Not able to login to Kibana with gsuite saml

Ravi_Gusain · January 28, 2020, 9:28am

HI,

I have enabled all the necessary features for SAML to work with ELK stack following below article on a test elk setup hosted in AWS environment
https://www.elastic.co/guide/en/elasticsearch/reference/6.5/saml-guide-authentication.html

but I am unable to make the configuration work.

I keep getting below error msg as soon as I launch the app from GSuite
//{"statusCode":404,"error":"Not Found","message":"Not Found"}

I am furnishing kibana.yml and elasticsearch.yml for reference

elasticsearch.yml
<xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/mydomain.com.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/mydomain.com.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/rootCA.crt" ]

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/mydomain.com.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/mydomain.com.crt
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/rootCA.crt" ]

xpack.security.authc.token.enabled: true

xpack.security.authc.realms.native.native1:
order: 0

xpack.security.authc.realms.saml.saml1:
order: 1
idp.metadata.path: /etc/elasticsearch/idp-external.xml
idp.entity_id: "https://accounts.google.com/o/saml2?idpid=xxxxxxxxxxxx"
sp.entity_id: "https://<aws_public_ip>:5601/"
sp.acs: "https://<aws_public_ip>:5601/api/security/v1/saml"
sp.logout: "https://<aws_public_ip>:5601/logout"
attributes.principal: "nameid:persistent"
attributes.groups: "roles"/>

Kibana.yml
<server.ssl.enabled: true
server.ssl.key: /home/ubuntu/data/mydomain.com.key
server.ssl.certificate: /home/ubuntu/data/mydomain.com.crt
xpack.security.authProviders: [saml]
xpack.security.authc.saml.realm: saml1
server.xsrf.whitelist: [/api/security/v1/saml] />

GSUITE details
ACS URL: https://<aws_pub_ip>:5601/api/security/saml/v1/saml
Entity ID: https://<aws_pub_ip>:5601

Please help me out, do let me know if more info is required

ikakavas · January 28, 2020, 1:01pm

Please don't post unformatted code, logs, or configuration as it's very hard to read.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

Is elasticsearch and kibana running fine after you set the configuration ?

What does "I launch the app from GSuite" mean exactly ? Do you click on a link/button in Gsuite ? If so, what is the URL that this link points to ?
Where do you get this message from ? What is the URL on your browser when that message is shown ?
What happens when you try to navigate to https://<aws_pub_ip>:5601 ? Do you get redirected to google to authenticate ?

Ravi_Gusain · January 28, 2020, 2:12pm

Apologies for not formatting the question @ikakavas.
Please find answer's to your questions.

Is elasticsearch and kibana running fine after you set the configuration ?
Yes I am able to access elasticsearch and kibana with their respective url's. They both are hosted in same machines and ssl is configured for both of them.
What does "I launch the app from GSuite" mean exactly ? Do you click on a link/button in Gsuite ? If so, what is the URL that this link points to ?
I have created a GSuite custom saml app for kibana, which I am trying to launch.
The URL points to " https://<aws_pub_ip>:5601/api/security/saml/v1/saml"
Where do you get this message from ? What is the URL on your browser when that message is shown ?
When I try to launch the app from GSuite it throws the mentioned error. The url on the browser is https://<aws_pub_ip>:5601/api/security/saml/v1/saml
Note: I also see the same message when I try to access this url from my browser.
What happens when you try to navigate to https://<aws_pub_ip>:5601 ? Do you get redirected to google to authenticate ?
When I try to access the above url it takes me to Kibana homepage. I am not redirected to google to authenticate.

ikakavas · January 28, 2020, 2:25pm

Your Gsuite configuration appears to be wrong.

ACS URL: https://<aws_pub_ip>:5601/api/security/saml/v1/saml

should be the same value as your elasticsearch SAML realm configuration and the URL where kibana can handle requests which is

https://<aws_public_ip>:5601/api/security/v1/saml

Ravi_Gusain · January 28, 2020, 2:55pm

Thanks @ikakavas it has solved that issue, but now has lead to different issue.

As soon as I changed the ACS url It asked me to enable xpack.security.enabled: true in elasticsearch.yml which I did, following that I am receiving below errors in kibana
Browser shows Kibana server is not ready yet

an 28 14:48:51 ip-xx-xx-xx kibana[27260]: {"type":"log","@timestamp":"2020-01-28T14:48:51Z","tags":["warning","plugins","licensing"],"pid":27260,"message":"License information could not be obtained from Elasticsearch for the [data] cluster. [security_exception] missing authentication credentials for REST request [/_xpack], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } } :: {\"path\":\"/_xpack\",\"statusCode\":401,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"missing authentication credentials for REST request [/_xpack]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":[\\\"Bearer realm=\\\\\\\"security\\\\\\\"\\\",\\\"ApiKey\\\",\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"]}}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"missing authentication credentials for REST request [/_xpack]\\\",\\\"header\\\":{\\\"WWW-Authenticate\\\":[\\\"Bearer realm=\\\\\\\"security\\\\\\\"\\\",\\\"ApiKey\\\",\\\"Basic realm=\\\\\\\"security\\\\\\\" charset=\\\\\\\"UTF-8\\\\\\\"\\\"]}},\\\"status\\\":401}\",\"wwwAuthenticateDirective\":\"Bearer realm=\\\"security\\\", ApiKey, Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}"}

My question is do we have to enable xpack.security.enabled: true since document does not state that.

ikakavas · January 28, 2020, 3:06pm

Yes, you need to have security enabled to use any authentication features.

