SAML OKTA on KIBANA not working

Hello,
Please assist, and thank you in advance for the help. Below is my configuration for everything. What am I doing wrong?
Elasticsearch Config

cluster.name: elasticsearch
node.name: node-1
bootstrap.memory_lock: false

network.host: elkmachine.corp.mynetwork.com

http.port: 9200

discovery.seed_hosts: ["elkmachine.corp.mynetwork.com"]
cluster.initial_master_nodes: ["node-1"]
xpack.security.audit.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.native.native1:
    order: 0
xpack.security.authc.realms.saml.saml1:
    order: 1
    idp.metadata.path: "https://myokta.okta.com/app/exk1i59mmwdsjov5y20h8/sso/saml/metadata/"
    idp.entity_id: "http://www.okta.com/exk1i59mmwdsjov5y20h8"
    sp.entity_id:  "https://elkmachine.corp.mynetwork.com/"
    sp.acs: "https://elkmachine.corp.mynetwork.com/api/security/v1/saml"
    idp.use_single_logout: true
    sp.logout: "https://elkmachine.corp.mynetwork.com/logout"
    attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    signing.certificate: saml-sign.crt
    signing.key: saml-sign.key

KIBANA

server.name: "Kibana"
elasticsearch.hosts: ["https://elkmachine.corp.mynetwork.com:9200"]
kibana.index: ".kibana"

kibana.defaultAppId: "home"

elasticsearch.username: "elastic"
elasticsearch.password: "elastic"

server.ssl.enabled: true
server.ssl.certificate: "D:\\elk-certs\\elkmachinecorpmynetworkcom.crt"
server.ssl.key: "D:\\elk-certs\\elkmachinecorpmynetworkcom.key"
elasticsearch.ssl.verificationMode: none

xpack.security.encryptionKey: "i_am_enabling_this_for_security_and_more"
xpack.security.sessionTimeout: 600000
xpack.security.authc.providers: [basic, saml]
xpack.security.authc.saml.realm: saml1
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.public.hostname: "elkmachine.corp.mynetwork.com"

OKTA

Single Sign On URL:	 https://elkmachine.corp.mynetwork.com/api/security/v1/saml

Recipient URL:	 https://elkmachine.corp.mynetwork.com/api/security/v1/saml

Destination URL:	 https://elkmachine.corp.mynetwork.com/api/security/v1/saml

Audience Restriction:	 https://elkmachine.corp.mynetwork.com/

Name ID Format:	 EmailAddress

Response:	 Signed

Assertion Signature:	 Signed

Signature Algorithm:	 RSA_SHA256
Digest Algorithm:	 SHA256
Assertion Encryption: Unencrypted

Name          Name Format     Value
user.login    Unspecified     user.email

SAML Single Logout:	 Enabled
Signature Certificate saml-sign.crt (CN=saml-sign)

Honor Force Authentication:	 Yes

And I keep getting this error when I try to log in:

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}
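The settings in the post have to agree with each other in a handful of places before Elasticsearch will accept an assertion from Okta: the Okta SSO/Recipient/Destination URLs must equal the realm's sp.acs, the Audience Restriction must equal sp.entity_id character for character (trailing slash included), the ACS path must be in Kibana's server.xsrf.whitelist, and attributes.principal must be either the special value nameid or the Name of an attribute statement the IdP actually sends. The script below is an added example, not Elastic or Okta tooling; it encodes those pairings as a consistency check over the values copied from the post (constructed dicts, not live config), so a reader can run it offline and see which pairing a given configuration fails. Run over the post's values it reports only that the principal attribute name differs from the attribute statement Okta is configured to send; the thread does not say what the eventual fix was.

```python
"""Consistency check for an Elasticsearch SAML realm, the matching Kibana
provider settings and the Okta application that targets them.

Added example; not an Elastic or Okta tool. The three dicts below are
constructed from the values shown in the post.
"""
from urllib.parse import urlparse

# Constructed from the xpack.security.authc.realms.saml.saml1 block.
ES_REALMS = {
    "saml": {
        "saml1": {
            "idp.entity_id": "http://www.okta.com/exk1i59mmwdsjov5y20h8",
            "sp.entity_id": "https://elkmachine.corp.mynetwork.com/",
            "sp.acs": "https://elkmachine.corp.mynetwork.com/api/security/v1/saml",
            "sp.logout": "https://elkmachine.corp.mynetwork.com/logout",
            "attributes.principal":
                "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        }
    }
}

# Constructed from the Kibana block.
KIBANA = {
    "xpack.security.authc.providers": ["basic", "saml"],
    "xpack.security.authc.saml.realm": "saml1",
    "server.xsrf.whitelist": ["/api/security/v1/saml"],
}

# Constructed from the Okta application settings; attribute_statements maps
# the statement Name (what appears in the assertion) to its Okta value.
OKTA = {
    "sso_url": "https://elkmachine.corp.mynetwork.com/api/security/v1/saml",
    "recipient_url": "https://elkmachine.corp.mynetwork.com/api/security/v1/saml",
    "destination_url": "https://elkmachine.corp.mynetwork.com/api/security/v1/saml",
    "audience": "https://elkmachine.corp.mynetwork.com/",
    "nameid_format": "EmailAddress",
    "attribute_statements": {"user.login": "user.email"},
}


def check_saml_wiring(es_realms, kibana, okta):
    """Return a list of findings (strings); an empty list means the three
    sides agree on every pairing checked here."""
    findings = []

    # Kibana must name a realm that Elasticsearch actually defines.
    realm_name = kibana.get("xpack.security.authc.saml.realm")
    realm = es_realms.get("saml", {}).get(realm_name)
    if realm is None:
        return [f"Kibana points at SAML realm {realm_name!r}, which Elasticsearch does not define"]
    if "saml" not in kibana.get("xpack.security.authc.providers", []):
        findings.append("Kibana provider list does not include 'saml'")

    # Okta posts the response to its SSO URL; Recipient and Destination are
    # written into the assertion and compared against sp.acs by the realm.
    acs = realm["sp.acs"]
    for key in ("sso_url", "recipient_url", "destination_url"):
        if okta[key] != acs:
            findings.append(f"Okta {key} {okta[key]!r} does not match sp.acs {acs!r}")

    # Audience is an exact string comparison, so a trailing slash matters.
    if okta["audience"] != realm["sp.entity_id"]:
        findings.append(
            f"Okta audience {okta['audience']!r} does not match sp.entity_id {realm['sp.entity_id']!r}")

    # The IdP's POST carries no kbn-xsrf header, so the ACS path must be
    # whitelisted or Kibana rejects it before Elasticsearch ever sees it.
    acs_path = urlparse(acs).path
    if acs_path not in kibana.get("server.xsrf.whitelist", []):
        findings.append(f"ACS path {acs_path!r} is missing from server.xsrf.whitelist")

    # The principal is read either from the NameID ('nameid' / 'nameid:persistent')
    # or from an attribute whose Name matches attributes.principal exactly.
    principal = realm["attributes.principal"]
    sent = sorted(okta["attribute_statements"])
    if principal not in ("nameid", "nameid:persistent") and principal not in sent:
        findings.append(
            f"attributes.principal {principal!r} is neither 'nameid' nor an attribute name "
            f"Okta sends ({', '.join(sent)})")
    return findings


if __name__ == "__main__":
    for line in check_saml_wiring(ES_REALMS, KIBANA, OKTA) or ["no mismatches found"]:
        print(line)
```

The check is deliberately literal: Elasticsearch compares these values as strings, so the script does too rather than normalising URLs, which is exactly how a stray trailing slash or a differently cased host gets caught.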

Have you read https://www.elastic.co/guide/en/elasticsearch/reference/current/trb-security-saml.html, point 4? The cause of the error should already be printed in your logs.

@ikakavas
This is very useful, and this is the first time I am seeing the documentation on SAML common errors. But I checked the logs and there are no errors relating to SAML or to the reason why it is failing to log in.

Can you share a sample few lines from your elasticsearch log at around the time you get the message above in your browser?

@ikakavas I played with it again this morning until I finally figured it out. Thanks a lot for the help and patience.
