Hi,
First, as you figured out, you need to set server.xsrf.whitelist: [/api/security/v1/saml] and not server.xsrf.whitelist: [/elk/api/security/v1/saml].
Your Oracle IDP responds with
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
The urn:oasis:names:tc:SAML:2.0:status:Requester signifies that it believes that the problem is the Requester's fault (the Elastic Stack is the requester in this context), and the urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy means that the problem is that it cannot satisfy the request's requirements for the NameID Policy.
Elasticsearch's SAML realm defaults to requesting a transient (urn:oasis:names:tc:SAML:2.0:nameid-format:transient) NameID format but can also be configured explicitly with the nameid_format option as described in our documentation. What you need to do is:
- Figure out what kind of NameID format you want to use. See 8.3 and especially 8.3.7 and 8.3.8 in the SAML Core specification.
- Figure out which formats your SAML IDP supports
- Pick one of those and configure both your SAML IDP and your SAML Realm in Elasticsearch accordingly.
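As an added worked example (not part of the reply above or of Elastic's own code), the script below does the three steps mechanically: it walks the nested StatusCode chain of a SAML Response like the Oracle one quoted in the thread and turns it into a diagnosis, reads the NameID formats an IdP advertises in its metadata, picks the first one from the SP operator's preference list that the IdP supports, and serialises the matching NameIDPolicy element and Elasticsearch realm setting. The Response and the IdP metadata are constructed stand-ins; the IdP entity ID, the realm name and the 7.x-style settings key `xpack.security.authc.realms.saml.<name>.nameid_format` are assumptions, so check the key against the documentation for your version.

```python
"""Added example: diagnose a SAML Status chain and pick a NameID format
the IdP actually supports.  All XML here is constructed for illustration."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
ET.register_namespace("samlp", NS["samlp"])
STATUS = "urn:oasis:names:tc:SAML:2.0:status:"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for the failing IdP response (only Status matters here).
IDP_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_r1" Version="2.0" IssueInstant="2019-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester">
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
    </samlp:StatusCode>
  </samlp:Status>
</samlp:Response>"""

# Constructed IdP metadata (assumed entityID) advertising two formats, neither transient.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def status_codes(response_xml):
    """Return the StatusCode chain, outermost first.  The top-level code says
    who is to blame (Requester/Responder); nested codes give the reason."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    chain = []
    while code is not None:
        chain.append(code.get("Value"))
        code = code.find("samlp:StatusCode", NS)
    return chain


def diagnose(response_xml):
    """Translate the status chain into a one-line diagnosis for the SP operator."""
    chain = status_codes(response_xml)
    if chain and chain[0] == STATUS + "Success":
        return "success"
    blame = {STATUS + "Requester": "SP (requester)",
             STATUS + "Responder": "IdP (responder)"}.get(chain[0], chain[0])
    detail = chain[1] if len(chain) > 1 else "no second-level code"
    if detail == STATUS + "InvalidNameIDPolicy":
        return f"{blame} at fault: IdP cannot satisfy the requested NameIDPolicy"
    return f"{blame} at fault: {detail}"


def idp_nameid_formats(metadata_xml):
    """NameID formats the IdP advertises in its IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    return [e.text.strip()
            for e in root.findall(".//md:IDPSSODescriptor/md:NameIDFormat", NS)]


def choose_nameid_format(metadata_xml, preferred):
    """First format from the operator's ordered wish list that the IdP supports."""
    supported = idp_nameid_formats(metadata_xml)
    for fmt in preferred:
        if fmt in supported:
            return fmt
    raise ValueError(f"IdP supports none of {preferred}; it offers {supported}")


def nameid_policy_element(fmt, allow_create=True):
    """The <samlp:NameIDPolicy> an SP puts in its AuthnRequest for this format."""
    el = ET.Element(f"{{{NS['samlp']}}}NameIDPolicy",
                    {"Format": fmt, "AllowCreate": "true" if allow_create else "false"})
    return ET.tostring(el, encoding="unicode")


def realm_setting(realm_name, fmt):
    """Matching Elasticsearch realm setting (7.x settings layout, assumed)."""
    return f"xpack.security.authc.realms.saml.{realm_name}.nameid_format: {fmt}"


if __name__ == "__main__":
    print(diagnose(IDP_RESPONSE))
    fmt = choose_nameid_format(IDP_METADATA, [TRANSIENT, PERSISTENT, EMAIL])
    print(nameid_policy_element(fmt))
    print(realm_setting("saml1", fmt))
```

Run against the constructed input, the diagnosis blames the SP for an unsatisfiable NameIDPolicy (the situation in the thread), the transient default is rejected because the metadata does not list it, and persistent is selected as the first supported preference; whatever the script picks must then be configured on both the IdP and the realm, as the reply says.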