SESSION_EXPIRED while login kibana

I faced an issue, when i login the kibana ,after i login , the browser will go to

Environment of my ELK
two nodes for kibana, there is a loud balance those two kibabas, and SAML in enable in this environment.

when i remove one kibana, so the environment only have one kibana, i can login successfully.

here is the configuration in kibana
server.port: 5601 ""
protocol: https
port: 443
elasticsearch.url: "https://10.8.160.XXX:9200"
elasticsearch.url: "https://10.8.160.XXX:9200"
elasticsearch.url: "https://10.8.160.XXX:9200"
elasticsearch.url: "https://10.8.160.XXX:9200"
elasticsearch.url: "https://10.8.160.XXX:9200"
elasticsearch.url: "https://10.8.160.XXX:9200"
elasticsearch.url: "https://10.8.160.XXX:9200"
elasticsearch.url: "https://10.8.160.XXX:9200"
kibana.index: ".kibana"
kibana.defaultAppId: "home"
elasticsearch.username: "elastic"
elasticsearch.password: "XXXXXXX"
logging.dest: /var/log/kibana/kibana.log
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/kibana-2/kibana.crt
server.ssl.key: /etc/kibana/kibana-2/kibana.key
elasticsearch.ssl.verificationMode: none
#xpack.license.self_generated.type: trial [saml]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.monitoring.elasticsearch.requestHeadersWhitelist: [ es-security-runas-user, authorization ]

the two nodes' configuration are the same.
the version of kibana and elastic is version 6.3.1

As I've also mentioned in other topics you've opened:

Please take the time to do this, it makes your post so much easier to consume and that means you have better chances of getting a response.

This is unrelated to your issue, but you only need one
elasticsearch.url: "https://10.8.160.XXX:9200"
in your configuration.

In order to make sure that SAML Authentication succeeds when using a load balancer in front of Kibana, you need to ensure that:

  • Your X Kibana instances need to use the same This is unrelated to SAML and would be required even if you used basic authentication for Kibana. It is required so that all Kibana instances can verify the authentication cookie that one of them generates after successful authentication, in case the user gets to a different Kibana instance (due to LB configuration) while they have an active session.

  • You need to setup your LB with a certain session affinity. The details of how to do that are specific to you LB, but you need to configure it in such a way so that both the

    • The original request to Kibana ( Step 1 in the diagram available here )
    • The final request to Kibana with the SAML Response (Step 6 in the diagram above)
      reach the same Kibana instance.

    The reason for that is that Kibana generates and stores the SAML Authentication RequestID in step 1 and it also passes it to Elasticsearch for verification in step 6. So if the request to step 6, reaches another Kibana instance, it would have no way to inform Elasticseach what the valid RequestID is and the authentication will fail.
    The required duration for the session affinity depends on network latency and the user themselves ( how quickly they fill in the authentication form in the SAML Identity Provider, whether they are already logged in there or not, etc.) but I would start with a few minutes at least and work my way from there.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.