SAML response state does not have corresponding request id

Jesse_Bye · May 19, 2020, 4:11pm

We have SAML auth configured for 3 of our ES clusters. When SSO'ing to Kibana, we sometimes get a 401 "access token expired" error. Retrying the SSO will give us a different 401, "SAML response state does not have corresponding request id."

Any further attempts to SSO will give us the same error. The only workaround we have found is to clear cookies for the found.io domain. After clearing cookies, SSO works normally.

This happens every couple days for each of our clusters. Is there a problem with our configuration that is causing this? How do we resolve it?

In case it is useful, here is the full text of the first error message:
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] token expired, with { header={ WWW-Authenticate=\"Bearer realm=\\\"security\\\", error=\\\"invalid_token\\\", error_description=\\\"The access token expired\\\"\" } }"}

And the second error message:
{"statusCode":401,"error":"Unauthorized","message":"SAML response state does not have corresponding request id."}

The relevant ES configuration:
xpack.security.authc.realms.saml.saml1:
order: 2
idp.metadata.path: "https://portal.sso.us-east-2.amazonaws.com/saml/metadata/[REDACTED]"
idp.entity_id: "https://portal.sso.us-east-2.amazonaws.com/saml/assertion/[REDACTED]"
sp.entity_id: "https://[REDACTED].us-east-1.aws.found.io/"
sp.acs: "https://[REDACTED].us-east-1.aws.found.io/api/security/v1/saml"
sp.logout: "https://[REDACTED].us-east-1.aws.found.io/logout"
attributes.principal: "nameid"

And the relevant Kibana configuration:
xpack.security.authc.providers: [saml, basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.authc.saml.realm: saml1

ikakavas · May 20, 2020, 8:39am

What version are you on @Jesse_Bye? This

When SSO'ing to Kibana, we sometimes get a 401 "access token expired" error.

sounds like Properly handle SAML IdP initiated login with existing session containing expired access token · Issue #59629 · elastic/kibana · GitHub that we resolved recently and will be released in the next version. But refreshing the page should have resolved the issue when you come across it, not lead to the next error you're seeing.

If you can open a support ticket so that you can share your debug kibana logs and the elasticsearch trace logs for SAML , we will be able to give you a more qualified RCA.

Jesse_Bye · May 20, 2020, 3:26pm

Hmm, that does seem similar to our problem, except refreshing doesn't resolve it. We're on v7.7.0; should it be fixed on that version? Or only v7.7.1 and greater?

Also, I tried creating a support ticket for this before and they redirected me here

ikakavas · May 20, 2020, 4:03pm

Apologies for that @Jesse_Bye, I wasn't aware that you had already gone via support.

We just merged the fixes after 7.7.0 was releases so this fix should be available in the next minor or patch release that is released

system · June 17, 2020, 4:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Response session state does not have corresponding state or nonce parameters or redirect URL Elasticsearch elastic-stack-security	2	1420	December 24, 2019
Kibana SAML authentication error Kibana	6	1560	June 27, 2019
Auth to ECK using Azure AAD SAML failing Elasticsearch elastic-stack-security	9	994	September 15, 2020
Getting unauthorised saml user error Elasticsearch elastic-stack-security	9	3571	May 21, 2019
Elastic - SAML (Azure) integration issue Elasticsearch elastic-stack-security	2	613	April 14, 2020

SAML response state does not have corresponding request id

Related topics