SAML SSO with WSO2 and Kibana

subhomoy.mukherjee · October 17, 2018, 2:27pm

Thanks for this, now able to login after mapping users to roles.

But noticed one thing that, if after some time I retry to login to my application and try to access the dashboard, I get the same following error as before:

subhomoy.mukherjee:

Due to this, I get the below in the logs:

[2018-10-16T15:50:39,652][WARN ][o.e.x.s.a.s.SamlAuthenticator] [hQ9aV9b] The XML Signature of this SAML message cannot be validated. Please verify that the saml realm uses the correct SAMLmetadata file/URL for this Identity Provider
[2018-10-16T15:50:39,655][WARN ][o.e.x.s.a.AuthenticationService] [hQ9aV9b] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML Signature [zmMT/0xpQWinHr+qhdmDMc0rGiw=
Sui...] could not be validated against []])

Now, if I re-download the metadata file from WSO2 IS and reset all the singlesignon URLs, save everything and restart the servers, it works again - able to login.
Do we need to download the metadata file after certain durations or is there some configuration issue? Could you please advise?

ikakavas · October 17, 2018, 4:38pm

There is nothing on the Elasticsearch side that would override the metadata assuming you use

idp.metadata.path: saml/idp-metadata.xml

as you indicated. It looks like something on your side is overwriting that file or your WSO2 IS is changing configuration at some point. Either way there is nothing we could help you with regarding this issue.

subhomoy.mukherjee · October 29, 2018, 1:58pm

Hello,

Solved this issue by changing the "Valid Until" field in the metadata.xml file. The SSO works as expected now. Thanks for all the help provided.

ikakavas · October 29, 2018, 2:14pm

Good to hear ! Please note that if
a) If the metadata are prone to change often or have a short validity time and
b) your IDP is hosting the metdata file at an https URL that can be reached from the Elasticsearch nodes

you can set the the URL in the SAML realm configuration of Elasticsearch as such

idp.metadata.path: https://youridpserver.com/path/to/idp-metadata.xml

and possibly also set

idp.metadata.http.refresh:

to control the frequency at which Elasticsearch is fetching the metadata file from your IDP ( default is 1h ) .

subhomoy.mukherjee · October 30, 2018, 12:37pm

ikakavas:

you can set the the URL in the SAML realm configuration of Elasticsearch as such
idp.metadata.path: https://youridpserver.com/path/to/idp-metadata.xml
and possibly also set
idp.metadata.http.refresh:

This tip definitely helps. Thanks!

system · November 27, 2018, 12:37pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.