hogbinj
(James Hogbin)
November 29, 2018, 6:03pm
1
I've tried to implement the advice here on securing a Cloud Cluster with SAML
I added the following to elasticsearch.yml, being careful to use spaces rather than the tabs you get if you copy the example, because YAML. (There are spaces, but the editor removes them in blockquotes.)
```yaml
xpack.security:
  authc:
    realms:
      cloud-saml:
        type: saml
        order: 2
        attributes.principal: "nameid:persistent"
        attributes.groups: "groups"
        idp.metadata.path: "https://app.onelogin.com/saml/metadata/[UUID]"
        idp.entity_id: "https://ip-sentinel.onelogin.com/trust/saml2/http-post/sso/865524"
        sp.entity_id: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/"
        sp.acs: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/api/security/v1/saml"
        sp.logout: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/logout"
```
That didn't deploy, with the error "xpack is not allowed".
I also noticed the editor turns 4 spaces into tabs, so maybe that was the error anyway.
I contacted support and they suggested I expand the YAML keys and it would work, so I did:
```yaml
xpack.security.authc.realms.cloud-saml.type: saml
xpack.security.authc.realms.cloud-saml.order: 2
xpack.security.authc.realms.cloud-saml.attributes.principal: "nameid:persistent"
xpack.security.authc.realms.cloud-saml.attributes.groups: "groups"
xpack.security.authc.realms.cloud-saml.idp.metadata.path: "https://app.onelogin.com/saml/metadata/[UUID]"
xpack.security.authc.realms.cloud-saml.idp.entity_id: "https://ip-sentinel.onelogin.com/trust/saml2/http-post/sso/865524"
xpack.security.authc.realms.cloud-saml.sp.entity_id: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/"
xpack.security.authc.realms.cloud-saml.sp.acs: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/api/security/v1/saml"
xpack.security.authc.realms.cloud-saml.sp.logout: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/logout"
```
That didn't work either.
Elastic support are now saying this is NOT support but consulting!!!!
Has anybody got this to work at all? Am I doing something obviously dim?
thiago
(Thiago Souza)
November 30, 2018, 12:45pm
2
The idp.entity_id in your realm config needs to match the entityID in the metadata file.
For more information, refer to Item 2 in Common SAML issues | Elasticsearch Guide [6.5] | Elastic:
Cannot find metadata for entity [your:entity.id] in [metadata.xml]
Best
dweidenfeld
(Dominik Weidenfeld)
December 3, 2018, 9:42am
3
I am having the same issue right now.
Is there already a solution for this, or do I have to contact the support as well?
cheers
ikakavas
(Ioannis Kakavas)
December 3, 2018, 10:06am
4
Hello Dominic,
Please open your own topic and share as much information as possible with details on what you have done, what is your current configuration and what is the error message that you are seeing. There is no bug we are aware of that needs to be resolved, this is apparently a configuration error.
hogbinj
(James Hogbin)
December 3, 2018, 10:13am
5
So...
A couple of things.
Use the full path for the item you are configuring, e.g.

```yaml
xpack.security.authc.realms.cloud-saml.type: saml
xpack.security.authc.realms.cloud-saml.order: 2
xpack.security.authc.realms.cloud-saml.attributes.principal: "nameid:persistent"
xpack.security.authc.realms.cloud-saml.attributes.groups: "groups"
xpack.security.authc.realms.cloud-saml.idp.metadata.path: "https://app.onelogin.com/saml/metadata/[uuid]"
xpack.security.authc.realms.cloud-saml.idp.entity_id: "https://app.onelogin.com/saml/metadata/[uuid]"
xpack.security.authc.realms.cloud-saml.sp.entity_id: "https://[uuid].europe-west1.gcp.cloud.es.io:9243/"
xpack.security.authc.realms.cloud-saml.sp.acs: "https://[uuid].europe-west1.gcp.cloud.es.io:9243/api/security/v1/saml"
xpack.security.authc.realms.cloud-saml.sp.logout: "https://[uuid]4.europe-west1.gcp.cloud.es.io:9243/logout"
```

The xpack.security.authc.realms.cloud-saml.idp.entity_id needs to have the same value found in the html headers of the xpack.security.authc.realms.cloud-saml.idp.metadata.path: key.
Browse to the metadata.path URL and then view source. You should get something like...

```xml
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/[UUID]">
<IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data> ... ...
```
In my case both the entity_id and the metadata_path are the same.
hogbinj
(James Hogbin)
December 3, 2018, 10:31am
6
Also, the key
xpack.security.authc.realms.cloud-saml.attributes.principal: "nameid:persistent"
means you need to use a NameID (persistent) app.
ikakavas
(Ioannis Kakavas)
December 3, 2018, 1:57pm
7
A few comments in case this is helpful to others:

hogbinj:
> The xpack.security.authc.realms.cloud-saml.idp.entity_id needs to have the same value found in the html headers of the xpack.security.authc.realms.cloud-saml.idp.metadata.path: key

The xpack.security.authc.realms.cloud-saml.idp.entity_id configuration parameter needs to be the same as the Entity ID of the SAML IdP you are using. One way to figure this out is to look at the metadata, as @hogbinj suggests, or to look at the configuration pages of your IdP. Most have this shown in a prominent place in their UI or config.

hogbinj:
> xpack.security.authc.realms.cloud-saml.attributes.principal: "nameid:persistent"
> means you need to use a NameID (persistent) app

This is actually the other way around. If your Identity Provider sets the SAML2 Name ID with a persistent format, or if you configure it to do so (as @hogbinj is showing in his previous post), then you need to configure Elasticsearch to read the value as such by setting:
xpack.security.authc.realms.cloud-saml.attributes.principal: "nameid:persistent"
For detailed information on what this parameter is and what the other potential values are, you can go through our documentation.
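The two points made in the replies above, that idp.entity_id must be exactly the entityID attribute from the IdP metadata (not the SSO URL the first post used) and that "nameid:persistent" only works when the IdP actually issues a persistent NameID, can be checked offline before redeploying the cluster. The script below is an added example written for this thread; it is not code from Elastic or from any of the posters. The IdP metadata and the realm settings it contains are constructed stand-ins in the shape shown in the thread, and every UUID, hostname and app id in them is a placeholder. It also flags whitespace left inside the quoted values, which survives YAML parsing and defeats an exact entityID comparison.

```python
"""Static checks of an Elasticsearch SAML realm against its IdP metadata.
Added example for this thread, not Elastic's or any poster's code; the
metadata, UUIDs, hosts and app ids below are constructed placeholders."""
import xml.etree.ElementTree as ET

MD_NS = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed IdP metadata in the shape shown above, minus the signing cert.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/00000000-0000-0000-0000-000000000000">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://example.onelogin.com/trust/saml2/http-post/sso/000000"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Realm settings in the expanded one-key-per-line form that support asked for.
SAMPLE_REALM_LINES = """
xpack.security.authc.realms.cloud-saml.type: saml
xpack.security.authc.realms.cloud-saml.order: 2
xpack.security.authc.realms.cloud-saml.attributes.principal: "nameid:persistent"
xpack.security.authc.realms.cloud-saml.attributes.groups: "groups"
xpack.security.authc.realms.cloud-saml.idp.metadata.path: "https://app.onelogin.com/saml/metadata/00000000-0000-0000-0000-000000000000"
xpack.security.authc.realms.cloud-saml.idp.entity_id: "https://app.onelogin.com/saml/metadata/00000000-0000-0000-0000-000000000000"
xpack.security.authc.realms.cloud-saml.sp.entity_id: "https://00000000-0000-0000-0000-000000000000.europe-west1.gcp.cloud.es.io:9243/"
xpack.security.authc.realms.cloud-saml.sp.acs: "https://00000000-0000-0000-0000-000000000000.europe-west1.gcp.cloud.es.io:9243/api/security/v1/saml"
xpack.security.authc.realms.cloud-saml.sp.logout: "https://00000000-0000-0000-0000-000000000000.europe-west1.gcp.cloud.es.io:9243/logout"
"""

# "nameid:persistent" (the value used in the thread) only yields a principal
# when the IdP issues that NameID format; plain "nameid" accepts any format.
NAMEID_FORMATS = {"persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"}


def parse_realm_lines(text, realm="cloud-saml"):
    """Map 'xpack.security.authc.realms.<realm>.<key>: value' lines to {key: value}.
    Quotes are removed but whitespace inside them is kept so it can be flagged."""
    prefix = f"xpack.security.authc.realms.{realm}."
    settings = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if not key.startswith(prefix):
            continue  # blank line, comment, or another realm's setting
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key[len(prefix):]] = value
    return settings


def parse_idp_metadata(xml_text):
    """Pull entityID, NameID formats and SSO endpoints out of IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != MD_NS + "EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    idp = root.find(MD_NS + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    return {
        "entity_id": root.get("entityID", ""),
        "name_id_formats": [e.text.strip() for e in idp.findall(MD_NS + "NameIDFormat") if e.text],
        "sso_urls": [e.get("Location", "") for e in idp.findall(MD_NS + "SingleSignOnService")],
    }


def check_realm(settings, metadata):
    """Return a list of findings; empty means the realm agrees with the metadata."""
    problems = []
    # Whitespace inside the quotes survives YAML parsing and defeats the exact
    # entityID comparison Elasticsearch makes against the metadata.
    for key, value in settings.items():
        if value != value.strip():
            problems.append(f"{key} has leading/trailing whitespace inside its quotes")
    configured = settings.get("idp.entity_id", "").strip()
    expected = metadata["entity_id"]
    if configured != expected:
        if configured in metadata["sso_urls"]:
            problems.append("idp.entity_id is the IdP's SingleSignOnService URL, "
                            f"not its entityID; use {expected!r}")
        else:
            problems.append(f"idp.entity_id {configured!r} does not match "
                            f"metadata entityID {expected!r}")
    principal = settings.get("attributes.principal", "")
    wanted = NAMEID_FORMATS.get(principal.partition(":")[2]) if principal.startswith("nameid:") else None
    if wanted and wanted not in metadata["name_id_formats"]:
        problems.append(f"{principal} needs the IdP to issue {wanted}, "
                        "which its metadata does not advertise")
    for key in ("sp.entity_id", "sp.acs", "sp.logout"):
        value = settings.get(key, "").strip()
        if not value.startswith("https://"):
            problems.append(f"{key} must be an absolute https:// URL, got {value!r}")
    return problems


if __name__ == "__main__":
    found = check_realm(parse_realm_lines(SAMPLE_REALM_LINES), parse_idp_metadata(SAMPLE_IDP_METADATA))
    print("\n".join(found) or "realm settings agree with the IdP metadata")
```

To use it against a real deployment, replace SAMPLE_IDP_METADATA with the document served at idp.metadata.path (view-source of that URL, as described above) and SAMPLE_REALM_LINES with the realm lines from elasticsearch.yml; the checks are purely static, so nothing is sent to the IdP or the cluster. Swapping the entityID for the HTTP-POST SSO Location, which is what the first post's config did, is reported as its own finding because it is the most common way the "Cannot find metadata for entity" error arises.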
system
(system)
Closed
December 31, 2018, 1:57pm
8
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.