SAML error with ELK Stack

Hi,
So in the role I have set:

GET /_xpack/security/role/Role.MS
{
  "Role.MS" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "index1-*",
          "index2-*",
          "index3-*"
        ],
        "privileges" : [
          "all"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ]
        },
        "query" : """{"term": {"providedAttributes.user.countryCode": "{{_user.metadata.saml(c)}}"}}"""
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "space_read"
        ],
        "resources" : [
          "space:engineer"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

If I log in with the user, the query is not returning anything. Meaning my dashboards are empty. It means no data from the index matches the filtering query.
I tried replacing the query term with match and still get the same error.

So,
If I set the query:

{"match": {"providedAttributes.user.countryCode": "{{_user.metadata.saml(c)}}"}}

It is not showing anything in the dashboard.
If I set the query:

{"match": {"providedAttributes.user.countryCode": "AT"}}

The filtered index information is shown in the dashboard.
I have also tried term instead of match in both cases, and no data is shown in the dashboard.

Login to Kibana using SAML.
Call the Elasticsearch Authenticate API from within the Kibana dev tools console.
That will show you what metadata is included in the user object so you can confirm whether _user.metadata.saml(c) is indeed being populated.

Hi,
this is the data which i received on Authenticate API:

{
  "username" : "at.user",
  "roles" : [
    "Role.AT"
  ],
  "full_name" : "at.user",
  "email" : null,
  "metadata" : {
    "saml(role)" : [
      "Role.AT"
    ],
    "saml_nameid" : "at.user",
    "saml(partnername)" : [
      "Partner.AT"
    ],
    "saml_nameid_format" : "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "saml(c)" : [
      "AT"
    ]
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "saml1",
    "type" : "saml"
  },
  "lookup_realm" : {
    "name" : "saml1",
    "type" : "saml"
  }
}

So I will now try to match it in the role query via match.
Thanks,
Victor

This is the role definition:

{
  "Role.AT" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "index1-*",
          "index2-*",
          "index3-*"
        ],
        "privileges" : [
          "all"
        ],
        "field_security" : {
          "grant" : [
            "*"
          ]
        },
        "query" : """{"match": {"providedAttributes.user.countryCode": "{{_user.metadata.saml(c}}"}}"""
      }
    ],
    "applications" : [
      {
        "application" : "kibana-.kibana",
        "privileges" : [
          "space_read"
        ],
        "resources" : [
          "space:engineer"
        ]
      }
    ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  }
}

Hi,
I finally managed to solve that:
The working query is:
</gree_replace>
<gr_replace lines="153" cat="clarify" orig="so for me,">
So for me, it looks like match was working better than term.

{"template":{"source":{"match":{"providedAttributes.user.countryCode":"{{_user.metadata.saml(c)}}"}}}}

so for me, match was working better than term looks like.
Thank you very much guys for help and guidance!
Victor
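The difference between the bare query and the template-wrapped query above, as an added Python example that is not from the thread or from Elasticsearch: it simulates the role query being rendered against the Authenticate API metadata and applied to constructed documents. Flattening a single-valued list attribute and treating match/term as exact comparison are simplifying assumptions, not the real engine's behaviour.

```python
import json
import re

# Constructed sample in the shape of the Authenticate API response from the thread.
AUTHENTICATED_USER = {
    "username": "at.user",
    "roles": ["Role.AT"],
    "metadata": {"saml(c)": ["AT"], "saml(role)": ["Role.AT"]},
}

# Constructed sample documents with the field the role query filters on.
DOCS = [
    {"id": 1, "providedAttributes": {"user": {"countryCode": "AT"}}},
    {"id": 2, "providedAttributes": {"user": {"countryCode": "DE"}}},
    {"id": 3, "providedAttributes": {"user": {"countryCode": "AT"}}},
]

RAW_QUERY = {"match": {"providedAttributes.user.countryCode": "{{_user.metadata.saml(c)}}"}}
TEMPLATE_QUERY = {"template": {"source": RAW_QUERY}}

PLACEHOLDER = re.compile(r"\{\{_user\.metadata\.([^}]+)\}\}")


def render_role_query(query, user):
    """Return the effective document-level security query for a user.

    Only a query wrapped in {"template": {"source": ...}} gets rendered; a bare
    query is used verbatim, so its {{...}} placeholders stay literal text.
    """
    if "template" not in query:
        return query
    source = query["template"]["source"]
    if not isinstance(source, str):
        source = json.dumps(source)

    def substitute(m):
        value = user["metadata"].get(m.group(1), "")
        if isinstance(value, list) and len(value) == 1:
            value = value[0]  # assumption: simplified list rendering
        return str(value)

    return json.loads(PLACEHOLDER.sub(substitute, source))


def apply_query(query, docs):
    """Evaluate the single-field match/term clause as an exact comparison (simplification)."""
    clause = query.get("match") or query.get("term")
    (path, wanted), = clause.items()
    hits = []
    for doc in docs:
        node = doc
        for key in path.split("."):
            node = node.get(key, {}) if isinstance(node, dict) else {}
        if node == wanted:
            hits.append(doc["id"])
    return hits


def effective_hits(query, user=AUTHENTICATED_USER, docs=DOCS):
    """Ids of documents the user can see under the given role query."""
    return apply_query(render_role_query(query, user), docs)
```

Calling `effective_hits(RAW_QUERY)` yields no hits because the literal placeholder string is compared, while `effective_hits(TEMPLATE_QUERY)` yields the two AT documents.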

Hi Guys,
One more thing arises with SAML.
Can we have 2 IdPs (identity providers) connected to one ELK for SAML access?
The 2 SAML setups secure the same ELK for different accesses from different networks.
How can I force from the URL which SAML realm is to be used?
Is there a document about it? Based on the order?
SAML1: kibana.dom1.com/elk/api/kibana/order=0? which redirect to idp 1?
SAML2: kibana.dom2.com/elk/api/kibana/order=1? which redirects to idp 2?
At the same time I also use LDAP and native.

Thank you in advance,
Victor

To do this you need to have 2 separate Kibana instances.
https://www.elastic.co/guide/en/elastic-stack-overview/6.6/saml-kibana.html#_operating_multiple_kibana_instances

Hi Tim,
Thank you for your answer,
So the same collected data can be seen in all the instances.

Great news,
Thank you,
Victor

Hi guys,
On the 2 Kibana instances, are the Spaces and the other objects the same?
Meaning, on the second instance I don't have other spaces or information?

I managed to add a second instance, and here I see the same spaces as in the first instance.
Thank you,
Victor

Please open a new post for that question; this is largely unrelated to the other things we discussed here so far.