Not able to login to kibana with SAML IdP(Siteminder)

Hi,

We are trying to authenticate Elasticsearch with a SAML realm using an IdP (Siteminder) on a development Elasticsearch setup.
https://www.elastic.co/guide/en/elasticsearch/reference/master/saml-guide-authentication.html#saml-enable-http

The following are the settings we got from the Siteminder team, and the same has been configured in the Elasticsearch SAML realms.

idp.metadata_url: metadata xml file
idp.entity_id:  SiteMinder
sp.entity_id:   sp:xxx:xxxx
SAML Assertion Consumer Service URL:    http://<Kibana-Server>:5601/_es/_security/saml/acs/idpinitiated. 

We will use the following URL to connect to your application once you get SAML configured on the Kibana side.

https://xxx.employees.www.xxx.com/affwebservices/public/saml2sso?SPID=sp:xxx:xxxx

But when we try to connect to Kibana, I am getting the below error.
{"statusCode":404,"error":"Not Found","message":"Not Found"}

Unfortunately, this is not how this works. Siteminder (or the IDP in general) cannot dictate what the SAML Assertion Consumer Service URL will be. This is up to the Service Provider to decide and the Identity Provider needs to support this. See Configure Elasticsearch for SAML authentication | Elasticsearch Guide [master] | Elastic:

The Assertion Consumer Service (ACS) endpoint is the URL within Kibana that accepts authentication messages from the IdP. This ACS endpoint supports the SAML HTTP-POST binding only. It must be a URL that is accessible from the web browser of the user who is attempting to login to Kibana, it does not need to be directly accessible by Elasticsearch or the IdP. The correct value may vary depending on how you have installed Kibana and whether there are any proxies involved, but it will typically be ${kibana-url}/api/security/saml/callback where ${kibana-url} is the base URL for your Kibana instance.

So in your case it needs to be

http://<Kibana-Server>:5601/api/security/saml/callback 

Also, please share your exact configuration from elasticsearch and kibana as we now can only guess how you have configured it and as such we can't make suggestions on what needs to be changed or adjusted.

but while we try to connect kibana I am getting below error.

It is always preferable to add the exact steps and the exact errors and details. "we try to connect kibana" might mean different things to different people.

  • How do you try to connect?
  • Which URL do you try to access?

Thanks @ikakavas for your prompt response. Please find below the updated configuration at Elastic. I am new to xpack security configuration.

Elasticsearch configuration

xpack.security.authc.token.enabled: true
xpack.security.authc.realms.saml.saml1:
  order: 2
  idp.metadata.path: "saml/SiteMinderMetadata-dev.xml"
  idp.entity_id: "SiteMinder"
  sp.entity_id:  "sp:xx:xxx"
  sp.acs: "http://xx.xx.xx.xx:5601/api/security/saml/callback"
  attributes.principal: "format:unspecified"
  attributes.groups: "roles"

Kibana configuration

xpack.security.authc.providers: [saml]
xpack.security.authc.saml.realm: saml1
server.xsrf.whitelist: [/api/security/saml/callback]

How do you try to connect?

http://xx.xx.xx.xx:5601

Here is the new error in the browser.

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}

Elastic logs.

[2020-05-06T11:50:22,040][WARN ][o.e.x.s.a.AuthenticationService] [elk-dev9] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML Response is not a 'success' response: The SAML IdP did not grant the request. It indicated that the Elastic Stack side sent something invalid (urn:oasis:names:tc:SAML:2.0:status:Requester). Message: [The NameIDPolicy format agreement between SP and IdP is not met!] Specific status code which might indicate what the issue is: [urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy]])

This is wrong, there is no such value so this will never work. Depending on what NameID format your IDP is using you will need to adjust this as we point out in our documentation (please take the time to read through the whole SAML guide, it will be immensely helpful for you).

Also the logs point out the exact error:

[2020-05-06T11:50:22,040][WARN ][o.e.x.s.a.AuthenticationService] [elk-dev9] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML Response is not a 'success' response: The SAML IdP did not grant the request. It indicated that the Elastic Stack side sent something invalid (urn:oasis:names:tc:SAML:2.0:status:Requester). Message: [The NameIDPolicy format agreement between SP and IdP is not met!] Specific status code which might indicate what the issue is: [urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy]])

You need to go to your IDP admin and ask them what kind of formats they support for NameID. When you get your answers, you need to add:

nameid_format: <the format that your idp will tell you>    

in your saml realm configuration in elasticsearch.

@ikakavas Thanks, I am working with the SAML team and will update you. BTW, the below details have been shared by the SAML team, but I am not sure how I need to configure this in the SAML realms.

NameID: Unspecified
Name ID Format: Unspecified
Name ID Type: User Attribute
Value: cn

Regards/-
Harsh

Error in Elastic logs:

[2020-05-08T06:10:18,135][WARN ][o.e.x.s.a.AuthenticationService] [elk-dev9] Authentication to realm saml1 failed - SAML Attribute [unspecified] for [xpack.security.authc.realms.saml.saml1.attributes.principal] not found in saml attributes[] or NameID [NameId(urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified)=xprl187]

I've already answered this above and I pointed you to our docs, please take the time to read through them 🙂

Change

attributes.principal: "format:unspecified"

to

attributes.principal: nameid

and it will work.

Updated attributes.principal: nameid. Now there is no error message in the logs, but I am still not able to access.

Kibana browser response.
{"statusCode":403,"error":"Forbidden","message":"Forbidden"}

Regards/-
Harsh

Please go through our documentation as your questions are already answered in there: https://www.elastic.co/guide/en/elasticsearch/reference/7.6/saml-role-mapping.html and you won't have to wait for someone in the forums to get the time to reply!

Thanks, let me go through the documentation. I will raise a case with Elastic on Monday if I am not able to resolve it. We need to take this on priority.

[2020-05-08T11:44:44,819][WARN ][o.e.x.s.a.AuthenticationService] [elk-dev9] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML content is in-response-to [_becc4a673120867ff8deca5ff94f59659ebaa3d9] but expected one of [] ])

Regards/-
Harsh

I have shared the known issue document with our SAML team and asked them to verify sp.entity_id. Forgot to mention that.

@ikakavas, I tried to follow the SAML-related documentation, but I am still getting the below error.

{"statusCode":403,"error":"Forbidden","message":"Forbidden"}

Please help! I am sure I am missing something very basic.

Information shared by IdP:

idp.metadata_url:  metadata file attached to SID
idp.entity_id:  SiteMinder
sp.entity_id: "http://xx.xx.xx.xx:5601"
SAML Assertion Consumer Service URL:"http://xx.xx.xx.xx:5601/api/security/saml/callback"

We will use the following URL to connect to your application once you get SAML configured on the Kibana side.
SAML:https://xxx.employees.com/affwebservices/public/saml2sso?SPID=http://xx.xx.xx.xx:5601

ElasticSearch configuration

xpack.security.authc.token.enabled: true
xpack.security.authc.realms.saml.saml1:
  order: 5
  idp.metadata.path: "saml/PTC-BDM-SiteMinderMetadata-dev.xml"
  idp.entity_id: "SiteMinder"
  sp.entity_id:  "http://xx.xx.xx.xx:5601"
  sp.acs: "http://xx.xx.xx.xx:5601/api/security/saml/callback"
  attributes.principal: "nameid"
  nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

Kibana Configuration:

xpack.security.authc.providers: [saml]
xpack.security.authc.saml.realm: saml1
server.xsrf.whitelist: [/api/security/saml/callback]

Role Mapping as per document:

curl -k -u elastic:elastic -X POST "https://localhost:9200/_security/role/bdm_own_index?pretty" -H 'Content-Type: application/json' -d'
{
  "cluster": [ "manage","manage_security" ],
  "indices": [
    {
      "names": [ "*" ],
      "privileges": [ "all" ]
    }
  ]
}
'


curl -k -u elastic:elastic -X PUT "https://localhost:9200/_security/role_mapping/saml-example?pretty" -H 'Content-Type: application/json' -d'
{
  "roles": [ "bdm_own_index" ], 
  "enabled": true,
  "rules": {
    "field": { "realm.name": "saml1" }
  }
}
'

SAML Trace logs

[2020-05-11T03:33:26,858][TRACE][o.e.x.s.a.s.SamlRealm    ] [elk-dev9] Constructed SAML Authentication Request: <?xml version="1.0" encoding="UTF-8"?><saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://xx.xx.xx.xx:5601/api/security/saml/callback" Destination="https://xxx.employees.com/affwebservices/public/saml2sso" ID="_f2d5fcc2cbbdf5810d60b119bbe1177739265841" IssueInstant="2020-05-11T08:33:26.855Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://xx.xx.xx.xx:5601</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>

[2020-05-11T03:33:29,365][TRACE][o.e.x.s.a.s.SamlAuthenticator] [elk-dev9] Received SAML Message: <?xml version="1.0" encoding="UTF-8"?><Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://xx.xx.xx.xx:5601/api/security/saml/callback" ID="_37ea1e045fb3030990e0239c5a54a94a859d" InResponseTo="_f2d5fcc2cbbdf5810d60b119bbe1177739265841" IssueInstant="2020-05-11T08:33:29Z" Version="2.0">

  <ns1:Issuer xmlns:ns1="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">SiteMinder</ns1:Issuer>

  <Status>

    <StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>

  </Status>

  <ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c7fa708b8a5b2f0ea215a3a489fd1a99f4e6" IssueInstant="2020-05-11T08:33:29Z" Version="2.0">

    <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">SiteMinder</ns2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

      <ds:SignedInfo>

        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

        <ds:Reference URI="#_c7fa708b8a5b2f0ea215a3a489fd1a99f4e6">

          <ds:Transforms>

            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

          </ds:Transforms>

          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

          <ds:DigestValue>xNLM2WrDLR2cA6ssjGDXwtRskt8=</ds:DigestValue>

        </ds:Reference>

      </ds:SignedInfo>

      <ds:SignatureValue>
VzUlDQ2Vxh4dX8fFk8mLmMT+1PfCzSFh8RmVHi1pin9Qzg150IdOddGtC1mJ7V/3koZ/F8hI3TPE
GB6BJOMLUb2ShvBt0FtjDANiNJ6K9F3/40Ne7xYz5BxWo4Qb+KO3tAhF2MNFFif/oGg/6qkq++Th
V0Ld5mLiMFhrrfpa9C4=
</ds:SignatureValue>

      <ds:KeyInfo>

        <ds:X509Data>

          <ds:X509Certificate>
MIIG2jCCBcKgAwIBAgITbAAAB1BSmSiIw82........
</ds:X509Certificate>

        </ds:X509Data>

      </ds:KeyInfo>

    </ds:Signature>

    <ns2:Subject>

      <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xx1234</ns2:NameID>

      <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

        <ns2:SubjectConfirmationData InResponseTo="_f2d5fcc2cbbdf5810d60b119bbe1177739265841" NotOnOrAfter="2020-05-11T08:34:59Z" Recipient="http://xx.xx.xx.xx:5601/api/security/saml/callback"/>

      </ns2:SubjectConfirmation>

    </ns2:Subject>

    <ns2:Conditions NotBefore="2020-05-11T08:32:59Z" NotOnOrAfter="2020-05-11T08:34:59Z">

      <ns2:AudienceRestriction>

        <ns2:Audience>http://xx.xx.xx.xx:5601</ns2:Audience>

      </ns2:AudienceRestriction>

    </ns2:Conditions>

    <ns2:AuthnStatement AuthnInstant="2020-05-11T08:33:27Z" SessionIndex="WStJSeMZqKBdZCKUXLrSMtTmmy0=R+4mww==">

      <ns2:AuthnContext>

        <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>

      </ns2:AuthnContext>

    </ns2:AuthnStatement>

    <ns2:AttributeStatement>

      <ns2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

        <ns2:AttributeValue>xx1234</ns2:AttributeValue>

      </ns2:Attribute>

    </ns2:AttributeStatement>

  </ns2:Assertion>

</Response>


[2020-05-11T03:33:29,372][TRACE][o.e.x.s.a.s.SamlAuthenticator] [elk-dev9] SAML Response: [
    Destination: http://xx.xx.xx.xx:5601/api/security/saml/callback
    Response ID: _37ea1e045fb3030990e0239c5a54a94a859d
    In response to: _f2d5fcc2cbbdf5810d60b119bbe1177739265841
    Response issued at:2020-05-11T08:33:29.000Z
    Issuer: SiteMinder
    Number of unencrypted Assertions: 1
    Number of encrypted Assertions: 0
]
[2020-05-11T03:33:29,373][TRACE][o.e.x.s.a.s.SamlAuthenticator] [elk-dev9] (Possibly decrypted) Assertion: <?xml version="1.0" encoding="UTF-8"?><ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c7fa708b8a5b2f0ea215a3a489fd1a99f4e6" IssueInstant="2020-05-11T08:33:29Z" Version="2.0">

  <ns2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">SiteMinder</ns2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

    <ds:SignedInfo>

      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

      <ds:Reference URI="#_c7fa708b8a5b2f0ea215a3a489fd1a99f4e6">

        <ds:Transforms>

          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>

          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

        </ds:Transforms>

        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>

        <ds:DigestValue>xNLM2WrDLR2cA6ssjGDXwtRskt8=</ds:DigestValue>

      </ds:Reference>

    </ds:SignedInfo>

    <ds:SignatureValue>
VzUlDQ2Vxh4dX8fFk8mLmMT+1PfCzSFh8RmVHi1pin9Qzg150IdOddGtC1mJ7V/3koZ/F8hI3TPE
GB6BJOMLUb2ShvBt0FtjDANiNJ6K9F3/40Ne7xYz5BxWo4Qb+KO3tAhF2MNFFif/oGg/6qkq++Th
V0Ld5mLiMFhrrfpa9C4=
</ds:SignatureValue>

    <ds:KeyInfo>

      <ds:X509Data>

        <ds:X509Certificate>
MIIG2jCCBcKgAwIBAgITbAAAB1BSmSiIw82/OgABAAAHUDANBgkqhkiG9w0BAQsFADB6MRMwEQYK....
</ds:X509Certificate>

      </ds:X509Data>

    </ds:KeyInfo>

  </ds:Signature>

  <ns2:Subject>

    <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xx1234</ns2:NameID>

    <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">

      <ns2:SubjectConfirmationData InResponseTo="_f2d5fcc2cbbdf5810d60b119bbe1177739265841" NotOnOrAfter="2020-05-11T08:34:59Z" Recipient="http://xx.xx.xx.xx:5601/api/security/saml/callback"/>

    </ns2:SubjectConfirmation>

  </ns2:Subject>

  <ns2:Conditions NotBefore="2020-05-11T08:32:59Z" NotOnOrAfter="2020-05-11T08:34:59Z">

    <ns2:AudienceRestriction>

      <ns2:Audience>http://xx.xx.xx.xx:5601</ns2:Audience>

    </ns2:AudienceRestriction>

  </ns2:Conditions>

  <ns2:AuthnStatement AuthnInstant="2020-05-11T08:33:27Z" SessionIndex="WStJSeMZqKBdZCKUXLrSMtTmmy0=R+4mww==">

    <ns2:AuthnContext>

      <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>

    </ns2:AuthnContext>

  </ns2:AuthnStatement>

  <ns2:AttributeStatement>

    <ns2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">

      <ns2:AttributeValue>xx1234</ns2:AttributeValue>

    </ns2:Attribute>

  </ns2:AttributeStatement>

</ns2:Assertion>

[2020-05-11T03:33:29,375][TRACE][o.e.x.s.a.s.SamlAuthenticator] [elk-dev9] SAML Assertion: [
    Response ID: _c7fa708b8a5b2f0ea215a3a489fd1a99f4e6
    Response issued at: 2020-05-11T08:33:29.000Z
    Issuer: SiteMinder
    Number of attribute statements: 1
    Number of authentication statements: 1
]
[2020-05-11T03:33:29,378][DEBUG][o.e.x.s.a.s.SamlAuthenticator] [elk-dev9] SAML Signature [xNLM2WrDLR2cA6ssjGDXwtRskt8=
VzU...] matches credentials [SiteMinder] [Sun RSA public key, 1024 bits
  params: null
  modulus: 150037027029131405666870678801388362618216320053498627795668215182572498272193191145397960734604590393443746148705686520081897569335675904369595090475935295685099377152984753471782777896782389800665693406452143645538553304150458989515562313109296436422407479547396962393969761067262854310918826424006962964973
  public exponent: 65537]
[2020-05-11T03:33:29,378][TRACE][o.e.x.s.a.s.SamlAuthenticator] [elk-dev9] SAML Assertion was intended for the following Service providers: http://xx.xx.xx.xx:5601
[2020-05-11T03:33:29,378][TRACE][o.e.x.s.a.s.SamlAuthenticator] [elk-dev9] SAML Assertion is only valid between: 2020-05-11T08:32:59.000Z and 2020-05-11T08:34:59.000Z
[2020-05-11T03:33:29,379][TRACE][o.e.x.s.a.s.SamlAuthenticator] [elk-dev9] SAML Assertion Subject Confirmation intended recipient is: http://xx.xx.xx.xx:5601/api/security/saml/callback
[2020-05-11T03:33:29,379][TRACE][o.e.x.s.a.s.SamlAuthenticator] [elk-dev9] SAML Assertion Subject Confirmation is only valid before: 2020-05-11T08:34:59.000Z
[2020-05-11T03:33:29,379][TRACE][o.e.x.s.a.s.SamlAuthenticator] [elk-dev9] SAML Assertion Subject Confirmation is in response to: _f2d5fcc2cbbdf5810d60b119bbe1177739265841
[2020-05-11T03:33:29,379][TRACE][o.e.x.s.a.s.SamlAuthenticator] [elk-dev9] SAML AttributeStatement has [1] attributes and [0] encrypted attributes
[2020-05-11T03:33:29,379][TRACE][o.e.x.s.a.s.SamlAuthenticator] [elk-dev9] The SAML Assertion contained the following attributes:
username=[xx1234]

[2020-05-11T03:33:29,380][DEBUG][o.e.x.s.a.s.SamlRealm    ] [elk-dev9] Parsed token [SamlToken{3c526573706f6e736520786d6c6e733d2275726e3a6f617369733a6e616d65733a74633a53414d4c3a322e303a70726f746f636f6c222044657374696e617469...}] to attributes [SamlAttributes(NameId(urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified)=xx1234)[WStJSeMZqKBdZCKUXLrSMtTmmy0=R+4mww==]{[username=[xx1234]]}]

Your user now has access to the necessary indices for data in Elasticsearch but no access to Kibana. Give them the kibana_admin role in the role mapping, or look into Kibana authorization for more fine-grained access to Kibana.

If this doesn't solve your issue somehow, enable DEBUG logging for logger.org.elasticsearch.xpack.security.authc.support.mapper and read through these logs, these will have all the necessary information. If I understood correctly, you already have a support contract so it might be worth it to raise this through your support engineer to get more timely answers and more detailed assistance.

Thanks Ioannis. Now I am able to access Kibana. I will look into the Kibana authorization documentation as suggested by you.
Regards/-
Harsh
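
The comparisons that the trace lines in this thread report (audience, validity window, recipient, InResponseTo), together with the two realm settings corrected along the way (`nameid_format` and `attributes.principal`), as an added Python sketch that is not part of the thread and not Elasticsearch's own code. The assertion is a constructed, trimmed copy of the one in the trace; `check_assertion`, `REALM`, `SENT_ID` and `TRACE_TIME` are hypothetical names, and only the special principal value `nameid` is modelled.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SENT_ID = "_f2d5fcc2cbbdf5810d60b119bbe1177739265841"  # AuthnRequest ID in the trace
TRACE_TIME = datetime(2020, 5, 11, 8, 33, 29, tzinfo=timezone.utc)  # response IssueInstant

# Realm settings from the thread's final elasticsearch.yml (addresses masked as posted).
REALM = {
    "sp.entity_id": "http://xx.xx.xx.xx:5601",
    "sp.acs": "http://xx.xx.xx.xx:5601/api/security/saml/callback",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "attributes.principal": "nameid",
}

# Constructed sample: the assertion from the trace, trimmed, signature block left out.
ASSERTION = f"""<ns2:Assertion xmlns:ns2="{NS['a']}" ID="_constructed" Version="2.0">
  <ns2:Subject>
    <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xx1234</ns2:NameID>
    <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <ns2:SubjectConfirmationData InResponseTo="{SENT_ID}" Recipient="http://xx.xx.xx.xx:5601/api/security/saml/callback"/>
    </ns2:SubjectConfirmation>
  </ns2:Subject>
  <ns2:Conditions NotBefore="2020-05-11T08:32:59Z" NotOnOrAfter="2020-05-11T08:34:59Z">
    <ns2:AudienceRestriction><ns2:Audience>http://xx.xx.xx.xx:5601</ns2:Audience></ns2:AudienceRestriction>
  </ns2:Conditions>
  <ns2:AttributeStatement>
    <ns2:Attribute Name="username"><ns2:AttributeValue>xx1234</ns2:AttributeValue></ns2:Attribute>
  </ns2:AttributeStatement>
</ns2:Assertion>"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, realm, now, sent_ids):
    """Return the realm settings (or checks) the assertion does not satisfy."""
    root = ET.fromstring(xml_text)  # trusted sample; signature validation is not modelled
    name_id = root.find("a:Subject/a:NameID", NS)
    scd = root.find("a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    cond = root.find("a:Conditions", NS)
    audiences = [e.text for e in root.iterfind(".//a:Audience", NS)]
    attrs = {e.get("Name") for e in root.iterfind(".//a:Attribute", NS)}
    problems = []
    if name_id is None or name_id.get("Format") != realm["nameid_format"]:
        problems.append("nameid_format")
    if realm["sp.entity_id"] not in audiences:
        problems.append("sp.entity_id")
    if scd.get("Recipient") != realm["sp.acs"]:
        problems.append("sp.acs")
    if scd.get("InResponseTo") not in sent_ids:
        problems.append("in-response-to")
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        problems.append("validity window")
    # Assumption: only the special value "nameid" is modelled; anything else must name an attribute.
    if realm["attributes.principal"] != "nameid" and realm["attributes.principal"] not in attrs:
        problems.append("attributes.principal")
    return problems
```

With `attributes.principal` set to `format:unspecified` the function returns `['attributes.principal']`, and with an empty set of sent request IDs it returns `['in-response-to']`, matching the two failures logged earlier in the thread. Signature validation is out of scope here; the trace shows the IdP signing with `rsa-sha1` and a 1024-bit RSA key, which is worth raising with the IdP team.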
