Not able to login to Kibana with gsuite saml

HI,

I have enabled all the necessary features for SAML to work with ELK stack following below article on a test elk setup hosted in AWS environment
https://www.elastic.co/guide/en/elasticsearch/reference/6.5/saml-guide-authentication.html

but I am unable to make the configuration work.

I keep getting below error msg as soon as I launch the app from GSuite
//{"statusCode":404,"error":"Not Found","message":"Not Found"}

I am furnishing kibana.yml and elasticsearch.yml for reference

elasticsearch.yml
<xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/mydomain.com.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/mydomain.com.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/rootCA.crt" ]

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/mydomain.com.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/mydomain.com.crt
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/rootCA.crt" ]

xpack.security.authc.token.enabled: true

xpack.security.authc.realms.native.native1:
order: 0

xpack.security.authc.realms.saml.saml1:
order: 1
idp.metadata.path: /etc/elasticsearch/idp-external.xml
idp.entity_id: "https://accounts.google.com/o/saml2?idpid=xxxxxxxxxxxx"
sp.entity_id: "https://<aws_public_ip>:5601/"
sp.acs: "https://<aws_public_ip>:5601/api/security/v1/saml"
sp.logout: "https://<aws_public_ip>:5601/logout"
attributes.principal: "nameid:persistent"
attributes.groups: "roles"/>

Kibana.yml
<server.ssl.enabled: true
server.ssl.key: /home/ubuntu/data/mydomain.com.key
server.ssl.certificate: /home/ubuntu/data/mydomain.com.crt
xpack.security.authProviders: [saml]
xpack.security.authc.saml.realm: saml1
server.xsrf.whitelist: [/api/security/v1/saml] />

GSUITE details
ACS URL: https://<aws_pub_ip>:5601/api/security/saml/v1/saml
Entity ID: https://<aws_pub_ip>:5601

Please help me out, do let me know if more info is required

Please don't post unformatted code, logs, or configuration as it's very hard to read.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

  • Is elasticsearch and kibana running fine after you set the configuration ?
  • What does "I launch the app from GSuite" mean exactly ? Do you click on a link/button in Gsuite ? If so, what is the URL that this link points to ?

  • Where do you get this message from ? What is the URL on your browser when that message is shown ?

  • What happens when you try to navigate to https://<aws_pub_ip>:5601 ? Do you get redirected to google to authenticate ?

Apologies for not formatting the question @ikakavas.
Please find answer's to your questions.

  • Is elasticsearch and kibana running fine after you set the configuration ?
    Yes I am able to access elasticsearch and kibana with their respective url's. They both are hosted in same machines and ssl is configured for both of them.

  • What does "I launch the app from GSuite" mean exactly ? Do you click on a link/button in Gsuite ? If so, what is the URL that this link points to ?
    I have created a GSuite custom saml app for kibana, which I am trying to launch.
    The URL points to " https://<aws_pub_ip>:5601/api/security/saml/v1/saml"

  • Where do you get this message from ? What is the URL on your browser when that message is shown ?
    When I try to launch the app from GSuite it throws the mentioned error. The url on the browser is https://<aws_pub_ip>:5601/api/security/saml/v1/saml
    Note: I also see the same message when I try to access this url from my browser.

  • What happens when you try to navigate to https://<aws_pub_ip>:5601 ? Do you get redirected to google to authenticate ?
    When I try to access the above url it takes me to Kibana homepage. I am not redirected to google to authenticate.

Your Gsuite configuration appears to be wrong.

ACS URL: https://<aws_pub_ip>:5601/api/security/saml/v1/saml

should be the same value as your elasticsearch SAML realm configuration and the URL where kibana can handle requests which is

https://<aws_public_ip>:5601/api/security/v1/saml

Thanks @ikakavas it has solved that issue, but now has lead to different issue.

