SAML configuration - Azure Active Directory

I see a couple of potential issues:

I believe these also must include the port (even though you're using the default HTTPS port of 443).

These values do not look like ones that are typically found within the claims that Azure Active Directory supports. If you request the App Federation Metadata URL to retrieve the XML that lists the supported claims, amongst other metadata, it'll look something like

<?xml version="1.0" encoding="ISO-8859-1"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/{id}/" ID="{id}">
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
        <!-- snip for brevity -->
    </Signature>
    <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:SecurityTokenServiceType">
        <KeyDescriptor use="signing">
            <!-- snip for brevity -->
        </KeyDescriptor>
        <fed:ClaimTypesOffered>
            <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
                <auth:DisplayName>Name</auth:DisplayName>
                <auth:Description>The mutable display name of the user.</auth:Description>
            </auth:ClaimType>
            <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier">
                <auth:DisplayName>Subject</auth:DisplayName>
                <auth:Description>An immutable, globally unique, non-reusable identifier of the user that is unique to the application for which a token is issued.</auth:Description>
            </auth:ClaimType>
            <!-- etc... -->
        </fed:ClaimTypesOffered>
    </RoleDescriptor>
</EntityDescriptor>

Under <fed:ClaimTypesOffered> are the claims supported by Azure Active Directory, where the Uri value is the one to use in elasticsearch.yml for configuring the SAML realm.

For example, Elastic's Azure Marketplace template uses http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name for attributes.principal, which is the Name claim above.

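As an added example (not part of the post above, and not Elastic's or Microsoft's code), the check described there carried out in Python: parse the federation metadata, collect the Uri of every claim under fed:ClaimTypesOffered, and compare the attributes.* values from the SAML realm against that list. The metadata document and the realm attribute values are constructed samples with the same shape as the XML in the post, and the suggest_claim_uri heuristic (matching a bare word such as "name" to a claim's display name or last path segment) is my own, not something Azure AD or Elasticsearch does.

```python
"""Check elasticsearch.yml SAML realm attribute names against the claims an Azure AD
tenant offers in its federation metadata. Stdlib only; added example, not project code."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "fed": "http://docs.oasis-open.org/wsfed/federation/200706",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
}

# Constructed sample with the same shape as the metadata shown in the post (Signature and
# KeyDescriptor omitted). In practice this is the response body fetched from the
# App Federation Metadata Url of the enterprise application.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sts.windows.net/{id}/" ID="{id}">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"
      xsi:type="fed:SecurityTokenServiceType">
    <fed:ClaimTypesOffered>
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
        <auth:DisplayName>Name</auth:DisplayName>
        <auth:Description>The mutable display name of the user.</auth:Description>
      </auth:ClaimType>
      <auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier">
        <auth:DisplayName>Subject</auth:DisplayName>
        <auth:Description>An immutable, globally unique identifier of the user.</auth:Description>
      </auth:ClaimType>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
</EntityDescriptor>
"""


def offered_claims(metadata: bytes) -> dict[str, str]:
    """Map each claim URI under fed:ClaimTypesOffered to its display name.

    Metadata fetched over the network is untrusted input. The stdlib parser is used here
    for portability; for production tooling parse with defusedxml so entity-expansion
    tricks in a tampered document are rejected before anything in it is trusted.
    """
    root = ET.fromstring(metadata)
    return {
        ct.get("Uri"): ct.findtext("auth:DisplayName", default="", namespaces=NS)
        for ct in root.iterfind(".//fed:ClaimTypesOffered/auth:ClaimType", NS)
        if ct.get("Uri")
    }


def suggest_claim_uri(offered: dict[str, str], value: str) -> Optional[str]:
    """Heuristic (my own, not Azure AD's): return the offered URI whose display name or
    last path segment equals a bare attribute name such as "name" (case-insensitive)."""
    wanted = value.strip().lower()
    for uri, display in offered.items():
        last_segment = uri.rstrip("/").rsplit("/", 1)[-1].lower()
        if wanted in (display.lower(), last_segment):
            return uri
    return None


def check_realm_attributes(metadata: bytes, attributes: dict[str, str]) -> dict[str, dict]:
    """For each attributes.* value of the SAML realm, report whether it is one of the
    offered claim URIs and, if not, which offered URI it most likely should be."""
    offered = offered_claims(metadata)
    report = {}
    for setting, value in attributes.items():
        ok = value in offered
        report[setting] = {
            "value": value,
            "offered": ok,
            "suggestion": None if ok else suggest_claim_uri(offered, value),
        }
    return report


if __name__ == "__main__":
    # Constructed realm fragment: a bare "name" instead of the full claim URI is the kind
    # of value that does not match anything Azure AD offers.
    realm_attributes = {
        "attributes.principal": "name",
        "attributes.name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    }
    for setting, result in check_realm_attributes(SAMPLE_METADATA, realm_attributes).items():
        status = "ok" if result["offered"] else f"NOT offered; try {result['suggestion']}"
        print(f"{setting}: {result['value']} -> {status}")
```

Point the script at the real metadata by replacing SAMPLE_METADATA with the bytes returned from the tenant's App Federation Metadata Url; any setting reported as NOT offered needs its value replaced with a Uri from the report before the realm will map that attribute.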