SAML authentication request scoping (using IDP proxy)

Hi all,

I am now trying to test ELK doing auth using SAML. The basic flow is OK since I can follow the documentation. But I think that one of the cases does not fit. I would like to use ELK as an SP, connect to an IDP proxy and have it forward the request to the real IDP. But I find that there is no configuration in Elasticsearch so that I can create the tag in the SAML AuthnRequest XML. So I cannot use the IDP approach. Any idea on that?

thx

capho

Hi there,

What tag would that be? Can you point us to the relevant specification that describes the IDP proxy flow that you're trying to implement? Thanks!

Hi @ikakavas ,

I am referencing the documentation for the IDP proxy setup:

https://wikis.forgerock.org/confluence/display/openam/SAMLv2+IDP+Proxy+Part+1.+Setting+up+a+simple+Proxy+scenario

https://docs.oracle.com/cd/E19316-01/820-3746/ghgfu/index.html

One of the criteria for setting up an IDP proxy is that the SP (that means ELK) needs to enable the IDP proxy in the AuthnRequest. But Elasticsearch.yaml doesn't have this configuration.

So the request with IDP proxy support should then be:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    ID="s27974e1a9401fcf8031f0fb001fc297f03def1398"
                    Version="2.0"
                    IssueInstant="2022-02-22T15:11:47Z"
                    Destination="http://idpproxy.example.com:8084/openamIDPProxy/SSORedirect/metaAlias/proxyidp"
                    ForceAuthn="false" IsPassive="false"
                    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                    AssertionConsumerServiceURL="http://sp.example.net:8082/openamSP/Consumer/metaAlias/sp">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://sp.example.net:8082/openamSP</saml:Issuer>
    <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                        Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                        SPNameQualifier="http://sp.example.net:8082/openamSP" AllowCreate="true"></samlp:NameIDPolicy>
    <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
        <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
    <samlp:Scoping xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ProxyCount="2">
    </samlp:Scoping>
</samlp:AuthnRequest>

The samlp:Scoping element is required for the IDP proxy:

    <samlp:Scoping xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ProxyCount="2">
    </samlp:Scoping>

But since there are no similar options in Elasticsearch.yaml, I can just make it like:

xpack.security.authc.realms.saml.saml1:
  order: 2
  idp.metadata.path: saml/idp-metadata.xml
  idp.entity_id: "idpproxy.example.com"
  sp.entity_id:  "kibana.example.com"
  sp.acs: "http://kibana.example.com/api/security/saml/callback"
  sp.logout: "http://kibana.example.com/logout"
  attributes.principal: "nameid"
  attributes.groups: "roles"
  nameid_format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  nameid.allow_create: true
  force_authn : true
  nameid.sp_qualifier: "kibana.example.com"
  req_authn_context_class_ref: "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

so that the Kibana-generated AuthnRequest will be:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                     ID="_ac8bafc45f29621b382132dceb5730f6bce7ead0"
                     Version="2.0"
                     IssueInstant="2022-02-22T15:34:29.791Z"
                     Destination="http://idpproxy.example.com:8084/openamIDPProxy/SSORedirect/metaAlias/proxyidp"
                     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                     AssertionConsumerServiceURL="http://kibana.example.com/api/security/saml/callback">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">kibana.example.com</saml2:Issuer>
    <saml2p:NameIDPolicy AllowCreate="true"
                         Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
                         SPNameQualifier="kibana.example.com"/>
    <saml2p:RequestedAuthnContext Comparison="exact">
        <saml2:AuthnContextClassRef xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
            urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
        </saml2:AuthnContextClassRef>
    </saml2p:RequestedAuthnContext>
</saml2p:AuthnRequest>

So I just want to see how to add the "Scoping" field in the Kibana request for my IDP proxy route.

thx

capho
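As an added example (not code from this thread, from Elasticsearch or from OpenAM), the following Python inspects an SP AuthnRequest for the samlp:Scoping/ProxyCount element an IdP proxy needs, and shows how that element would be appended (for instance in a test harness) before the request is signed. The sample request is constructed for this example and mirrors the Kibana one above.

```python
import xml.etree.ElementTree as ET

# Namespaces from SAML 2.0 core, as used by the requests in the thread.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAMLP = "{%s}" % NS["samlp"]

# Constructed sample: an SP AuthnRequest without Scoping, like the Kibana one.
SAMPLE_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-id" Version="2.0" IssueInstant="2022-02-22T15:34:29Z"
    Destination="http://idpproxy.example.com:8084/openamIDPProxy/SSORedirect/metaAlias/proxyidp"
    AssertionConsumerServiceURL="http://kibana.example.com/api/security/saml/callback">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">kibana.example.com</saml:Issuer>
  <samlp:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"/>
</samlp:AuthnRequest>"""


def describe_request(xml_text):
    """Extract the fields an IdP proxy needs, including the ProxyCount."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest: %s" % root.tag)
    issuer = root.find("saml:Issuer", NS)
    scoping = root.find("samlp:Scoping", NS)
    proxy_count = None
    if scoping is not None and scoping.get("ProxyCount") is not None:
        proxy_count = int(scoping.get("ProxyCount"))
    return {
        "issuer": issuer.text.strip() if issuer is not None else None,
        "acs": root.get("AssertionConsumerServiceURL"),
        "destination": root.get("Destination"),
        "has_scoping": scoping is not None,
        "proxy_count": proxy_count,
        # A proxy may only forward the request when ProxyCount is present
        # and greater than zero; ProxyCount="0" forbids proxying.
        "proxyable": proxy_count is not None and proxy_count > 0,
    }


def add_scoping(xml_text, proxy_count):
    """Append <samlp:Scoping ProxyCount=N/> (the schema places Scoping last).
    Do this before signing: modifying a signed request breaks its signature."""
    root = ET.fromstring(xml_text)
    if root.find("samlp:Scoping", NS) is not None:
        raise ValueError("AuthnRequest already carries a Scoping element")
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    ET.SubElement(root, SAMLP + "Scoping", {"ProxyCount": str(proxy_count)})
    return ET.tostring(root, encoding="unicode")
```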

Thanks for the additional details! We unfortunately don't support this, as you have figured out. I see you have opened an issue in our GitHub repository, so you can keep track of the progress there.

One more question: I will be trying to set up the SSO connection using ELK (version 8) with OpenAM. I find that the NameID policy "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" never works. Only the other NameID policies are working. Is it that Elasticsearch doesn't allow it?

This is hardly enough information for anyone to help you. Can you please explain how it does not work with this NameID policy? What do you expect to happen, and what happens instead? What is the error message? What are the associated logs?
