SAML Issue in ELK 7.6.4

Hi All,

I was trying to integrate Okta with Elasticsearch and am getting the error below while logging into the console:

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}

Below is my Okta integration part from elasticsearch.yml:

xpack.security.authc.realms.saml.prod-saml:
   order: 2
   idp.metadata.path: "/etc/elasticsearch/ELK_ProdV1.xml"
   idp.entity_id: "http://www.okta.com/jurjyh1asdwreZJ2PSmblgj0"
   sp.entity_id: "https://itdashboard.iff.com:5601"
   sp.acs: "https://itdashboard.iff.com:5601/api/security/v1/saml"
   sp.logout: "https://itdashboard.iff.com:5601/logout"
   attributes.principal: "nameid"
   attributes.groups: "groups"

In the Elasticsearch logs, below is the only error I am getting:

[2020-09-25T02:24:56,159][INFO ][o.o.c.c.InitializationService] [1.3.5.3] Initializing OpenSAML using the Java Services API
[2020-09-25T02:24:56,858][INFO ][o.o.x.a.AlgorithmRegistry] [1.3.5.3] Algorithm failed runtime support check, will not be usable: http://www.w3.org/2001/04/xmlenc#ripemd160

Any idea where I'm making the mistake?

Thanks
Gautham

This is an INFO level message, so it doesn't indicate an error or a misconfiguration. You should look further down in your log, the appropriate error message will be printed out.

@ikakavas I tried drilling down further and tried a change: giving the IP address instead of the DNS entry, and it worked. So does this mean there is a problem with the DNS entry??

In my dev box I was using "http" (and was using the DNS name) and didn't have any problem, but in the production box I was using https; this DNS issue might be due to some certificate problem or so.

Thanks
Gautham

Apologies, but I don't follow you. What did you drill down into? Where did you "give your IP address"? Where were you using http instead of https? This might be obvious to you since you are performing the actions, but the rest of us lack any context as to what these sentences might mean.

@ikakavas Sorry, I forgot to mention it in detail.

I have changed the details in elasticsearch.yml and the Okta configuration:

sp.entity_id: "https://1.1.3.4:5601"
sp.acs: "https://1.1.3.4:5601/api/security/v1/saml"
sp.logout: "https://itdashboard.iff.com:5601/logout"

If I change the above-mentioned sp.entity_id to the DNS name, Kibana is not working. With the IP address it's successful.

Thanks
Gautham

sp.entity_id needs to match what you have configured in Okta. Same for the sp.acs .

sp.entity_id can be whatever you wish it to be; it's just a string in SAML. The sp.acs affects other stuff too, so if you want to access your Kibana by IP, use an IP; if you want to access it via the DNS name, set the DNS name. Just do exactly the same configuration both in Okta and in the Elastic Stack.

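The point of the last answer is that the SP settings in the realm and the SP settings registered in Okta are compared as strings, and that sp.acs is additionally a real URL the browser is redirected to, so its scheme and host must be the ones users actually type to reach Kibana. The script below is an added example (not from the thread, Elastic or Okta) that checks a realm block for exactly those mismatches. The Okta field names "Audience URI" and "Single sign on URL" and the realm values are assumptions modelled on the thread; the realm snippet and Okta values are constructed inline. The ACS path it expects, /api/security/v1/saml, is the one Kibana 7.x uses.

```python
"""Consistency checks for the SP side of an Elasticsearch SAML realm.

Added example, not code from the thread. Assumptions: the Okta app has an
"Audience URI" (the SP entity ID) and a "Single sign on URL" (the ACS), and
Kibana 7.x serves its ACS at /api/security/v1/saml.
"""
from urllib.parse import urlparse

KIBANA_ACS_PATH = "/api/security/v1/saml"  # Kibana 7.x SAML callback path


def parse_realm_snippet(text):
    """Flatten a realm block like the one posted (key: "value" lines) into a dict.

    Only the simple form used in the thread is handled; a real deployment
    would load elasticsearch.yml with a YAML parser instead.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):  # blank line or the realm header
            continue
        key, _, value = line.partition(":")  # split on the first ':' only, URLs keep theirs
        settings[key.strip()] = value.strip().strip('"')
    return settings


def check_saml_sp(realm, okta_audience_uri, okta_sso_url, kibana_url):
    """Return a list of mismatches; an empty list means the SP side is consistent."""
    findings = []
    entity_id = realm.get("sp.entity_id", "")
    acs = realm.get("sp.acs", "")
    logout = realm.get("sp.logout", "")

    # 1. Both values must equal what Okta has, byte for byte. entity_id is an
    #    opaque string in SAML, so it is compared as-is, not as a URL.
    if entity_id != okta_audience_uri:
        findings.append(f"sp.entity_id {entity_id!r} != Okta Audience URI {okta_audience_uri!r}")
    if acs != okta_sso_url:
        findings.append(f"sp.acs {acs!r} != Okta Single sign on URL {okta_sso_url!r}")

    # 2. The ACS is where the browser POSTs the SAML response, so its scheme and
    #    host must be the ones Kibana is reached by (IP vs DNS name matters here).
    kb, acs_u, lo_u = urlparse(kibana_url), urlparse(acs), urlparse(logout)
    if (acs_u.scheme, acs_u.netloc) != (kb.scheme, kb.netloc):
        findings.append(f"sp.acs points at {acs_u.netloc!r}, Kibana is reached at {kb.netloc!r}")
    if acs_u.path != KIBANA_ACS_PATH:
        findings.append(f"sp.acs path {acs_u.path!r} is not {KIBANA_ACS_PATH!r}")
    if (lo_u.scheme, lo_u.netloc) != (acs_u.scheme, acs_u.netloc):
        findings.append(f"sp.logout host {lo_u.netloc!r} differs from sp.acs host {acs_u.netloc!r}")
    if acs_u.scheme != "https":
        findings.append("sp.acs is not https; the SAML response would be posted in clear text")
    return findings


# Constructed from the values posted in the thread: IP in entity_id/acs, DNS in logout.
POSTED_REALM = """
xpack.security.authc.realms.saml.prod-saml:
   order: 2
   sp.entity_id: "https://1.1.3.4:5601"
   sp.acs: "https://1.1.3.4:5601/api/security/v1/saml"
   sp.logout: "https://itdashboard.iff.com:5601/logout"
"""
# Assumed Okta app settings: the SP registered there under the DNS name.
OKTA_AUDIENCE = "https://itdashboard.iff.com:5601"
OKTA_SSO_URL = "https://itdashboard.iff.com:5601/api/security/v1/saml"
KIBANA_URL = "https://itdashboard.iff.com:5601"

if __name__ == "__main__":
    for finding in check_saml_sp(parse_realm_snippet(POSTED_REALM),
                                 OKTA_AUDIENCE, OKTA_SSO_URL, KIBANA_URL):
        print("MISMATCH:", finding)
```

Run against the posted values it reports four mismatches (entity ID, ACS, ACS host vs. Kibana host, logout host vs. ACS host); once every URL uses the DNS name on both sides it reports none, which is the state the answer above describes.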