I am trying to configure Kibana authentication via SAML with the Oracle IAM stack as an Identity Provider.
In the Elasticsearch log we have:
org.elasticsearch.ElasticsearchSecurityException: Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://rp.lab.priv:443/api/security/v1/saml}]
at org.elasticsearch.xpack.security.authc.saml.SamlUtils.samlException(SamlUtils.java:105) ~[?:?]
at org.elasticsearch.xpack.security.action.saml.TransportSamlPrepareAuthenticationAction.doExecute(TransportSamlPrepareAuthenticationAction.java:52) ~[?:?]
at org.elasticsearch.xpack.security.action.saml.TransportSamlPrepareAuthenticationAction.doExecute(TransportSamlPrepareAuthenticationAction.java:33) ~[?:?]
at org.elasticsearch.action.support.TransportAction.doExecute(TransportAction.java:143) ~[elasticsearch-6.5.1.jar:6.5.1]
The kibana.yml file has these lines:
xpack.security.authProviders: [saml, basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.public:
  protocol: https
  hostname: rp.lab.priv
  port: 443
I have looked in the troubleshooting guide, but sp.acs and the Kibana public host are the same.
Does anyone have a better idea?
Thank you in advance,
Victor
These are matched as raw strings - we don't infer identity by parsing port numbers, etc.
So you need the sp.acs setting in Elasticsearch and the ACS URL in Kibana to be byte-for-byte identical.
Thanks, indeed the 443 added to sp.acs made me get past this error.
Now I have a new one:
[2019-01-18T10:36:48,207][WARN ][o.e.x.s.a.AuthenticationService] [dev-client-01] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML Response is not a 'success' response: Code=urn:oasis:names:tc:SAML:2.0:status:Requester Message=null Detail=null])
This is covered in the troubleshooting guide - I recommend that you have a read of it.
The short answer is that your IdP didn't like the authentication request from Elasticsearch, but is refusing to tell us why. The only thing you can reasonably do is check the IdP logs.
Hi,
I solved this also.
But now another question.
If behind the RP I publish also the Kibana SAML URL under a general context like /elk/, do I have to modify also the
server.xsrf.whitelist: [/api/security/v1/saml]
to
server.xsrf.whitelist: [/elk/api/security/v1/saml] ?
In fact in my SAML request towards the IdP the assertionConsumerServiceURL="rp.lab.priv:443/api/security/v1/saml" and I need it to be "rp.lab.priv:443/elk/api/security/v1/saml"
Thank you,
Victor
For clarification: why do you want the ACS URL to be "rp.lab.priv:443/elk/api/security/v1/saml"? If this is because your IdP is configured this way, wouldn't it be preferable to change the IdP configuration instead?
Hi,
The root cause is that behind the RP are also the IdP and ELK.
If I use directly RP URL/app/kibana and RP URL/api/security/ it is OK, but I cannot use RP URL/ as, for example, after SAML login there is a redirect to RP URL/ to select the space to enter.
So the question is: what if behind the same RP the /api context is already used by another application? What can I do then?
Of course the question is whether I can use a generic context root like /elk for the api, app and spaces URIs of Kibana.
We configured the Kibana context root to /elk and now on the IdP we have the next error:
<Jan 22, 2019 3:26:52 PM CET> <Error> <oracle.security.fed.controller.web.servlet.FederationServlet> <FEDSTS-12064> <Exception: {0}
oracle.security.fed.event.EventException: java.lang.ClassCastException: java.util.HashSet cannot be cast to java.lang.String
Hi Guys,
I've found the error, which was from SAML version differences between OAM and ELK.
Now I receive:
{"statusCode":400,"error":"Bad Request","message":"Request must contain a kbn-xsrf header."}
In kibana.yml I have the next values:
server.basePath: "/elk"
server.rewriteBasePath: true
server.xsrf.whitelist: [/elk/api/security/v1/saml]
to include also the new context root.
If I change the values to:
server.basePath: "/elk"
server.rewriteBasePath: true
server.xsrf.whitelist: [/api/security/v1/saml]
I have the Elasticsearch error:
[2019-01-25T10:36:30,387][WARN ][o.e.x.s.a.AuthenticationService] [dev-client-01] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML Response is not a 'success' response: Code=urn:oasis:names:tc:SAML:2.0:status:Requester Message=null Detail=null])
and I am redirected to the ELK login page.
Also I see in the SAML response of Kibana:
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
The urn:oasis:names:tc:SAML:2.0:status:Requester signifies that it believes that the problem is the Requester's fault (the Elastic stack is the requester in this context), and the urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy means that the problem is that it cannot satisfy the request's requirements for the NameID Policy.
Elasticsearch's SAML realm defaults to requesting a transient (urn:oasis:names:tc:SAML:2.0:nameid-format:transient) NameID format but can also be configured explicitly with the nameid_format option as described in our documentation. What you need to do is:
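The two failure modes discussed in this thread, as an added Python illustration that is not part of any post here: the realm lookup that rejects an ACS URL unless it is byte-for-byte identical to sp.acs (the first error above), and the nested StatusCode chain that explains the Requester / InvalidNameIDPolicy pair. The realm table and the SAML response are constructed samples; the helper names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Hypothetical realm table standing in for the sp.acs values in elasticsearch.yml.
REALMS = {"saml1": "https://rp.lab.priv:443/api/security/v1/saml"}

def find_realm(acs_url):
    """Match Kibana's ACS URL against each realm's sp.acs as a raw string.
    No URL normalisation: an explicit ':443' and an implicit one differ."""
    for name, acs in REALMS.items():
        if acs == acs_url:
            return name
    return None  # the "Cannot find any matching realm" case from the thread

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed failed response, modelled on the status pair quoted in the thread.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  ID="_c0ffee" Version="2.0" IssueInstant="2019-01-25T10:36:30Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

def status_codes(xml_text):
    """Return the StatusCode chain, outermost first. SAML 2.0 nests the
    detailed reason inside the generic top-level code."""
    root = ET.fromstring(xml_text)
    codes = []
    node = root.find("samlp:Status/samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value"))
        node = node.find("samlp:StatusCode", NS)
    return codes

def explain(codes):
    """Translate the chain into who the IdP blames and the detail it gives."""
    if not codes or codes[0] == SUCCESS:
        return "success"
    top = codes[0].rsplit(":", 1)[1]
    blame = {"Requester": "the SP (Elastic stack) request",
             "Responder": "the IdP itself",
             "VersionMismatch": "SAML version"}.get(top, "unknown")
    detail = codes[1].rsplit(":", 1)[1] if len(codes) > 1 else "no detail given"
    return f"rejected: fault in {blame}; reason: {detail}"
```

Elasticsearch's own log line only prints the top-level code (Message=null Detail=null), so inspecting the second-level StatusCode in the raw response is what turns a bare Requester into an actionable InvalidNameIDPolicy.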
Hi,
Thanks for the documentation and information.
We use a SAML 1.1 Unspecified format type.
We've just opened a ticket at Oracle to see whether it is indeed a bug on their side.
The use of urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified is allowed in the SAML 2.0 Core Spec, see section 8.3.1 of the specification I posted above.
If this contains the value you want in order to identify the logged-in user, or if you can map the attribute.principal to a SAML attribute instead of the NameID, you can adjust the SAML realm configuration in Elasticsearch by setting nameid_format to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified in your elasticsearch.yml.
Hi,
We managed to make it work with the NameID in attribute.principal.
But now I cannot force the users to be dashboard-only and to use only one space for dashboard users.
Is there a role mapping to force users to go to a specific space in Kibana?
Can I create another dashboard user role which I can add/inherit to be forced via SAML?
This is the role mapping I try to use:
PUT /_xpack/security/role_mapping/Role.AT
{
  "roles": [ "Role.AT" ],
  "enabled": true,
  "rules": {
    "all": [
      { "field": { "realm.name": "saml1" } },
      { "field": { "groups": "Role.AT" } },
      { "field": { "role": "Role.AT" } }
    ]
  }
}
Is it enough to use only the groups field to map the SAML group to the ELK role?
If I log in with a local user with the same role, the user uses only one space.
If I come via SAML I am redirected to the default space.