SAML SSO with WSO2 and Kibana

Ok, now I have a better idea of what you want to achieve. Two things I want to touch upon here.

1. Solution architecture

Step 3 above is not as simple as it sounds. What would basically happen is all the following:

  1. User will try to access appx, which will redirect them to the SAML Identity Provider (WSO2 Identity Server).
  2. User will authenticate with WSO2 IS by means of entering credentials in a form, and
    a. A session cookie (for WSO2 IS) will be set in the user's browser
    b. The user's browser will be redirected back to appx with a SAML Response
  3. Appx will consume the SAML Response from WSO2 IS and, after validating it, will create a session for the user in appx's context (again setting an appx-specific session cookie).

Now, when the user tries to access the page where Kibana is embedded:

  1. The browser will try to access Kibana, which will redirect them to the SAML Identity Provider (WSO2 Identity Server). Kibana doesn't know that the user has already logged in to the Identity Provider; Kibana is a different Service Provider.
  2. User will be redirected to WSO2 IS within the iframe, but this request will carry the user's existing cookies (i.e. the cookie set in 2a above), so WSO2 IS can determine that the user is already authenticated and will not prompt for authentication but instead redirect the user back to Kibana with a SAML Response.
  3. Kibana (and Elasticsearch) will handle the SAML Response as documented here and will set a Kibana-specific session cookie for the user. Note that this cookie is unrelated to the appx cookie set in 3 above.

A few potential issues with this:

  • You need to configure the WSO2 IS user interface to be accessible from an iframe (setting the X-Frame-Options response header to an appropriate value), otherwise step 5 above might fail.
  • You need to configure WSO2 IS with an appropriately large session duration so that, when users open the dashboard page in appx, their original session with WSO2 IS is still valid. Otherwise they will be prompted for login within the iframe, and that is not optimal UX.
  • No matter how you configure things, keep in mind that the appx sessions and Kibana sessions are not connected in any way, so your UI/UX should account for the fact that one of the two might expire before the other. I.e. it doesn't matter if you set your Kibana sessions to expire after 3 hours if your appx sessions expire after 10 minutes: your users will be prompted for authentication in appx even if they still have a valid session for Kibana.

2. SAML Configuration

All the above will come into play after you correctly configure SAML for Kibana, as it now looks like it's not properly set up.

This means Kibana falls back to using the basic authProvider, because something goes wrong with handling the incoming SAML Response or because it can't even generate the SAML Request to WSO2 IS. You can find out what goes wrong by checking the logs from Elasticsearch; we would have printed appropriate [ERROR] messages that can guide us through to resolution.

You can also enable more detailed logging for SAML by setting the appropriate level, i.e.:

PUT /_cluster/settings
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc.saml": "trace"
  }
}

Hope this helps

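The first two "potential issues" in the answer above (the IdP page must be frameable, and the IdP session cookie must actually be sent on the framed request) can be checked offline against the headers the IdP returns. The script below is an added example, not code from the post, from WSO2 or from Elastic. It models what current browsers do: a CSP `frame-ancestors` directive takes precedence over `X-Frame-Options`, an obsolete or unknown `X-Frame-Options` value (such as `ALLOW-FROM`) makes browsers ignore the header, and on a cross-site iframe navigation only a `SameSite=None; Secure` cookie is attached, since a missing `SameSite` attribute is treated as `Lax`. The origins, the cookie name and all header values are constructed placeholders (assumptions); the "site" computation takes the last two host labels instead of consulting the Public Suffix List, and full third-party-cookie blocking is not modelled.

```python
"""Offline checks for embedding a SAML IdP login page in an iframe on another site.

Added example: models X-Frame-Options / CSP frame-ancestors precedence and
SameSite cookie rules as current browsers apply them. Nothing is fetched.
"""
from __future__ import annotations
from urllib.parse import urlsplit

APPX = "https://appx.example.com"   # placeholder origin of the embedding app (assumption)
IDP = "https://is.idp.example"      # placeholder origin of WSO2 IS (assumption)


def _origin_parts(origin: str) -> tuple[str, str, int]:
    """(scheme, host, port) of an origin, with the default port filled in."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    port = u.port or (443 if scheme == "https" else 80)
    return scheme, (u.hostname or "").lower(), port


def _site(origin: str) -> str:
    """Registrable domain. Simplification: last two labels; a real check would
    use the Public Suffix List so that e.g. co.uk is handled correctly."""
    return ".".join(_origin_parts(origin)[1].split(".")[-2:])


def _source_matches(source: str, embedder: str, idp: str) -> bool:
    """Match one CSP frame-ancestors source expression against the embedder origin."""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return _origin_parts(embedder) == _origin_parts(idp)
    e_scheme, e_host, e_port = _origin_parts(embedder)
    if s.endswith(":") and "://" not in s:          # scheme-source, e.g. "https:"
        return e_scheme == s[:-1]
    if "://" in s:                                   # host-source with explicit scheme
        scheme, rest = s.split("://", 1)
        if scheme != e_scheme:
            return False
    else:                                            # host-source without scheme: any scheme (simplification)
        rest = s
    host, _, port = rest.partition(":")
    if port and port != "*" and int(port) != e_port:
        return False
    if host.startswith("*."):                        # "*.example.com" matches "appx.example.com"
        return e_host.endswith(host[1:])
    return host == e_host


def framing_allowed(headers: dict[str, str], embedder: str, idp: str) -> bool:
    """Would a browser render the IdP page (served with these response headers)
    inside a frame on `embedder`? frame-ancestors wins over X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return any(_source_matches(src, embedder, idp) for src in value.split())
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin_parts(embedder) == _origin_parts(idp)
    # Header absent, or an obsolete/unknown value such as ALLOW-FROM: browsers ignore it.
    return True


def _parse_set_cookie(set_cookie: str) -> dict[str, str]:
    """Attributes of a Set-Cookie value, lower-cased; flag attributes map to ""."""
    attrs: dict[str, str] = {}
    for part in set_cookie.split(";")[1:]:
        k, _, v = part.strip().partition("=")
        attrs[k.strip().lower()] = v.strip().lower()
    return attrs


def idp_cookie_sent_in_iframe(set_cookie: str, embedder: str, idp: str) -> bool:
    """Is the IdP session cookie attached when the IdP is navigated to inside an
    iframe on `embedder`? An iframe navigation is not a top-level navigation, so
    Lax (the default when SameSite is missing) and Strict cookies are withheld
    cross-site; SameSite=None is only accepted together with Secure."""
    if _site(embedder) == _site(idp):
        return True                      # same-site: SameSite never withholds the cookie
    attrs = _parse_set_cookie(set_cookie)
    if attrs.get("samesite", "lax") == "none":
        return "secure" in attrs
    return False


def check_embedding(idp_headers: dict[str, str], idp_set_cookie: str,
                    embedder: str, idp: str) -> dict[str, bool]:
    """Both findings for one IdP response, keyed by what the answer above calls out."""
    return {
        "idp_page_framable": framing_allowed(idp_headers, embedder, idp),
        "idp_session_cookie_sent": idp_cookie_sent_in_iframe(idp_set_cookie, embedder, idp),
    }


if __name__ == "__main__":
    # Constructed headers and Set-Cookie values, not captured from a real WSO2 IS.
    before = ({"X-Frame-Options": "DENY"}, "sid=abc123; Path=/; Secure; HttpOnly")
    after = ({"Content-Security-Policy": "frame-ancestors 'self' https://appx.example.com"},
             "sid=abc123; Path=/; Secure; HttpOnly; SameSite=None")
    for label, (hdrs, cookie) in (("before", before), ("after", after)):
        print(label, check_embedding(hdrs, cookie, APPX, IDP))
```

Run it as-is to see the "before" configuration fail both checks and the "after" one pass both. The second check is the one people forget: even once `X-Frame-Options` is relaxed, an IdP session cookie without `SameSite=None; Secure` is not sent on the framed request, so WSO2 IS cannot recognise the existing session and prompts for login inside the iframe exactly as the answer warns.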