SAML in Elastic Cloud - Support can't fix and are saying it's Consulting now!

security

(James Hogbin) #1

I've tried to implement the advice here on securing a Cloud Cluster with SAML

I added the following to the elasticsearch.yml, being careful to use spaces rather than the tabs you get if you copy the example, because YAML.

There are spaces, but the editor removes them in blockquotes.

```yaml
xpack.security:
  authc:
    realms:
      cloud-saml:
        type: saml
        order: 2
        attributes.principal: "nameid:persistent"
        attributes.groups: "groups"
        idp.metadata.path: "https://app.onelogin.com/saml/metadata/[UUID]"
        idp.entity_id: "https://ip-sentinel.onelogin.com/trust/saml2/http-post/sso/865524"
        sp.entity_id: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/"
        sp.acs: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/api/security/v1/saml"
        sp.logout: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/logout"
```

That didn't deploy, with the error `xpack is not allowed`.

I also noticed the editor turns 4 spaces into tabs, so maybe that was the error anyway.

I contacted support and they suggested I expand the YAML keys and it would work, so I did:

```yaml
xpack.security.authc.realms.cloud-saml.type: saml
xpack.security.authc.realms.cloud-saml.order: 2
xpack.security.authc.realms.cloud-saml.attributes.principal: "nameid:persistent"
xpack.security.authc.realms.cloud-saml.attributes.groups: "groups"
xpack.security.authc.realms.cloud-saml.idp.metadata.path: "https://app.onelogin.com/saml/metadata/[UUID]"
xpack.security.authc.realms.cloud-saml.idp.entity_id: "https://ip-sentinel.onelogin.com/trust/saml2/http-post/sso/865524"
xpack.security.authc.realms.cloud-saml.sp.entity_id: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/"
xpack.security.authc.realms.cloud-saml.sp.acs: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/api/security/v1/saml"
xpack.security.authc.realms.cloud-saml.sp.logout: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/logout"
```

That didn't work either.

Elastic support are now saying this is NOT support but consulting!!!!

Has anybody got this to work at all? Am I doing something obviously dim?


(Thiago Souza) #2

The `idp.entity_id` in your realm config needs to match the `entityID` in the metadata file.

For more information, refer to Item 2 in https://www.elastic.co/guide/en/elastic-stack-overview/6.5/trb-security-saml.html

```
Cannot find metadata for entity [your:entity.id] in [metadata.xml]
```

Best


(Dominik Weidenfeld) #3

I am having the same issue right now.
Is there already a solution for this, or do I have to contact the support as well?

cheers


(Ioannis Kakavas) #4

Hello Dominik,

Please open your own topic and share as much information as possible, with details on what you have done, what your current configuration is, and what error message you are seeing. There is no bug we are aware of that needs to be resolved; this is apparently a configuration error.


(James Hogbin) #5

So...

A couple of things.

  1. Use the full path for the item you are configuring, e.g.

```yaml
xpack.security.authc.realms.cloud-saml.type: saml
xpack.security.authc.realms.cloud-saml.order: 2
xpack.security.authc.realms.cloud-saml.attributes.principal: "nameid:persistent"
xpack.security.authc.realms.cloud-saml.attributes.groups: "groups"
xpack.security.authc.realms.cloud-saml.idp.metadata.path: "https://app.onelogin.com/saml/metadata/[uuid]"
xpack.security.authc.realms.cloud-saml.idp.entity_id: "https://app.onelogin.com/saml/metadata/[uuid]"
xpack.security.authc.realms.cloud-saml.sp.entity_id: "https://[uuid].europe-west1.gcp.cloud.es.io:9243/"
xpack.security.authc.realms.cloud-saml.sp.acs: "https://[uuid].europe-west1.gcp.cloud.es.io:9243/api/security/v1/saml"
xpack.security.authc.realms.cloud-saml.sp.logout: "https://[uuid].europe-west1.gcp.cloud.es.io:9243/logout"
```

  2. The `xpack.security.authc.realms.cloud-saml.idp.entity_id` needs to have the same value found in the html headers of the `xpack.security.authc.realms.cloud-saml.idp.metadata.path` key.

Browse to the metadata.path URL and then view source. You should get something like...

```xml
<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/[UUID]">
  <IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data> ... ...
```

In my case both the entity_id and the metadata.path are the same.


(James Hogbin) #6

Also the key:

```yaml
xpack.security.authc.realms.cloud-saml.attributes.principal: "nameid:persistent"
```

means you need to use a NameID (persistent) app.


(Ioannis Kakavas) #7

A few comments in case this is helpful to others:

The `xpack.security.authc.realms.cloud-saml.idp.entity_id` configuration parameter needs to be the same as the Entity ID of the SAML IdP you are using. One way to figure this out is to look at the metadata, as @hogbinj suggests, or look at the configuration pages of your IdP. Most have this shown in a prominent place in their UI or config.

This is actually the other way around. If your Identity Provider sets the SAML2 Name ID with a persistent format, or if you configure it to do so (as @hogbinj is showing in his previous post), then you need to configure Elasticsearch to read the value as such by setting:

```yaml
xpack.security.authc.realms.cloud-saml.attributes.principal: "nameid:persistent"
```

For detailed information on what this parameter is and what the other potential values are, you can go through our documentation.
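Both post #5 (browse to the metadata, compare its `entityID` with `idp.entity_id`) and post #7 (the principal attribute must match the Name ID format the IdP actually issues) describe checks that can be done before deploying a realm. The script below is an added example, not code from the thread or from Elastic: it flattens a nested realm config into the dotted keys that support recommended, parses a constructed sample of IdP metadata with the standard library, and reports the mismatches the thread discusses. The metadata, URLs and UUIDs in it are constructed placeholders, and `check_realm` is a hypothetical helper, not an Elasticsearch API.

```python
"""Pre-deployment consistency check for an Elasticsearch SAML realm.

Added example (not from the thread). All sample values are constructed.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed IdP metadata, shaped like the snippet shown in the thread.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://app.onelogin.com/saml/metadata/EXAMPLE-UUID">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed nested config, as one would write it in elasticsearch.yml.
# idp.entity_id deliberately points at an SSO URL instead of the entityID,
# reproducing the mistake from the first post.
NESTED_CONFIG = {
    "xpack": {"security": {"authc": {"realms": {"cloud-saml": {
        "type": "saml",
        "order": 2,
        "attributes": {"principal": "nameid:persistent", "groups": "groups"},
        "idp": {
            "metadata": {"path": "https://app.onelogin.com/saml/metadata/EXAMPLE-UUID"},
            "entity_id": "https://example.onelogin.com/trust/saml2/http-post/sso/0000",
        },
        "sp": {
            "entity_id": "https://EXAMPLE-UUID.europe-west1.gcp.cloud.es.io:9243/",
            "acs": "https://EXAMPLE-UUID.europe-west1.gcp.cloud.es.io:9243/api/security/v1/saml",
            "logout": "https://EXAMPLE-UUID.europe-west1.gcp.cloud.es.io:9243/logout",
        },
    }}}}}
}


def flatten(cfg, prefix=""):
    """Turn a nested mapping into dotted keys: {'a': {'b': 1}} -> {'a.b': 1}."""
    out = {}
    for key, value in cfg.items():
        full = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, full))
        else:
            out[full] = value
    return out


def to_flat_yaml(flat):
    """Render flattened keys as the one-key-per-line form support suggested."""
    return "\n".join(f'{k}: "{v}"' if isinstance(v, str) else f"{k}: {v}"
                     for k, v in flat.items())


def metadata_entity_id(xml_text):
    """Return the entityID attribute of the metadata's EntityDescriptor root."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"unexpected root element {root.tag}")
    return root.attrib["entityID"]


def metadata_nameid_formats(xml_text):
    """Return every NameIDFormat the IdP advertises (may be empty)."""
    root = ET.fromstring(xml_text)
    return [e.text.strip() for e in root.iter(f"{{{MD_NS}}}NameIDFormat") if e.text]


def check_realm(flat, realm, xml_text):
    """Return a list of problems; an empty list means the realm looks consistent."""
    base = f"xpack.security.authc.realms.{realm}"
    problems = []
    # Post #2/#5/#7: idp.entity_id must equal the entityID in the metadata.
    configured = flat.get(f"{base}.idp.entity_id")
    actual = metadata_entity_id(xml_text)
    if configured != actual:
        problems.append(f"{base}.idp.entity_id is {configured!r} "
                        f"but metadata entityID is {actual!r}")
    # Post #6/#7: "nameid:<format>" only works if the IdP issues that format.
    principal = str(flat.get(f"{base}.attributes.principal", ""))
    if principal.startswith("nameid:"):
        wanted = principal.split(":", 1)[1]
        formats = metadata_nameid_formats(xml_text)
        if formats and not any(f.endswith(f"nameid-format:{wanted}") for f in formats):
            problems.append(f"{base}.attributes.principal wants NameID format "
                            f"{wanted!r} but the IdP advertises {formats}")
    # Catch malformed SP URLs such as a missing slash in the scheme.
    for url_key in ("sp.entity_id", "sp.acs", "sp.logout"):
        value = str(flat.get(f"{base}.{url_key}", ""))
        if not value.startswith(("https://", "http://")):
            problems.append(f"{base}.{url_key} does not look like a URL: {value!r}")
    return problems


if __name__ == "__main__":
    flat = flatten(NESTED_CONFIG)
    print(to_flat_yaml(flat))
    for problem in check_realm(flat, "cloud-saml", SAMPLE_METADATA):
        print("PROBLEM:", problem)
```

Run it as-is and it prints the flattened keys followed by one problem, the `idp.entity_id` mismatch; replace that value with the metadata's `entityID` and the check passes. In a real deployment, fetch the metadata from `idp.metadata.path` over HTTPS (or read the local file) and pass the text to `check_realm` instead of the constructed sample.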