SAML with Onelogin

I am currently trying to get SAML auth working with OneLogin .
Version : Elastic Cloud Cluster 7.4

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0=\"Bearer realm=\\\"security\\\"\" & 1=\"ApiKey\" & 2=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" } } }"}

Elasticsearch config:

xpack:
  security:
    authc:
      realms:
        saml: 
          cloud-saml: 
            order: 2
            attributes.principal: "nameid:persistent" 
            attributes.groups: "groups" 
            idp.metadata.path: "https://app.onelogin.com/saml/metadata/xxx" 
            idp.entity_id: "https://app.onelogin.com/saml/metadata/xxx" 
            sp.entity_id: "https://8e1d.us-east-1.aws.found.io:9243/" 
            sp.acs: "https://8e1d.us-east-1.aws.found.io:9243/api/security/v1/saml"
            sp.logout: "https://8e1d.us-east-1.aws.found.io:9243/logout"

Kibana config:

xpack.security.authc.providers: [saml, basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.authc.saml.realm: cloud-saml

SAML Stuff for /api/security/v1/saml

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="Rf6dd186d758d8bba33ea4d110d8990b2958ce5a8" Version="2.0" IssueInstant="2019-10-14T22:02:47Z" Destination="{recipient}" InResponseTo="_f39ff7cc60b3fb475bc0d4d1c51e8369fe3b99c4">
   <saml:Issuer>https://app.onelogin.com/saml/metadata/13e12235-b801-4ff4-85c6-5cadc0ee3890</saml:Issuer>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
   <saml:Assertion xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Version="2.0" ID="pfxd6935572-7039-d89c-e643-c11bbd71491d" IssueInstant="2019-10-14T22:02:47Z">
      <saml:Issuer>https://app.onelogin.com/saml/metadata/13e12235-b801-4ff4-85c6-5cadc0ee3890</saml:Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
            <ds:Reference URI="#pfxd6935572-7039-d89c-e643-c11bbd71491d">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
               <ds:DigestValue>xxx</ds:DigestValue>
            </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue></ds:SignatureValue>
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>ccccc</ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </ds:Signature>
      <saml:Subject>
         <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">jakobant@gmail.com</saml:NameID>
         <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="2019-10-14T22:05:47Z" Recipient="{recipient}" InResponseTo="_f39ff7cc60b3fb475bc0d4d1c51e8369fe3b99c4" />
         </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotBefore="2019-10-14T21:59:47Z" NotOnOrAfter="2019-10-14T22:05:47Z">
         <saml:AudienceRestriction>
            <saml:Audience>{audience}</saml:Audience>
         </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="2019-10-14T22:02:46Z" SessionNotOnOrAfter="2019-10-15T22:02:47Z" SessionIndex="_47fbf670-d0fc-0137-c88e-31b1babba584">
         <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
         </saml:AuthnContext>
      </saml:AuthnStatement>
      <saml:AttributeStatement>
         <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">asdf</saml:AttributeValue>
         </saml:Attribute>
      </saml:AttributeStatement>
   </saml:Assertion>
</samlp:Response>

I'm sorry you're going to need to give more details in order for us to be able to help you.

• What environment are you running in? Your config has cloud-saml - are you running on the Elastic Cloud Elasticsearch Service?
• What do the elasticsearch logs say?

Please don't post unformatted code, logs, or configuration as it's very hard to read.

Instead, paste the text and format it with </> icon or pairs of triple backticks (```), and check the preview window to make sure it's properly formatted before posting it. This makes it more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.

You have configured elasticsearch to try an extract a NameId with persistent ("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" ) format from the Subject of the SAML Assertion in order to map it as the user's principal

attributes.principal: "nameid:persistent"

but your IDP is sending a NameId with transient format

<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">jakobant@gmail.com</saml:NameID>

Either configure your IDP to change the format of the NameId it sends, or change your configuration to

attributes.principal: "nameid"

Thank you for your reply.

I am rather new to SAML and there is a lot of material to read up on.

I will look into the IDP the Onelogin service has and see how I can change it.

Yes, I am running on the Elastic Cloud Elasticsearch service.
There are not much error, warn to gain from the logs.
Perhaps there is a way to enable more logging in the cloud services that I could access.

After various trial and error, I gave up on the Cloud... for a while.

Installed elasticsearch and kibana with docker-compose to get the debugging logs that I needed.
(in basic started from : http://codingfundas.com/setting-up-elasticsearch-6-8-with-kibana-and-x-pack-security-enabled/index.html with few tweeks)
Enable trial license... .i.e. https://www.elastic.co/guide/en/elasticsearch/reference/7.4/start-trial.html

docker-compose.yml

version: '3'
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.4.0
    environment:
      - discovery.type=single-node
      - logger.level=DEBUG
    ports:
      - 9200:9200
    volumes:
      - ./elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
      - ./docker-data-volumes/elasticsearch:/usr/share/elasticsearch/data

  kibana:
    depends_on:
      - elasticsearch
    image: docker.elastic.co/kibana/kibana:7.4.0
    ports:
      - 5601:5601
    volumes:
      - ./kibana.yml:/usr/share/kibana/config/kibana.yml

elasticsearch.yml

cluster.name: my-elasticsearch-cluster
network.host: 0.0.0.0
#xpack.security.enabled: true
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.type: PKCS12
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.type: PKCS12
xpack.security.authc.token.enabled: true
xpack.security.authc.realms:
  saml:
    saml1:
      order: 2
      idp.metadata.path: "https://app.onelogin.com/saml/metadata/xxxxx"
      idp.entity_id: "https://app.onelogin.com/saml/metadata/xxxxx"
      sp.entity_id:  "http://localhost:5601/"
      sp.acs: "http://localhost:5601/api/security/v1/saml"
      sp.logout: "http://localhost:5601/logout"
      attributes.principal: "nameid"
      attributes.groups: "memberOf"
      attributes.name: "name"

kibana.yml

server.name: kibana
server.host: "0"
elasticsearch.hosts: [ "http://elasticsearch:9200" ]
elasticsearch.username: kibana
elasticsearch.password: xxxxxxxxxxx

xpack.security.authc.providers: [saml, basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.authc.saml.realm: saml1

OneLogin setup:

Screenshot 2019-10-15 at 21.54.53.png1005×499 30.3 KB

Screenshot 2019-10-15 at 21.49.52.png708×1141 63.1 KB

The basic error that I was getting was because of the missing/lacking "Audience" and "Recipient" with the OneLogin configuration
The lack of debugging from the cloud is not good.

Implemented for the elastic.co Cloud Elasticsearch .....

End results for the cloud:

xpack:
  security:
    authc:
      realms:
        saml: 
          cloud-saml: 
            order: 2
            attributes.principal: "nameid"
            attributes.groups: "memberOf"
            attributes.name: "name"
            idp.metadata.path: "https://app.onelogin.com/saml/metadata/xxxxx"
            idp.entity_id: "https://app.onelogin.com/saml/metadata/xxxxx"
            sp.entity_id: "https://kibana....us-east-1.aws.found.io:9243/"
            sp.acs: "https://kibana.....us-east-1.aws.found.io:9243/api/security/v1/saml"
            sp.logout: "https://kibana....us-east-1.aws.found.io:9243/logout"

xpack.security.authc.providers: [saml, basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.authc.saml.realm: cloud-saml