SAML configuration - Azure Active Directory

Hey, I've followed the SAML config documentation and set up elasticsearch & kibana. However, I am encountering errors when attempting to use the SAML login (basic still works).

Version info: v7.0.1 (elasticsearch and kibana)

Here is what I currently see in my kibana logs:

{
   "type":"log",
   "@timestamp":"2019-05-22T19:36:28Z",
   "tags":[
      "info",
      "authentication"
   ],
   "pid":1,
   "message":"Authentication attempt failed: [security_exception] Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://test-kibana.lcbo.com:443/api/security/v1/saml}]"
}

{
   "type":"error",
   "@timestamp":"2019-05-22T19:36:28Z",
   "tags":[

   ],
   "pid":1,
   "level":"error",
   "error":{
      "message":"[security_exception] Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://test-kibana.lcbo.com:443/api/security/v1/saml}]",
      "name":"Error",
      "stack":"[security_exception] Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://test-kibana.lcbo.com:443/api/security/v1/saml}] :: {\"path\":\"/_security/saml/prepare\",\"query\":{},\"body\":\"{\\\"acs\\\":\\\"https://test-kibana.lcbo.com:443/api/security/v1/saml\\\"}\",\"statusCode\":500,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://test-kibana.lcbo.com:443/api/security/v1/saml}]\\\"}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://test-kibana.lcbo.com:443/api/security/v1/saml}]\\\"},\\\"status\\\":500}\"}\n    at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:308:15)\n    at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:267:7)\n    at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:166:7)\n    at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4935:19)\n    at IncomingMessage.emit (events.js:194:15)\n    at endReadableNT (_stream_readable.js:1103:12)\n    at process._tickCallback (internal/process/next_tick.js:63:19)"
   },
   "url":{
      "protocol":null,
      "slashes":null,
      "auth":null,
      "host":null,
      "port":null,
      "hostname":null,
      "hash":null,
      "search":null,
      "query":{

      },
      "pathname":"/",
      "path":"/",
      "href":"/"
   },
   "message":"[security_exception] Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://test-kibana.lcbo.com:443/api/security/v1/saml}]"
}

Here is my elasticsearch config file (edited to hide sensitive info):

cluster:
  name: ${CLUSTER_NAME}
  initial_master_nodes:
    - es-master-0

node:
  master: ${NODE_MASTER}
  name: ${NODE_NAME}
  data: ${NODE_DATA}
  ingest: ${NODE_INGEST}
  max_local_storage_nodes: ${MAX_LOCAL_STORAGE_NODES}

network:
  host: ${NETWORK_HOST}

path:
  data: /data/data
  logs: /data/log

bootstrap:
  memory_lock: ${MEMORY_LOCK}

http:
  compression: true
  cors:
    enabled: ${HTTP_CORS_ENABLE}
    allow-origin: ${HTTP_CORS_ALLOW_ORIGIN}

discovery:
  seed_hosts: ${DISCOVERY_SERVICE}

xpack:
  license.self_generated.type: trial
  security:
    enabled: true
    transport:
      ssl:
        enabled: true
        verification_mode: none
        keystore.path: /usr/share/elasticsearch/config/certs/elk-cert.p12
        truststore.path: /usr/share/elasticsearch/config/certs/elk-cert.p12
    http:
      ssl:
        enabled: true
        verification_mode: none
        keystore.path: /usr/share/elasticsearch/config/certs/elk-cert.p12
        truststore.path: /usr/share/elasticsearch/config/certs/elk-cert.p12
    authc:
      token:
        enabled: true
      realms:
        file:
          file1:
            order: 0
        saml:
          saml1:
            order: 2
            idp.metadata.path: "<AAD_federation_XML_URL>"
            idp.entity_id: "<EntityID_URL_from_metadata_xml_above>"
            sp.entity_id:  "https://test-kibana.lcbo.com/"
            sp.acs: "https://test-kibana.lcbo.com/api/security/v1/saml"
            sp.logout: "https://test-kibana.lcbo.com/logout"
            attributes.principal: "urn:oid:0.9.2342.19200300.100.1.1"
            attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1."
  monitoring:
    enabled: true

## Threadpool Settings ##
thread_pool:
  # Write
  write:
    queue_size: 3000
  search:
    size: 30
    queue_size: 500
    min_queue_size: 10
    max_queue_size: 1000
    auto_queue_frame_size: 2000
    target_response_time: 1s

Here is my kibana config:

server:
  name: kibana
  host: "0.0.0.0"
  xsrf.whitelist: [/api/security/v1/saml]

elasticsearch:
  ssl:
    certificateAuthorities: /usr/share/kibana/config/certs/elk-cert.p12
    verificationMode: none
  username: kibana
  password: <hidden>
  hosts: ["https://elasticsearch:9200"]

xpack:
  security:
    authProviders: [saml, basic]
    public:
      protocol: https
      hostname: test-kibana.lcbo.com
      port: 443
    encryptionKey: "<hidden>"
  monitoring:
    enabled: true
    ui.container.elasticsearch.enabled: true
    elasticsearch:
      ssl:
        certificateAuthorities: /usr/share/kibana/config/certs/elk-cert.p12
        verificationMode: none

Any ideas where this is failing? I am able to log in to the kibana instance using the /login page (basic auth), however I have not been able to get past the above error.

I've followed this troubleshooting topic and it did not prove to be helpful: https://www.elastic.co/guide/en/elastic-stack-overview/7.0/trb-security-saml.html

Thanks!

I see a couple of potential issues:

I believe these also must include the port (even though you're using the default HTTPS port of 443).

These values do not look like ones that are typically found within the claims that Azure Active Directory supports. If you request the App Federation Metadata URL to retrieve the XML that lists the supported claims, amongst other metadata, it'll look something like

<?xml version="1.0" encoding="ISO-8859-1"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/{id}/" ID="{id}">
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <!-- snip for brevity -->
    </Signature>
    <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:SecurityTokenServiceType">
        <KeyDescriptor use="signing">
            <!-- snip for brevity -->
        </KeyDescriptor>
        <fed:ClaimTypesOffered>
            <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <auth:DisplayName>Name</auth:DisplayName>
                <auth:Description>The mutable display name of the user.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier">
                <auth:DisplayName>Subject</auth:DisplayName>
                <auth:Description>An immutable, globally unique, non-reusable identifier of the user that is unique to the application for which a token is issued.</auth:Description>
            </auth:ClaimType>
            <!-- etc... -->
        </fed:ClaimTypesOffered>
    </RoleDescriptor>
</EntityDescriptor>

Under <fed:ClaimTypesOffered> are the claims supported by Azure Active Directory, where the Uri value is the one to use in elasticsearch.yml for configuring the SAML realm.

For example, Elastic's Azure Marketplace template uses http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name for attributes.principal, which is the Name claim above.

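As an added check (not code from the thread or from Elastic), the script below parses AAD federation metadata shaped like the document above, collects the claim URIs under fed:ClaimTypesOffered, and compares a saml realm's settings against them and against the ACS URL Kibana actually sent in the error log; the metadata is a constructed sample and the two realm dicts reproduce the original and corrected settings from this thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed federation metadata modelled on the AAD document above (no real tenant).
METADATA_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/{tenant-id}/">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesOffered xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"/>
      <auth:ClaimType Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role"/>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
</EntityDescriptor>"""
NS = {"fed": "http://docs.oasis-open.org/wsfed/federation/200706", "auth": "http://docs.oasis-open.org/wsfed/authorization/200706"}
# ACS Kibana sent in the failing /_security/saml/prepare call (from the log above), then the
# OP's first saml1 realm (OID attributes, port-less sp.* URLs) and the corrected one.
ACS_SENT_BY_KIBANA = "https://test-kibana.lcbo.com:443/api/security/v1/saml"
ORIGINAL_REALM = {
    "idp.entity_id": "https://sts.windows.net/{tenant-id}/",
    "sp.entity_id": "https://test-kibana.lcbo.com/",
    "sp.acs": "https://test-kibana.lcbo.com/api/security/v1/saml",
    "sp.logout": "https://test-kibana.lcbo.com/logout",
    "attributes.principal": "urn:oid:0.9.2342.19200300.100.1.1",
    "attributes.groups": "urn:oid:1.3.6.1.4.1.5923.1.5.1.",
}
FIXED_REALM = dict(ORIGINAL_REALM, **{
    "sp.entity_id": "https://test-kibana.lcbo.com:443/",
    "sp.acs": ACS_SENT_BY_KIBANA,
    "sp.logout": "https://test-kibana.lcbo.com:443/logout",
    "attributes.principal": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "attributes.groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"})

def parse_metadata(xml_text):
    """Return (entityID, set of offered claim URIs) from AAD federation metadata."""
    root = ET.fromstring(xml_text)
    claims = {c.get("Uri") for c in root.findall(".//fed:ClaimTypesOffered/auth:ClaimType", NS)}
    return root.get("entityID"), claims

def check_realm(realm, xml_text, acs_sent):
    """List mismatches between a saml realm config, the IdP metadata and the ACS Kibana sends."""
    entity_id, offered = parse_metadata(xml_text)
    problems = []
    if realm["idp.entity_id"] != entity_id:
        problems.append(f"idp.entity_id should be {entity_id!r}")
    for key in ("attributes.principal", "attributes.groups"):
        if realm[key] not in offered:
            problems.append(f"{key}={realm[key]!r} is not a claim the IdP offers")
    for key in ("sp.entity_id", "sp.acs", "sp.logout"):
        if urlsplit(realm[key]).port is None:
            problems.append(f"{key} lacks an explicit port; Kibana advertises 443")
    if realm["sp.acs"] != acs_sent:
        problems.append(f"sp.acs must equal the ACS Kibana sends: {acs_sent!r}")
    return problems
```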

Hey,

Thanks for the quick reply. The changes you made have helped. Here are the updated snippets for anyone else reading this:

idp.metadata.path: "<redacted>"
idp.entity_id: "<redacted>"
sp.entity_id:  "https://test-kibana.lcbo.com:443/"
sp.acs: "https://test-kibana.lcbo.com:443/api/security/v1/saml"
sp.logout: "https://test-kibana.lcbo.com:443/logout"
attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

The above changes worked and now when I hit test-kibana.lcbo.com, I am successfully redirected to the AD login page. However, after logging in (successfully), I am redirected back to Kibana and see this in my browser:

{
  "statusCode":403,
  "error":"Forbidden",
  "message":"Forbidden"
}

And this in my Kibana logs:

{
   "type":"response",
   "@timestamp":"2019-05-23T14:35:43Z",
   "tags":[

   ],
   "pid":1,
   "method":"post",
   "statusCode":302,
   "req":{
      "url":"/api/security/v1/saml",
      "method":"post",
      "headers":{
         "host":"test-kibana.lcbo.com",
         "x-request-id":"9d564999edde715162ee00cdc57227cd",
         "x-real-ip":"<redacted>",
         "x-forwarded-for":"<redacted>",
         "x-forwarded-host":"test-kibana.lcbo.com",
         "x-forwarded-port":"443",
         "x-forwarded-proto":"https",
         "x-original-uri":"/api/security/v1/saml",
         "x-scheme":"https",
         "content-length":"7321",
         "user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0",
         "accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
         "accept-language":"en-US,en;q=0.5",
         "accept-encoding":"gzip, deflate, br",
         "referer":"https://login.microsoftonline.com/",
         "content-type":"application/x-www-form-urlencoded",
         "dnt":"1",
         "upgrade-insecure-requests":"1"
      },
      "remoteAddress":"<redacted>",
      "userAgent":"<redacted>",
      "referer":"https://login.microsoftonline.com/"
   },
   "res":{
      "statusCode":302,
      "responseTime":515,
      "contentLength":9
   },
   "message":"POST /api/security/v1/saml 302 515ms - 9.0B"
}

{
   "type":"response",
   "@timestamp":"2019-05-23T14:35:43Z",
   "tags":[

   ],
   "pid":1,
   "method":"get",
   "statusCode":403,
   "req":{
      "url":"/",
      "method":"get",
      "headers":{
         "host":"test-kibana.lcbo.com",
         "x-request-id":"<redacted>",
         "x-real-ip":"<redacted>",
         "x-forwarded-for":"<redacted>",
         "x-forwarded-host":"test-kibana.lcbo.com",
         "x-forwarded-port":"443",
         "x-forwarded-proto":"https",
         "x-original-uri":"/",
         "x-scheme":"https",
         "user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0",
         "accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
         "accept-language":"en-US,en;q=0.5",
         "accept-encoding":"gzip, deflate, br",
         "referer":"https://login.microsoftonline.com/",
         "dnt":"1",
         "upgrade-insecure-requests":"1"
      },
      "remoteAddress":"<redacted>",
      "userAgent":"<redacted>",
      "referer":"https://login.microsoftonline.com/"
   },
   "res":{
      "statusCode":403,
      "responseTime":127,
      "contentLength":9
   },
   "message":"GET / 403 127ms - 9.0B"
}

I am unsure why this request is being rejected by Kibana after the successful login since I am unable to see any other messages. The rest of the config is the same as my first post.

Thanks again for your help, greatly appreciated.

I resolved this myself. I was missing the role mapping from AD roles -> elasticsearch roles.

Thanks for your help!

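To illustrate the missing piece behind the 403 (added example, not code from the thread or from Elastic): a role mapping document for the Elasticsearch role mapping API whose rules match the saml1 realm and the values AAD sends in the role claim configured as attributes.groups, plus a simplified local evaluator of the rule DSL (all/any/except/field, without wildcard patterns) so you can see which roles a logged-in SAML user would receive before applying the mapping. The mapping name, the AAD app role names and the user records are hypothetical.

```python
import json

# Hypothetical mapping: AAD app roles (delivered in the role claim set as attributes.groups)
# grant the Elasticsearch role kibana_admin, but only for users of the saml1 realm.
ROLE_MAPPING = {
    "roles": ["kibana_admin"],
    "enabled": True,
    "rules": {"all": [
        {"field": {"realm.name": "saml1"}},
        {"field": {"groups": ["Kibana.Admin", "Kibana.Operator"]}},
    ]},
}

# Constructed user properties as the SAML realm exposes them to role mapping after login.
SAML_USER_WITH_ROLE = {"username": "alice@example.com", "realm.name": "saml1", "groups": ["Kibana.Admin"]}
SAML_USER_NO_ROLE = {"username": "bob@example.com", "realm.name": "saml1", "groups": ["Something.Else"]}

def rule_matches(rule, user):
    """Evaluate a role-mapping rule against user properties (username, groups, realm.name).
    A field rule with a list of values matches when any user value equals any listed value."""
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    (name, expected), = rule["field"].items()
    actual = user.get(name)
    actual = actual if isinstance(actual, list) else [actual]
    expected = expected if isinstance(expected, list) else [expected]
    return any(value in expected for value in actual)

def roles_for(user, mappings):
    """Roles a user would be granted by the given mappings; an empty list means the user
    authenticates but has no privileges, which is what produced the 403 above."""
    roles = set()
    for mapping in mappings:
        if mapping["enabled"] and rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)

def role_mapping_request(name, mapping):
    """(method, path, body) for PUT /_security/role_mapping/<name>; send with curl or any HTTP client."""
    return "PUT", f"/_security/role_mapping/{name}", json.dumps(mapping)
```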
