SAML SSO with WSO2 and Kibana

security

(Subhomoy Mukherjee) #21

Thanks for this, now able to login after mapping users to roles.

But I noticed one thing: if after some time I retry to log in to my application and try to access the dashboard, I get the same error as before:

Now, if I re-download the metadata file from WSO2 IS, reset all the single sign-on URLs, save everything and restart the servers, it works again and I am able to log in.
Do we need to download the metadata file after a certain duration, or is there some configuration issue? Could you please advise?


(Ioannis Kakavas) #22

There is nothing on the Elasticsearch side that would override the metadata assuming you use

idp.metadata.path: saml/idp-metadata.xml

as you indicated. It looks like something on your side is overwriting that file or your WSO2 IS is changing configuration at some point. Either way there is nothing we could help you with regarding this issue.


(Subhomoy Mukherjee) #23

Hello,

Solved this issue by changing the "Valid Until" field in the metadata.xml file. The SSO works as expected now. Thanks for all the help provided.


(Ioannis Kakavas) #24

Good to hear! Please note that if
a) the metadata are prone to change often or have a short validity time, and
b) your IDP is hosting the metadata file at an https URL that can be reached from the Elasticsearch nodes,

you can set the URL in the SAML realm configuration of Elasticsearch as such:

idp.metadata.path: https://youridpserver.com/path/to/idp-metadata.xml

and possibly also set

idp.metadata.http.refresh:

to control the frequency at which Elasticsearch fetches the metadata file from your IDP (default is 1h).

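The root cause in this thread was an expired `validUntil` attribute in the IdP metadata, and the follow-up advice is to poll the IdP's metadata URL at a suitable `idp.metadata.http.refresh` interval. The script below is an added example (not Elastic's or WSO2's code) that checks a metadata document for exactly that: it reads `validUntil` and `cacheDuration` from the root descriptor, reports whether the file has already expired, and warns when the remaining validity or the IdP's cache hint is shorter than the Elasticsearch refresh interval, so a stale copy would be served between polls. The metadata document, entity ID and URLs inside it are constructed for the example and are not from any real deployment.

```python
"""Check SAML IdP metadata for validUntil / cacheDuration expiry.

Added example for this thread; not Elastic's or WSO2's code. The sample
metadata below is constructed and its entity ID and URLs are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample modelled on an exported IdP descriptor (not a real deployment).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="localhost"
    validUntil="2019-03-01T10:00:00Z"
    cacheDuration="PT2H">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test:9443/samlsso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# xs:duration subset that appears in cacheDuration: days, hours, minutes, seconds.
_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text):
    """Parse an xs:duration such as 'PT2H' or 'P1DT12H' into a timedelta."""
    m = _DURATION_RE.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported xs:duration: {text!r}")
    return timedelta(days=int(m["d"] or 0), hours=int(m["h"] or 0),
                     minutes=int(m["m"] or 0), seconds=int(m["s"] or 0))


def parse_saml_datetime(text):
    """SAML dateTime values are UTC with a trailing 'Z'; make them tz-aware."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def check_metadata(xml_text, now, refresh=timedelta(hours=1)):
    """Return expiry status and warnings for a metadata document at time `now`.

    `refresh` mirrors idp.metadata.http.refresh (Elasticsearch default 1h).
    """
    root = ET.fromstring(xml_text)
    if root.tag not in (f"{{{NS_MD}}}EntityDescriptor", f"{{{NS_MD}}}EntitiesDescriptor"):
        raise ValueError(f"not SAML metadata: {root.tag}")

    result = {"entity_id": root.get("entityID"), "valid_until": None,
              "cache_duration": None, "expired": False, "warnings": []}

    valid_until_text = root.get("validUntil")
    if valid_until_text:
        valid_until = parse_saml_datetime(valid_until_text)
        result["valid_until"] = valid_until
        remaining = valid_until - now
        if remaining <= timedelta(0):
            result["expired"] = True
            result["warnings"].append(
                f"validUntil {valid_until_text} has passed; the file must be re-fetched or reissued")
        elif remaining < refresh:
            result["warnings"].append(
                f"validUntil is only {remaining} away, less than the refresh interval "
                f"{refresh}; lower idp.metadata.http.refresh")

    cache_text = root.get("cacheDuration")
    if cache_text:
        cache = parse_duration(cache_text)
        result["cache_duration"] = cache
        if cache < refresh:
            result["warnings"].append(
                f"cacheDuration {cache_text} is shorter than the refresh interval {refresh}; "
                f"the IdP expects consumers to re-fetch more often")
    return result


if __name__ == "__main__":
    report = check_metadata(SAMPLE_METADATA, datetime.now(timezone.utc))
    print(f"entityID={report['entity_id']} expired={report['expired']}")
    for warning in report["warnings"]:
        print(" -", warning)
```

Run it against the metadata file referenced by `idp.metadata.path` before restarting a node: an `expired` result explains a login that worked yesterday and fails today, and the `refresh` warnings tell you whether the polling interval needs to come down once you switch to the https URL.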

(Subhomoy Mukherjee) #25

This tip definitely helps. Thanks!


(system) #26

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.