Hey, I've followed the SAML config documentation and setup elasticsearch & kibana. However, I am encountering errors when attempting to use the SAML login (basic still works).
Version info: v7.0.1 (elasticsearch and kibana)
Here is what I currently see in my kibana logs:
{
"type":"log",
"@timestamp":"2019-05-22T19:36:28Z",
"tags":[
"info",
"authentication"
],
"pid":1,
"message":"Authentication attempt failed: [security_exception] Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://test-kibana.lcbo.com:443/api/security/v1/saml}]"
}
{
"type":"error",
"@timestamp":"2019-05-22T19:36:28Z",
"tags":[
],
"pid":1,
"level":"error",
"error":{
"message":"[security_exception] Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://test-kibana.lcbo.com:443/api/security/v1/saml}]",
"name":"Error",
"stack":"[security_exception] Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://test-kibana.lcbo.com:443/api/security/v1/saml}] :: {\"path\":\"/_security/saml/prepare\",\"query\":{},\"body\":\"{\\\"acs\\\":\\\"https://test-kibana.lcbo.com:443/api/security/v1/saml\\\"}\",\"statusCode\":500,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://test-kibana.lcbo.com:443/api/security/v1/saml}]\\\"}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://test-kibana.lcbo.com:443/api/security/v1/saml}]\\\"},\\\"status\\\":500}\"}\n at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:308:15)\n at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:267:7)\n at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:166:7)\n at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4935:19)\n at IncomingMessage.emit (events.js:194:15)\n at endReadableNT (_stream_readable.js:1103:12)\n at process._tickCallback (internal/process/next_tick.js:63:19)"
},
"url":{
"protocol":null,
"slashes":null,
"auth":null,
"host":null,
"port":null,
"hostname":null,
"hash":null,
"search":null,
"query":{
},
"pathname":"/",
"path":"/",
"href":"/"
},
"message":"[security_exception] Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://test-kibana.lcbo.com:443/api/security/v1/saml}]"
}
Here is my elasticsearch config file (edited to hide sensitive info):
cluster:
name: ${CLUSTER_NAME}
initial_master_nodes:
- es-master-0
node:
master: ${NODE_MASTER}
name: ${NODE_NAME}
data: ${NODE_DATA}
ingest: ${NODE_INGEST}
max_local_storage_nodes: ${MAX_LOCAL_STORAGE_NODES}
network:
host: ${NETWORK_HOST}
path:
data: /data/data
logs: /data/log
bootstrap:
memory_lock: ${MEMORY_LOCK}
http:
compression: true
cors:
enabled: ${HTTP_CORS_ENABLE}
allow-origin: ${HTTP_CORS_ALLOW_ORIGIN}
discovery:
seed_hosts: ${DISCOVERY_SERVICE}
xpack:
license.self_generated.type: trial
security:
enabled: true
transport:
ssl:
enabled: true
verification_mode: none
keystore.path: /usr/share/elasticsearch/config/certs/elk-cert.p12
truststore.path: /usr/share/elasticsearch/config/certs/elk-cert.p12
http:
ssl:
enabled: true
verification_mode: none
keystore.path: /usr/share/elasticsearch/config/certs/elk-cert.p12
truststore.path: /usr/share/elasticsearch/config/certs/elk-cert.p12
authc:
token:
enabled: true
realms:
file:
file1:
order: 0
saml:
saml1:
order: 2
idp.metadata.path: "<AAD_federation_XML_URL>"
idp.entity_id: "<EntityID_URL_from_metadata_xml_above>"
sp.entity_id: "https://test-kibana.lcbo.com/"
sp.acs: "https://test-kibana.lcbo.com/api/security/v1/saml"
sp.logout: "https://test-kibana.lcbo.com/logout"
attributes.principal: "urn:oid:0.9.2342.19200300.100.1.1"
attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1."
monitoring:
enabled: true
## Threadpool Settings ##
thread_pool:
# Write
write:
queue_size: 3000
search:
size: 30
queue_size: 500
min_queue_size: 10
max_queue_size: 1000
auto_queue_frame_size: 2000
target_response_time: 1s
Here is my kibana config:
server:
name: kibana
host: "0.0.0.0"
xsrf.whitelist: [/api/security/v1/saml]
elasticsearch:
ssl:
certificateAuthorities: /usr/share/kibana/config/certs/elk-cert.p12
verificationMode: none
username: kibana
password: <hidden>
hosts: ["https://elasticsearch:9200"]
xpack:
security:
authProviders: [saml, basic]
public:
protocol: https
hostname: test-kibana.lcbo.com
port: 443
encryptionKey: "<hidden>"
monitoring:
enabled: true
ui.container.elasticsearch.enabled: true
elasticsearch:
ssl:
certificateAuthorities: /usr/share/kibana/config/certs/elk-cert.p12
verificationMode: none
Any ideas where this is failing? I am able to login to the kibana instance using the /login page (basic auth), however I have not been able to get past the above error.
I've followed this troubleshooting topic and it did not prove to be helpful: https://www.elastic.co/guide/en/elastic-stack-overview/7.0/trb-security-saml.html
Thanks!