Logs and Metrics' page.
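The error quoted above says Elasticsearch fetched the metadata document but could not find an IDPSSODescriptor for the configured idp.entity_id in it. As an added diagnostic (example code written for this thread, not from Elastic or Microsoft), the script below parses a SAML metadata document, lists every entityID that carries an IDPSSODescriptor, and reports whether the configured idp.entity_id matches one of them exactly, whether it differs only by a trailing slash, and whether any entityID still contains a {placeholder} rather than a concrete tenant. The metadata document embedded in the script is constructed for the example; to check the real thing, download the federation metadata URL from the config over HTTPS and pass the bytes to check_entity_id. The function names and the sample tenant id are my own.

```python
"""Diagnostic for the "metadata ... for SAML entity ... could not be resolved"
error: does the metadata document actually contain the configured entity id?

Added example for this thread; not code from Elastic or Microsoft.
"""
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
MD = "{%s}" % NS_MD

# Constructed sample metadata (NOT a real download): one IdP entity whose
# entityID ends in a trailing slash, plus a second entity that has only an
# SPSSODescriptor and must therefore be ignored by the check.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="utf-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://sts.windows.net/11111111-2222-3333-4444-555555555555/">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                           Location="https://login.example.test/saml2"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.test/">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def list_idp_entity_ids(metadata_xml: bytes) -> list:
    """Return the entityID of every EntityDescriptor that has an IDPSSODescriptor.

    Handles both a bare <EntityDescriptor> root and an <EntitiesDescriptor>
    wrapping several entities.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag == MD + "EntityDescriptor":
        descriptors = [root]
    else:
        descriptors = list(root.iter(MD + "EntityDescriptor"))
    return [d.get("entityID") for d in descriptors
            if d.find(MD + "IDPSSODescriptor") is not None]


def check_entity_id(metadata_xml: bytes, configured_entity_id: str) -> dict:
    """Compare the configured idp.entity_id against the entities in the metadata.

    Elasticsearch matches the entity id as an exact string, so the report
    distinguishes an exact hit from a near miss that differs only by a
    trailing slash, and flags entityIDs that still contain a {placeholder}.
    """
    ids = list_idp_entity_ids(metadata_xml)
    exact = configured_entity_id in ids
    slash_only = (not exact) and any(
        i.rstrip("/") == configured_entity_id.rstrip("/") for i in ids)
    templated = [i for i in ids if "{" in i and "}" in i]
    return {
        "found": exact,
        "differs_only_by_trailing_slash": slash_only,
        "templated_entity_ids": templated,
        "idp_entity_ids": ids,
    }


if __name__ == "__main__":
    # Hypothetical configured value: same tenant id, no trailing slash.
    configured = "https://sts.windows.net/11111111-2222-3333-4444-555555555555"
    report = check_entity_id(SAMPLE_METADATA, configured)
    print("configured idp.entity_id :", configured)
    print("IdP entities in metadata :", report["idp_entity_ids"])
    print("exact match              :", report["found"])
    print("trailing-slash mismatch  :", report["differs_only_by_trailing_slash"])
    print("templated entityIDs      :", report["templated_entity_ids"])
```

Run it against the downloaded metadata (for example `curl -sS "<idp.metadata.path URL>" > md.xml`, then `check_entity_id(open("md.xml", "rb").read(), "<your idp.entity_id>")`). If the report shows no exact match, the value to put in idp.entity_id is one of the listed idp_entity_ids, character for character; if it shows a templated entityID, the endpoint you fetched is not returning tenant-specific metadata. Fetch the metadata only over HTTPS and keep comparing entity ids exactly, since the entity id is what binds the signing certificates in the metadata to the issuer of incoming assertions.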