SAML Authentication unknown secure setting


(David F Quiroga) #1

Elasticsearch 6.3.1

Got SAML authentication up and running; the final steps were to set up signing and encryption with the IdP.

Following the guide, I wanted to use a JKS. I updated the realm settings in elasticsearch.yml and the secure settings in the elasticsearch keystore, however I was met with errors and a failed startup.

java.lang.IllegalArgumentException: unknown secure setting [encryption.keystore.secure_password] did you mean [xpack.ssl.keystore.secure_password]?
java.lang.IllegalArgumentException: unknown secure setting [signing.keystore.secure_password] did you mean [xpack.ssl.keystore.secure_password]?

Did some digging around and it looks like I need to set the secure settings, as in the tests, with the full realm setting prefix.

xpack.security.authc.realms.realmname.signing.keystore.secure_password
xpack.security.authc.realms.realmname.encryption.keystore.secure_password

Perhaps the guide/documentation could be updated to make this easier to understand.
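As an added illustration (not part of the original post), the short script below builds the fully qualified keystore keys for a realm and refuses the bare, realm-relative names that produced the "unknown secure setting" startup failure above. It assumes the realm is called saml1 as in the guide and only prints the elasticsearch-keystore commands rather than running them, so it works without an Elasticsearch install; the tool prompts for the password value when the printed commands are actually run.

```shell
#!/bin/sh
# Added example, not code from the thread or from Elastic: derive the full
# secure-setting names for a SAML realm and catch the unqualified form.
# Realm name "saml1" is assumed to match the guide's example configuration.

REALM_PREFIX="xpack.security.authc.realms"

# Print the fully qualified keystore key for a realm and a realm-relative setting.
full_setting_name() {
    realm="$1"
    setting="$2"
    printf '%s.%s.%s\n' "$REALM_PREFIX" "$realm" "$setting"
}

# Return 0 when the key carries the realm prefix, 1 when it is a bare
# realm-relative name (the form that Elasticsearch rejects at startup).
is_qualified() {
    case "$1" in
        "$REALM_PREFIX".*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the elasticsearch-keystore commands for the two SAML secure settings
# discussed in the thread. Each key is validated before it is printed.
keystore_commands() {
    realm="$1"
    for setting in signing.keystore.secure_password encryption.keystore.secure_password; do
        key=$(full_setting_name "$realm" "$setting")
        is_qualified "$key" || { echo "refusing unqualified key: $key" >&2; return 1; }
        printf 'bin/elasticsearch-keystore add %s\n' "$key"
    done
}

# Example run for the realm used in the guide.
keystore_commands saml1
```

Running the script prints the two `bin/elasticsearch-keystore add ...` lines with the `xpack.security.authc.realms.saml1.` prefix already in place, which is the form that matched the realm configuration in elasticsearch.yml.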


(Ioannis Kakavas) #2

Hi David,

Thanks for your feedback. As you can see, in every place in the guide you refer to, all settings are discussed relative to xpack.security.authc.realms.saml1. So when we, for instance, discuss

idp.entity_id
This is the identifier (SAML EntityID) that your IdP uses. It should match the entityID attribute within the
metadata file.

idp_entity_id goes under xpack.security.authc.realms.saml1, either as

xpack.security.authc.realms.saml1.idp_entity_id: value

or

xpack.security.authc.realms.saml1:
    idp_entity_id: value

The same applies to the signing settings.

That said, we will look into how this could be made more clear in our documentation and the guide.

Thanks again


(David F Quiroga) #3

Thanks for the response. It is easy to follow along and configure the .yml,
but the secure settings that need to be set with the command-line tool are where it gets a bit unclear.


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.