SAML settings on elasticsearch and kibana

Maybe you can better comment on this.
Elasticsearch and Kibana version 7.6.2
SAML setting in elasticsearch.yml

xpack.security.authc.realms.saml.saml1:
  order: 0
  signing.key: certs/instance.key
  signing.certificate: certs/instance_pub.pem
  encryption.certificate: certs/instance_pub.pem
  encryption.key: certs/instance.key
  idp.metadata.path: samlidp2_IBM_metadata_CIS_STAGE.xml
  idp.entity_id: "https://w3id.alpha.sso.ibm.com/auth/sps/samlidp2/saml20"
  sp.entity_id:  "https://localhost:5601/"
  sp.acs: "https://localhost:5601/api/security/v1/saml/"
  sp.logout: "https://localhost:5601/logout"
  attributes.principal: "urn:oid:0.9.2342.19200300.100.1.1"
  attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1."

kibana.yml setting

xpack.security.authc.saml.realm: saml1
server.xsrf.whitelist: [/api/security/v1/saml]

I have enabled SAML tracer in the browser and I am getting a valid SAML response after successful authentication.


Please update.
Looking forward to hearing from you. I have posted the SAML realm settings in my comment.

Please be patient in waiting for responses to your question and refrain from pinging multiple times asking for a response or opening multiple topics for the same question. This is a community forum, it may take time for someone to reply to your question. For more information please refer to the Community Code of Conduct specifically the section "Be patient". Also, please refrain from pinging folks directly, this is a forum and anyone that participates might be able to assist you.

If you are in need of a service with an SLA that covers response times for questions then you may want to consider talking to us about a subscription.

It's fine to answer on your own thread after 2 or 3 days (not including weekends) if you don't have an answer.

I do apologize if my comment offended you.

Did not!! Just trying to set expectations :) I will reply as soon as I get time to look into this.

Can you try without the trailing / for your sp.acs URL?

sp.acs: "https://localhost:5601/api/security/v1/saml"

instead of

sp.acs: "https://localhost:5601/api/security/v1/saml/"

Mind you, you need to regenerate the SAML metadata because the ACS is part of the metadata, and configure TFIM with the new metadata file.

If this doesn't fix the issue, we'd need more details to see what is amiss. I would ask you to capture a HAR (see here for instructions, for instance, depending on your browser) and share it with us in order to see what is up.
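The reason the trailing slash matters is that the service provider compares the assertion's Recipient against the configured sp.acs as an exact string, alongside the Audience versus sp.entity_id and the validity window. The following script is an added example (not Elasticsearch's own validation code and not posted by anyone in this thread) that runs those SP-side checks against a sample assertion constructed from the one posted later in the thread, using both elasticsearch.yml variants discussed above. It assumes a 3-minute clock skew, matching the realm's allowed_clock_skew default, and deliberately leaves signature verification out of scope.

```python
"""Validate the SP-side fields of a SAML assertion against a SAML realm's
sp.* / idp.* settings: Recipient vs sp.acs, Audience vs sp.entity_id,
Issuer vs idp.entity_id, InResponseTo and the validity window.

Added example, not Elasticsearch's own code. It demonstrates that the
Recipient check is an exact string comparison, so ".../saml/" and
".../saml" do not match. Signature verification is out of scope here.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample modelled on the assertion posted in the thread
# (signature and AttributeStatement left out; they play no part in these checks).
SAMPLE_ASSERTION = """<saml:Assertion ID="Assertion-1" IssueInstant="2020-06-17T16:47:29Z"
    Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://w3id.alpha.sso.ibm.com/auth/sps/samlidp2/saml20</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">uuid-1</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_445cd5d5" NotOnOrAfter="2020-06-17T16:57:29Z"
          Recipient="https://localhost:5601/api/security/v1/saml"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-06-17T16:46:29Z" NotOnOrAfter="2020-06-17T16:57:29Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://localhost:5601/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""

# The two elasticsearch.yml variants from the thread, reduced to the keys used here.
REALM_TRAILING_SLASH = {
    "idp.entity_id": "https://w3id.alpha.sso.ibm.com/auth/sps/samlidp2/saml20",
    "sp.entity_id": "https://localhost:5601/",
    "sp.acs": "https://localhost:5601/api/security/v1/saml/",
}
REALM_FIXED = dict(REALM_TRAILING_SLASH, **{"sp.acs": "https://localhost:5601/api/security/v1/saml"})

# Fixed "now" inside the sample assertion's validity window, for repeatable checks.
SAMPLE_TIME = datetime(2020, 6, 17, 16, 50, tzinfo=timezone.utc)


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, realm, now, expected_request_id=None, skew=timedelta(minutes=3)):
    """Return a list of problems; an empty list means every SP check passed.

    `skew` mirrors the realm's allowed_clock_skew default of 3 minutes (assumption)."""
    root = ET.fromstring(xml_text)
    problems = []

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != realm["idp.entity_id"]:
        problems.append(f"Issuer {issuer!r} does not match idp.entity_id")

    scd = root.find("saml:Subject/saml:SubjectConfirmation[@Method="
                    "'urn:oasis:names:tc:SAML:2.0:cm:bearer']/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        # Exact comparison: this is what a trailing "/" in sp.acs breaks.
        if scd.get("Recipient") != realm["sp.acs"]:
            problems.append(f"Recipient {scd.get('Recipient')!r} != sp.acs {realm['sp.acs']!r}")
        if expected_request_id is not None and scd.get("InResponseTo") != expected_request_id:
            problems.append("InResponseTo does not match the AuthnRequest ID we issued")
        if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")) + skew:
            problems.append("SubjectConfirmationData NotOnOrAfter has passed")

    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb) - skew:
            problems.append("assertion not yet valid (NotBefore)")
        if noa and now >= _ts(noa) + skew:
            problems.append("assertion expired (Conditions NotOnOrAfter)")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and realm["sp.entity_id"] not in audiences:
            problems.append(f"Audience {audiences} does not include sp.entity_id")
    return problems


def check_sample(realm):
    """Run the sample assertion against a realm config at SAMPLE_TIME."""
    return check_assertion(SAMPLE_ASSERTION, realm, SAMPLE_TIME, "_445cd5d5")


if __name__ == "__main__":
    for name, realm in (("trailing slash", REALM_TRAILING_SLASH), ("fixed", REALM_FIXED)):
        print(f"{name}: {check_sample(realm) or 'OK'}")
```

With the trailing-slash config the only failure reported is the Recipient mismatch, which is exactly the symptom of a metadata/ACS disagreement; after the SP metadata is regenerated from the corrected sp.acs and re-imported into the IdP, the same assertion passes. Elasticsearch additionally verifies the XML signature against the certificate in the IdP metadata before any of these checks matter.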

Awesome fix, thank you for the response.

Now I am getting the error mentioned below:

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}

elasticsearch.yml

xpack.security.authc.realms.saml.saml1:
  order: 0
  signing.key: certs/instance.key
  signing.certificate: certs/instance_pub.pem
  encryption.certificate: certs/instance_pub.pem
  encryption.key: certs/instance.key
  idp.metadata.path: samlidp2_IBM_metadata_CIS_STAGE.xml
  idp.entity_id: "https://w3id.alpha.sso.ibm.com/auth/sps/samlidp2/saml20"
  sp.entity_id:  "https://localhost:5601/"
  sp.acs: "https://localhost:5601/api/security/v1/saml"
  sp.logout: "https://localhost:5601/logout"
  attributes.principal: "nameid"

SAML Response:

<?xml version="1.0" encoding="UTF-8"?><saml:Assertion ID="Assertion-uuidc32da8f8-0172-1f44-8765-8108d08b64c5" IssueInstant="2020-06-17T16:47:29Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">IDP_LOGIN_URL</saml:Issuer>
  <ds:Signature Id="uuidc32da8f9-0172-1057-af0a-8108d08b64c5" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#Assertion-uuidc32da8f8-0172-1f44-8765-8108d08b64c5">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <xc14n:InclusiveNamespaces xmlns:xc14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs saml xsi"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>KtOumQcNrPGbgaXohAPD/H6fo/bPVBi/6JjyYN+oCds=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue></ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate></ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="IDP_LOGIN_URL" SPNameQualifier="https://localhost:5601/">uuidc32da7e3-0172-1f16-8f12-8108d08b64c5</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_445cd5d505b5162a7c35ea479da3d990ff443817" NotOnOrAfter="2020-06-17T16:57:29Z" Recipient="https://localhost:5601/api/security/v1/saml"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-06-17T16:46:29Z" NotOnOrAfter="2020-06-17T16:57:29Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://localhost:5601/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2020-06-17T16:47:29Z" SessionIndex="uuidc32525ac-0172-18b3-9015-8108d08b64c5" SessionNotOnOrAfter="2020-06-18T05:47:28Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">FIRST_NAME</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">CODE</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">LAST_NAME</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">EMAIL_ADDRESS</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">FULL_NAME</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="blueGroups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">XXX</saml:AttributeValue>
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">XXX</saml:AttributeValue>
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">XXX</saml:AttributeValue>
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">XXX</saml:AttributeValue>
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">XXX</saml:AttributeValue>
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">XXX</saml:AttributeValue>
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">XXX</saml:AttributeValue>
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">XXX</saml:AttributeValue>
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">XXX</saml:AttributeValue>
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">XXX</saml:AttributeValue>
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">XXX</saml:AttributeValue>
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">XXX</saml:AttributeValue>
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">XXX</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>

You need to check your logs, the reason is there. See point 4 in https://www.elastic.co/guide/en/elasticsearch/reference/current/trb-security-saml.html

Thank you for your response. All the logs are at DEBUG or TRACE level. Sorry, my bad, I mistakenly posted the wrong response:
URL hit after SSO authentication was done: https://localhost:5601/api/security/v1/saml
Response: {"statusCode":404,"error":"Not Found","message":"Not Found"}

log trace:

[2020-06-18T06:27:27,897][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [node1] Mapping user [UserData{username:uuidc509b45d-0172-1cbb-ae6b-8d3f712e595a; dn:null; groups:[]; metadata:{saml_nameid_format=urn:oasis:names:tc:SAML:2.0:nameid-format:transient, saml(lastName)=[LAST_NAME], saml(emailaddress)=[MY_EMAIL_ADDRESS], saml(uid)=[CODE_VALUE], saml_nameid=uuidc509b45d-0172-1cbb-ae6b-8d3f712e595a, saml(firstName)=[FIRST_NAME], saml(cn)=[FULL_NAME], saml(blueGroups)=[cn=COMMA_SEPARATED_MULTIPLE_VALUES]}; realm=saml1}] to roles [[bdm_own_index]]

elasticsearch.yml setting

xpack.security.authc.realms.saml.saml1:
  order: 0
  signing.key: certs/instance.key
  signing.certificate: certs/instance_pub.pem
  encryption.certificate: certs/instance_pub.pem
  encryption.key: certs/instance.key
  idp.metadata.path: samlidp2_IBM_metadata_CIS_STAGE.xml
  idp.entity_id: "https://w3id.alpha.sso.ibm.com/auth/sps/samlidp2/saml20"
  sp.entity_id:  "https://localhost:5601/"
  sp.acs: "https://localhost:5601/api/security/v1/saml"
  sp.logout: "https://localhost:5601/logout"
  attributes.principal: "nameid"

Still not sure how this happens. Do you try to navigate there directly or do you get redirected there? As I said above, I can't guess anything more from what we have already; I'd need a HAR.

According to your logs the SAML authentication succeeds and you get authenticated as uuidc509b45d-0172-1cbb-ae6b-8d3f712e595a with the role bdm_own_index. It could make sense that you get a 403 because bdm_own_index might not give you the necessary privileges in Elasticsearch and Kibana (check the SAML docs on that, we have very detailed information), but not a 404.

I was directly hitting https://localhost:5601/api/security/v1/saml in my browser.
If I try to open https://localhost:5601/ from my browser it is authenticated via SSO and there is no error in the logs.

[2020-06-18T06:27:27,897][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [node1] Mapping user [UserData{username:uuidc509b45d-0172-1cbb-ae6b-8d3f712e595a; dn:null; groups:[]; metadata:{saml_nameid_format=urn:oasis:names:tc:SAML:2.0:nameid-format:transient, saml(lastName)=[LAST_NAME], saml(emailaddress)=[MY_EMAIL_ADDRESS], saml(uid)=[CODE_VALUE], saml_nameid=uuidc509b45d-0172-1cbb-ae6b-8d3f712e595a, saml(firstName)=[FIRST_NAME], saml(cn)=[FULL_NAME], saml(blueGroups)=[cn=COMMA_SEPARATED_MULTIPLE_VALUES]}; realm=saml1}] to roles [[bdm_own_index]]

Error response:
{"statusCode":403,"error":"Forbidden","message":"Forbidden"}

For this I executed the curl command below for role mapping, but it is still giving me statusCode 403 and Forbidden:

curl -k -u elastic:ELASTIC_SEARCH_PASSWORD -X PUT "https://localhost:9200/_security/role_mapping/saml-MY_RANDOM_TEXT" -H 'Content-Type: application/json' -d'
{
  "roles": [ "bdm_own_index" ],
  "enabled": true,
  "rules": { "all": [
        { "field": { "realm.name": "saml1" } }
  ] }
}'

And also, please confirm: at the end of the URL path I have added random text like saml-MY_RANDOM_TEXT. Is that fine, or do I need to use some other value?
https://localhost:9200/_security/role_mapping/saml-MY_RANDOM_TEXT

You don't have to do that; this is not a way to log in, so we can stop looking into it. You can initiate login by simply visiting the base Kibana URL.

This is what you need to be doing. The reason you get a 403 is that your user has no role that gives them privileges to Kibana. Create a role that gives you access to Kibana features as instructed in Kibana role management (Kibana Guide) and then change your role mapping so that the user gets that role too.

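The role-mapping name in the URL (saml-MY_RANDOM_TEXT) is just an identifier; what decides which roles a SAML login receives is the rules block, evaluated against the user data the realm logs (username, dn, groups, realm.name, metadata.*). The script below is an added example (not Elasticsearch's implementation and not posted by anyone in this thread) that evaluates role-mapping rules offline, following the documented field/any/all/except DSL with "*" wildcards, so you can see which roles a mapping hands out before touching the cluster. The user record is constructed from the NativeRoleMappingStore debug line above with values shortened; the second mapping, the kibana_team_a role and the variant where attributes.groups is set to blueGroups are assumptions for illustration.

```python
"""Evaluate Elasticsearch role-mapping rules offline against the user data the
SAML realm logs, to see which roles a SAML login would receive.

Added example, not Elasticsearch's own implementation. It follows the documented
rule DSL (field / any / all / except, with "*" wildcards) closely enough to
answer "why did this mapping (not) give me role X" before touching the cluster.
"""
from fnmatch import fnmatchcase

# Constructed from the NativeRoleMappingStore debug line in the thread, values
# shortened. groups is empty because attributes.groups is not set in the realm
# config, so the blueGroups attribute only shows up under metadata.
USER = {
    "username": "uuidc509b45d-0172-1cbb-ae6b-8d3f712e595a",
    "dn": None,
    "groups": [],
    "realm": {"name": "saml1"},
    "metadata": {
        "saml_nameid_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
        "saml(uid)": ["CODE_VALUE"],
        "saml(blueGroups)": ["cn=team-a", "cn=team-b"],
    },
}
# Same login if the realm had attributes.groups: "blueGroups" (assumed here).
USER_WITH_GROUPS = dict(USER, groups=["cn=team-a", "cn=team-b"])

MAPPINGS = {
    # The mapping posted in the thread: everyone from realm saml1 gets bdm_own_index.
    "saml-MY_RANDOM_TEXT": {
        "roles": ["bdm_own_index"],
        "enabled": True,
        "rules": {"all": [{"field": {"realm.name": "saml1"}}]},
    },
    # Hypothetical second mapping that hands out a Kibana-enabled role by group.
    "saml-kibana-team-a": {
        "roles": ["kibana_team_a"],
        "enabled": True,
        "rules": {"all": [
            {"field": {"realm.name": "saml1"}},
            {"field": {"groups": "cn=team-a"}},
        ]},
    },
}


def _lookup(user, path):
    """Resolve a dotted field name such as realm.name or metadata.saml_nameid_format."""
    cur = user
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _values_match(actual, expected):
    """A field rule matches when any actual value equals (or glob-matches) any expected value."""
    actual_vals = actual if isinstance(actual, list) else [actual]
    expected_vals = expected if isinstance(expected, list) else [expected]
    for a in actual_vals:
        for e in expected_vals:
            if isinstance(a, str) and isinstance(e, str):
                if fnmatchcase(a, e):
                    return True
            elif a == e:  # None, booleans, numbers
                return True
    return False


def rule_matches(rule, user):
    """Recursive evaluation of one rule object against the user record."""
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    if "field" in rule:
        (path, expected), = rule["field"].items()
        return _values_match(_lookup(user, path), expected)
    raise ValueError(f"unknown rule type: {rule}")


def roles_for(user, mappings):
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


if __name__ == "__main__":
    print("as logged:      ", roles_for(USER, MAPPINGS))
    print("with groups set:", roles_for(USER_WITH_GROUPS, MAPPINGS))
```

As logged, the user only gets bdm_own_index, which is what the debug line shows: the group-based mapping cannot match while the realm leaves groups empty. Note that the script only tells you which roles a login receives, not what those roles can do; the 403 in this thread went away because the mapped role was given Kibana feature privileges, not because of a change to the mapping rules.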

Awesome, it worked. Thank you so much, @ikakavas.
I will preserve this as documentation so that I can look into it if I face any problem in the future. The complete SAML flow is configured.
I had a few concerns related to subscription; if you can guide me then I can post them here. For the subscription I have written a note to the support team, but still have no word.
