hogbinj (James Hogbin)
November 29, 2018, 6:03pm | #1

I've tried to implement the advice here on securing a Cloud Cluster with SAML.
I added the following to the elasticsearch.yml, being careful to use spaces rather than the tabs you get if you copy the example, because YAML.
There are spaces, but the editor removes them in blockquotes.

xpack.security:
  authc:
    realms:
      cloud-saml:
        type: saml
        order: 2
        attributes.principal: "nameid:persistent"
        attributes.groups: "groups"
        idp.metadata.path: "https://app.onelogin.com/saml/metadata/[UUID]"
        idp.entity_id: "https://ip-sentinel.onelogin.com/trust/saml2/http-post/sso/865524"
        sp.entity_id: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/"
        sp.acs: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/api/security/v1/saml"
        sp.logout: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/logout"

That didn't deploy; the error was "xpack is not allowed".
I also noticed the editor turns 4 spaces into tabs, so maybe that was the error anyway.
I contacted support and they suggested I expand the YAML keys and it would work, so I did:

xpack.security.authc.realms.cloud-saml.type: saml
xpack.security.authc.realms.cloud-saml.order: 2
xpack.security.authc.realms.cloud-saml.attributes.principal: "nameid:persistent"
xpack.security.authc.realms.cloud-saml.attributes.groups: "groups"
xpack.security.authc.realms.cloud-saml.idp.metadata.path: "https://app.onelogin.com/saml/metadata/[UUID]"
xpack.security.authc.realms.cloud-saml.idp.entity_id: "https://ip-sentinel.onelogin.com/trust/saml2/http-post/sso/865524"
xpack.security.authc.realms.cloud-saml.sp.entity_id: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/"
xpack.security.authc.realms.cloud-saml.sp.acs: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/api/security/v1/saml"
xpack.security.authc.realms.cloud-saml.sp.logout: "https://[UUID].europe-west1.gcp.cloud.es.io:9243/logout"

That didn't work either.
Elastic support are now saying this is NOT support but consulting!!!!
Has anybody got this to work at all? Am I doing something obviously dim?

thiago (Thiago Souza)
November 30, 2018, 12:45pm | #2

The idp.entity_id in your realm config needs to match the entityID in the metadata file.
For more information, refer to Item 2 in Common SAML issues | Elasticsearch Guide [6.5] | Elastic:
Cannot find metadata for entity [your:entity.id] in [metadata.xml]

Best

dweidenfeld (Dominik Weidenfeld)
December 3, 2018, 9:42am | #3

I am having the same issue right now.
Is there already a solution for this, or do I have to contact the support as well?
Cheers

ikakavas (Ioannis Kakavas)
December 3, 2018, 10:06am | #4

Hello Dominik,
Please open your own topic and share as much information as possible, with details on what you have done, what your current configuration is and what error message you are seeing. There is no bug we are aware of that needs to be resolved; this is apparently a configuration error.

hogbinj (James Hogbin)
December 3, 2018, 10:13am | #5

So...
A couple of things.
Use the full path for the item you are configuring, e.g.

xpack.security.authc.realms.cloud-saml.type: saml
xpack.security.authc.realms.cloud-saml.order: 2
xpack.security.authc.realms.cloud-saml.attributes.principal: "nameid:persistent"
xpack.security.authc.realms.cloud-saml.attributes.groups: "groups"
xpack.security.authc.realms.cloud-saml.idp.metadata.path: "https://app.onelogin.com/saml/metadata/[uuid]"
xpack.security.authc.realms.cloud-saml.idp.entity_id: "https://app.onelogin.com/saml/metadata/[uuid]"
xpack.security.authc.realms.cloud-saml.sp.entity_id: "https://[uuid].europe-west1.gcp.cloud.es.io:9243/"
xpack.security.authc.realms.cloud-saml.sp.acs: "https://[uuid].europe-west1.gcp.cloud.es.io:9243/api/security/v1/saml"
xpack.security.authc.realms.cloud-saml.sp.logout: "https://[uuid].europe-west1.gcp.cloud.es.io:9243/logout"

The xpack.security.authc.realms.cloud-saml.idp.entity_id needs to have the same value found in the HTML headers of the xpack.security.authc.realms.cloud-saml.idp.metadata.path key.

Browse to the metadata.path URL and then view source. You should get something like...

<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://app.onelogin.com/saml/metadata/[UUID]">
<IDPSSODescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data> ... ...

In my case both the entity_id and the metadata_path are the same.

hogbinj (James Hogbin)
December 3, 2018, 10:31am | #6

Also, the key:
xpack.security.authc.realms.cloud-saml.attributes.principal: "nameid:persistent"

means you need to use a NameID (persistent) app.

ikakavas (Ioannis Kakavas)
December 3, 2018, 1:57pm | #7

A few comments in case this is helpful to others:

hogbinj:
    The xpack.security.authc.realms.cloud-saml.idp.entity_id needs to have the same value found in the HTML headers of the xpack.security.authc.realms.cloud-saml.idp.metadata.path key.

The xpack.security.authc.realms.cloud-saml.idp.entity_id configuration parameter needs to be the same as the Entity ID of the SAML IdP you are using. One way to figure this out is to look at the metadata, as @hogbinj suggests, or to look at the configuration pages of your IdP. Most have this shown in a prominent place in their UI or config.

This is actually the other way around. If your Identity Provider sets the SAML2 Name ID with a persistent format, or if you configure it to do so (as @hogbinj is showing in his previous post), then you need to configure Elasticsearch to read the value as such by setting:
xpack.security.authc.realms.cloud-saml.attributes.principal: "nameid:persistent"

For detailed information on what this parameter is and what the other potential values are, you can go through our documentation.
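The two checks this thread converges on (idp.entity_id must equal the entityID attribute of the IdP metadata, and a principal of "nameid:persistent" presupposes that the IdP issues persistent NameIDs), as an added example that is not part of this thread and not Elasticsearch's own code: the metadata XML and the dotted-key realm settings below are constructed with a placeholder UUID, and the entity ID is compared as an exact string so that a value that differs only by whitespace is reported as its own finding.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
REALM = "xpack.security.authc.realms.cloud-saml."
UUID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real tenant id

# Constructed IdP metadata, shaped like the OneLogin document quoted in the thread
# (signing key omitted).
IDP_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{MD_NS}" entityID="https://app.onelogin.com/saml/metadata/{UUID}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>{PERSISTENT}</NameIDFormat>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed realm settings in the expanded dotted-key form; idp.entity_id deliberately
# carries a trailing space, the kind of slip a config review should catch.
REALM_SETTINGS = {
    REALM + "type": "saml",
    REALM + "order": 2,
    REALM + "attributes.principal": "nameid:persistent",
    REALM + "idp.metadata.path": f"https://app.onelogin.com/saml/metadata/{UUID}",
    REALM + "idp.entity_id": f"https://app.onelogin.com/saml/metadata/{UUID} ",
    REALM + "sp.entity_id": f"https://{UUID}.europe-west1.gcp.cloud.es.io:9243/",
}

def parse_idp_metadata(xml_text):
    """Return (entityID, advertised NameID formats) from a SAML 2.0 EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    formats = [(e.text or "").strip() for e in root.iter(f"{{{MD_NS}}}NameIDFormat")]
    return root.attrib["entityID"], formats

def check_realm(settings, metadata_xml):
    """Cross-check realm settings against IdP metadata; return a list of findings."""
    entity_id, formats = parse_idp_metadata(metadata_xml)
    configured = settings.get(REALM + "idp.entity_id")
    findings = []
    if configured != entity_id:  # entity IDs are looked up as exact strings, so no normalising
        if configured is not None and configured.strip() == entity_id:
            findings.append("idp.entity_id differs from the metadata entityID only by whitespace")
        else:
            findings.append(f"idp.entity_id {configured!r} does not match metadata entityID {entity_id!r}")
    if settings.get(REALM + "attributes.principal") == "nameid:persistent" and formats and PERSISTENT not in formats:
        findings.append("principal is nameid:persistent but the IdP advertises no persistent NameID format")
    return findings
```

On the constructed input, check_realm(REALM_SETTINGS, IDP_METADATA) returns the single whitespace finding; with the trailing space removed from idp.entity_id it returns an empty list.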

system (system) - Closed
December 31, 2018, 1:57pm | #8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.