As soon as I changed the ACS url It asked me to enable xpack.security.enabled: true in elasticsearch.yml which I did, following that I am receiving below errors in kibana
Browser shows Kibana server is not ready yet

an 28 14:48:51 ip-xx-xx-xx kibana[27260]: {"type":"log","@timestamp":"2020-01-28T14:48:51Z","tags":["warning","plugins","licensing"],"pid":27260,"message":"License information could not be obtained from Elasticsearch for the [data] cluster. [security_exception] missing authentication credentials for REST request [/_xpack], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } } :: {\"path\":\"/_xpack\",\"statusCode\":401,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"missing authentication credentials for REST request [/_xpack]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":[\\\"Bearer realm=\\\\\\\"security\\\\\\\"\\\",\\\"ApiKey\\\",\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"]}}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"missing authentication credentials for REST request [/_xpack]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":[\\\"Bearer realm=\\\\\\\"security\\\\\\\"\\\",\\\"ApiKey\\\",\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"]}},\\\"status\\\":401}\",\"wwwAuthenticateDirective\":\"Bearer realm=\\\"security\\\", ApiKey, Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}"}

My question is do we have to enable xpack.security.enabled: true since document does not state that.

Yes, you need to have security enabled to use any authentication features.

This is not explicitly mentioned in every page of every authentication realm, but if you would read the documentation , you'd start from something like which does mention it https://www.elastic.co/guide/en/elasticsearch/reference/7.5/configuring-security.html

Also, in https://www.elastic.co/guide/en/elasticsearch/reference/7.5/saml-guide-authentication.html we mention that you need to enable the TokenService and TLS for the HTTP layer, which you can't do without security enabled.

I would think that duplicating this information (to set xpack.security.enabled: true ) in every part of the docs that refer to any security feature is too verbose, but I'll bring this up and see if we can make it any clearer for users. Thanks for the feedback!

Thanks for the clarification, so does that also mean I need to set basic security for elasticsearch (username/password) or will it be offloaded to SAML in case of SAML configuration?

See the IMPORTANT part in https://www.elastic.co/guide/en/elasticsearch/reference/7.5/saml-guide-authentication.html#saml-create-realm . In general, read through the relevant documentation once, it will hopefully answer many of your questions and give you a solid base to work on your integration!

1 Like

@ikakavas thanks for all the help, I was able to somehow resolve the issue until I landed on this error.
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] current license is non-compliant for [saml], with { license.expired.feature=\"saml\" }"}
For testing purpose I am using self signed certificates for ELK stack. Can you please let me know if SAML can work with self signed certificates. I have read through the article you mentioned but can't get my head around certificates.

This has nothing to do with certificates.

SAML is available with a platinum license and you are using a basic license. ( see here for information on what is available and under which license )

You can start a trial license for 30 days if you want to test out SAML.

Hi @ikakavas, I enabled trial license and have updated my elasticsearch.yml and kibana.yml to below configurations

elasticsearch.yml
-------------------------
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/mydomain.com.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/mydomain.com.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/rootCA.crt" ]

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/mydomain.com.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/mydomain.com.crt
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/rootCA.crt" ]

xpack.security.authc.token.enabled: true
xpack.security.authc.realms.native.native1:
  order: 0

xpack.security.authc.realms.saml.saml1:
  order: 2
  idp.metadata.path: /etc/elasticsearch/idp-external.xml
  idp.entity_id: "https://accounts.google.com/o/saml2?idpid=xxxxxxx"
  sp.entity_id: "https://aws_pub_ip:5601"
  sp.acs: "https://aws_pub_ip:5601/api/security/v1/saml"
  sp.logout: "https://aws_pub_ip:5601/logout"
  attributes.principal: "nameid"
  nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  attributes.mail: "user@domain.com"
kibana.yml
-----------------
elasticsearch.hosts: ["https://aws_pub_ip:9200"]
elasticsearch.username: kibana
elasticsearch.password: xxxxxxx
elasticsearch.ssl.certificateAuthorities: /home/ubuntu/data/rootCA.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /home/ubuntu/data/mydomain.com.key
server.ssl.certificate: /home/ubuntu/data/mydomain.com.crt
xpack.security.authProviders: [saml]
xpack.security.authc.saml.realm: saml1
server.xsrf.whitelist: [/api/security/v1/saml]

When I try to open app from GSuite I am getting
{"statusCode":403,"error":"Forbidden","message":"Forbidden"} error msg

I have almost tried all settings to make it work but I am unable to login to Kibana. Can you please help and let me know if I am missing something in configuration.

https://www.elastic.co/guide/en/elasticsearch/reference/7.5/saml-role-mapping.html

1 Like

Thanks @ikakavas finally I was able to resolve the issue. Thank you for all the guidance.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.