This is not explicitly mentioned in every page of every authentication realm, but if you would read the documentation , you'd start from something like which does mention it https://www.elastic.co/guide/en/elasticsearch/reference/7.5/configuring-security.html

Also, in https://www.elastic.co/guide/en/elasticsearch/reference/7.5/saml-guide-authentication.html we mention that you need to enable the TokenService and TLS for the HTTP layer, which you can't do without security enabled.

I would think that duplicating this information (to set xpack.security.enabled: true ) in every part of the docs that refer to any security feature is too verbose, but I'll bring this up and see if we can make it any clearer for users. Thanks for the feedback!

Ravi_Gusain · January 28, 2020, 3:34pm

Thanks for the clarification, so does that also mean I need to set basic security for elasticsearch (username/password) or will it be offloaded to SAML in case of SAML configuration?

ikakavas · January 28, 2020, 3:36pm

See the IMPORTANT part in https://www.elastic.co/guide/en/elasticsearch/reference/7.5/saml-guide-authentication.html#saml-create-realm . In general, read through the relevant documentation once, it will hopefully answer many of your questions and give you a solid base to work on your integration!

Ravi_Gusain · January 28, 2020, 5:19pm

@ikakavas thanks for all the help, I was able to somehow resolve the issue until I landed on this error.
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] current license is non-compliant for [saml], with { license.expired.feature=\"saml\" }"}
For testing purpose I am using self signed certificates for ELK stack. Can you please let me know if SAML can work with self signed certificates. I have read through the article you mentioned but can't get my head around certificates.

ikakavas · January 28, 2020, 5:44pm

This has nothing to do with certificates.

SAML is available with a platinum license and you are using a basic license. ( see here for information on what is available and under which license )

You can start a trial license for 30 days if you want to test out SAML.

Ravi_Gusain · January 29, 2020, 9:23am

Hi @ikakavas, I enabled trial license and have updated my elasticsearch.yml and kibana.yml to below configurations

elasticsearch.yml
-------------------------
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.key: /etc/elasticsearch/mydomain.com.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/mydomain.com.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/rootCA.crt" ]

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/mydomain.com.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/mydomain.com.crt
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/rootCA.crt" ]

xpack.security.authc.token.enabled: true
xpack.security.authc.realms.native.native1:
  order: 0

xpack.security.authc.realms.saml.saml1:
  order: 2
  idp.metadata.path: /etc/elasticsearch/idp-external.xml
  idp.entity_id: "https://accounts.google.com/o/saml2?idpid=xxxxxxx"
  sp.entity_id: "https://aws_pub_ip:5601"
  sp.acs: "https://aws_pub_ip:5601/api/security/v1/saml"
  sp.logout: "https://aws_pub_ip:5601/logout"
  attributes.principal: "nameid"
  nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  attributes.mail: "user@domain.com"

kibana.yml
-----------------
elasticsearch.hosts: ["https://aws_pub_ip:9200"]
elasticsearch.username: kibana
elasticsearch.password: xxxxxxx
elasticsearch.ssl.certificateAuthorities: /home/ubuntu/data/rootCA.crt
elasticsearch.ssl.verificationMode: certificate
server.ssl.enabled: true
server.ssl.key: /home/ubuntu/data/mydomain.com.key
server.ssl.certificate: /home/ubuntu/data/mydomain.com.crt
xpack.security.authProviders: [saml]
xpack.security.authc.saml.realm: saml1
server.xsrf.whitelist: [/api/security/v1/saml]

When I try to open app from GSuite I am getting
{"statusCode":403,"error":"Forbidden","message":"Forbidden"} error msg

I have almost tried all settings to make it work but I am unable to login to Kibana. Can you please help and let me know if I am missing something in configuration.

ikakavas · January 29, 2020, 9:39am

Ravi_Gusain · January 30, 2020, 5:55am

Thanks @ikakavas finally I was able to resolve the issue. Thank you for all the guidance.

system · February 27, 2020, 5:55am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Kibana SAML authentication issue Elasticsearch elastic-stack-security	16	8019	March 14, 2018
Using GSuite for SAML integration with Elastic Stack (ElasticSearch + Kibana) Elastic Cloud Enterprise (ECE) elastic-stack-security	3	3376	December 21, 2018
SSO not working on ECK with Oracle cloud IDP Elasticsearch elastic-stack-security	2	14	October 24, 2024
SAML error with ELK Stack Elasticsearch elastic-stack-security	51	3766	May 1, 2019
SAML OKTA on KIBANA not working Elasticsearch elastic-stack-security	5	1119	February 25, 2020

Not able to login to Kibana with gsuite saml

Related Topics