We have SAML auth configured for 3 of our ES clusters. When SSO'ing to Kibana, we sometimes get a 401 "access token expired" error. Retrying the SSO will give us a different 401, "SAML response state does not have corresponding request id."
Any further attempts to SSO will give us the same error. The only workaround we have found is to clear cookies for the found.io domain. After clearing cookies, SSO works normally.
This happens every couple days for each of our clusters. Is there a problem with our configuration that is causing this? How do we resolve it?
In case it is useful, here is the full text of the first error message:

```json
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] token expired, with { header={ WWW-Authenticate=\"Bearer realm=\\\"security\\\", error=\\\"invalid_token\\\", error_description=\\\"The access token expired\\\"\" } }"}
```

And the second error message:

```json
{"statusCode":401,"error":"Unauthorized","message":"SAML response state does not have corresponding request id."}
```
The relevant ES configuration:
```yaml
xpack.security.authc.realms.saml.saml1:
  order: 2
  # IdP (AWS SSO) metadata and entity ID
  idp.metadata.path: "https://portal.sso.us-east-2.amazonaws.com/saml/metadata/[REDACTED]"
  idp.entity_id: "https://portal.sso.us-east-2.amazonaws.com/saml/assertion/[REDACTED]"
  # SP (Kibana) entity ID, assertion consumer service and logout URLs
  sp.entity_id: "https://[REDACTED].us-east-1.aws.found.io/"
  sp.acs: "https://[REDACTED].us-east-1.aws.found.io/api/security/v1/saml"
  sp.logout: "https://[REDACTED].us-east-1.aws.found.io/logout"
  attributes.principal: "nameid"
```
And the relevant Kibana configuration:
```yaml
xpack.security.authc.providers: [saml, basic]
# the ACS path must be exempt from Kibana's XSRF check so the IdP's POST is accepted
server.xsrf.whitelist: [/api/security/v1/saml]
# must name the realm configured in Elasticsearch
xpack.security.authc.saml.realm: saml1
```
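An added consistency check for the realm and Kibana settings above (example code, not from the original post or from Elastic). It parses a constructed, minimal IdP metadata document and verifies that the Elasticsearch SAML realm and the Kibana settings agree with it and with each other: `idp.entity_id` matches the metadata `entityID`, the metadata offers an HTTP-Redirect SingleSignOnService endpoint and a signing certificate, `sp.acs` and `sp.logout` sit on the `sp.entity_id` origin with the ACS at `/api/security/v1/saml`, and Kibana's provider list, `server.xsrf.whitelist` and `xpack.security.authc.saml.realm` line up with the realm. The hostnames, entityID and certificate are placeholders standing in for the redacted values; the metadata XML is hand-written, not real AWS SSO output.

```python
"""Consistency checks for an Elasticsearch SAML realm and matching Kibana settings.

Added example, not code from the original post or from Elastic. Hostnames,
the IdP entityID and the certificate are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
KIBANA_ACS_PATH = "/api/security/v1/saml"  # Kibana's SAML assertion consumer endpoint

# Constructed IdP metadata: minimal and hand-written, not real AWS SSO output.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/assertion/abc123">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Placeholder values standing in for the redacted realm in the post.
ES_REALM_NAME = "saml1"
ES_REALM = {
    "order": 2,
    "idp.entity_id": "https://idp.example.com/saml/assertion/abc123",
    "sp.entity_id": "https://kibana.example.com/",
    "sp.acs": "https://kibana.example.com/api/security/v1/saml",
    "sp.logout": "https://kibana.example.com/logout",
    "attributes.principal": "nameid",
}
KIBANA = {
    "xpack.security.authc.providers": ["saml", "basic"],
    "server.xsrf.whitelist": ["/api/security/v1/saml"],
    "xpack.security.authc.saml.realm": "saml1",
}


def parse_idp_metadata(xml_text):
    """Extract the entityID, SSO endpoints per binding and signing certs from IdP metadata."""
    root = ET.fromstring(xml_text)
    sso = {}
    for ep in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS):
        sso[ep.get("Binding")] = ep.get("Location")
    cert_path = "md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    certs = [c.text.strip() for c in root.findall(cert_path, NS) if c.text and c.text.strip()]
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def check_saml_config(realm_name, es_realm, kibana, idp):
    """Return a list of human-readable inconsistencies; an empty list means all checks passed."""
    issues = []
    if es_realm["idp.entity_id"] != idp["entity_id"]:
        issues.append(f"idp.entity_id {es_realm['idp.entity_id']!r} does not match "
                      f"metadata entityID {idp['entity_id']!r}")
    if REDIRECT_BINDING not in idp["sso"]:
        issues.append("IdP metadata has no HTTP-Redirect SingleSignOnService endpoint "
                      "(Elasticsearch sends its AuthnRequest with that binding)")
    if not idp["signing_certs"]:
        issues.append("IdP metadata carries no signing certificate")

    sp = urlparse(es_realm["sp.entity_id"])
    acs = urlparse(es_realm["sp.acs"])
    logout = urlparse(es_realm["sp.logout"])
    for name, url in (("sp.entity_id", sp), ("sp.acs", acs), ("sp.logout", logout)):
        if url.scheme != "https":
            issues.append(f"{name} is not https")
    if (acs.scheme, acs.netloc) != (sp.scheme, sp.netloc):
        issues.append("sp.acs is not on the same origin as sp.entity_id")
    if (logout.scheme, logout.netloc) != (sp.scheme, sp.netloc):
        issues.append("sp.logout is not on the same origin as sp.entity_id")
    if acs.path != KIBANA_ACS_PATH:
        issues.append(f"sp.acs path {acs.path!r} is not Kibana's ACS path {KIBANA_ACS_PATH!r}")

    if "saml" not in kibana.get("xpack.security.authc.providers", []):
        issues.append("Kibana xpack.security.authc.providers does not include saml")
    if kibana.get("xpack.security.authc.saml.realm") != realm_name:
        issues.append(f"Kibana xpack.security.authc.saml.realm does not name the ES realm {realm_name!r}")
    if acs.path not in kibana.get("server.xsrf.whitelist", []):
        issues.append(f"server.xsrf.whitelist must include {acs.path!r} so Kibana accepts the IdP's POST")
    return issues


if __name__ == "__main__":
    problems = check_saml_config(ES_REALM_NAME, ES_REALM, KIBANA, parse_idp_metadata(IDP_METADATA))
    print("OK: realm and Kibana settings are consistent" if not problems else "\n".join(problems))
```

Point `IDP_METADATA` at the contents fetched from your real `idp.metadata.path` and replace the placeholder dicts with your own values to run the same checks against a live configuration. The checker only covers static consistency between the two configurations and the metadata; it does not diagnose token-lifetime or session-cookie behaviour.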