SSO\SAML auth failure

Good afternoon,
I am working on enabling SSO within my test environment and I was able to get everything registered and created on my end. (sp_metadata file and yml file update) Once I made the update on the ES yml and Kibana yml file on my end, Kibana goes on a service loop every 5 seconds and throws these errors out. Once I comment out the xpack settings in kibana yml, it goes back to basic authentication and I am able to login successfully. Can someone please explain to me what this error means?

My yml files are below. I have masked the server name for security reasons.

Kibana yml xpack settings

#xpack.security.authProviders: [saml, basic]
#xpack.security: enabled

ES yml xpack settings

xpack.security.enabled: true
xpack.security.authc.token.enabled: true
xpack.security.authc.realms:
  native.realm1:
    order: 0

xpack.security.authc.realms.saml.saml1:
  order: 1
  idp.metadata.path: /etc/elasticsearch/config/saml/idp-metadata.xml
  idp.entity_id: "https://server.sso.com/auth/sps/samlidp2/saml20"
  sp.entity_id:  "https://server.com:5601/app/kibana"
  sp.acs: "https://server.com:5601/api/security/v1/saml"
  sp.logout: "https://server.com:5601/logout"
  attributes.principal: "emailaddress"

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/config/certs/elastic-certificates.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/config/certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: /etc/elasticsearch/config/certs/elastic-certificates.p12

{"type":"log","@timestamp":"2019-06-09T19:06:07Z","tags":["fatal","root"],"pid":49792,"message":"{ ValidationError: child \"xpack\" fails because [child \"security\" fails because [\"security\" must be an object]]\n    at Object.exports.process (/usr/share/kibana/node_modules/joi/lib/errors.js:196:19)\n    at internals.Object._validateWithOptions (/usr/share/kibana/node_modules/joi/lib/types/any/index.js:675:31)\n    at module.exports.internals.Any.root.validate (/usr/share/kibana/node_modules/joi/lib/index.js:146:23)\n    at Config._commit (/usr/share/kibana/src/legacy/server/config/config.js:139:35)\n    at Config.set (/usr/share/kibana/src/legacy/server/config/config.js:108:10)\n    at Config.extendSchema (/usr/share/kibana/src/legacy/server/config/config.js:81:10)\n    at extendConfigService (/usr/share/kibana/src/legacy/plugin_discovery/plugin_config/extend_config_service.js:45:10) name: 'ValidationError' }"}
{"type":"log","@timestamp":"2019-06-09T19:06:14Z","tags":["plugin","warning"],"pid":49812,"path":"/usr/share/kibana/src/legacy/core_plugins/ems_util","message":"Skipping non-plugin directory at /usr/share/kibana/src/legacy/core_plugins/ems_util"}
{"type":"log","@timestamp":"2019-06-09T19:06:15Z","tags":["fatal","root"],"pid":49812,"message":"{ ValidationError: child \"xpack\" fails because [child \"security\" fails because [\"security\" must be an object]]\n    at Object.exports.process (/usr/share/kibana/node_modules/joi/lib/errors.js:196:19)\n    at internals.Object._validateWithOptions (/usr/share/kibana/node_modules/joi/lib/types/any/index.js:675:31)\n    at module.exports.internals.Any.root.validate (/usr/share/kibana/node_modules/joi/lib/index.js:146:23)\n    at Config._commit (/usr/share/kibana/src/legacy/server/config/config.js:139:35)\n    at Config.set (/usr/share/kibana/src/legacy/server/config/config.js:108:10)\n    at Config.extendSchema (/usr/share/kibana/src/legacy/server/config/config.js:81:10)\n    at extendConfigService (/usr/share/kibana/src/legacy/plugin_discovery/plugin_config/extend_config_service.js:45:10) name: 'ValidationError' }"}

Which subscription level are you using? From the subscriptions page I linked to it seems SSO requires a commercial platinum (or trial) license.

Your Kibana settings are wrong,

xpack.security: enabled

should instead be

xpack.security.enabled: true

Also lose the # in front of the two lines in the Kibana settings, as this denotes a comment in YAML.

Thanks @ikakavas. I had originally commented the two out so I could get Kibana into a working state and forgot to uncomment them when applying the settings here. I made the changes and restarted the service, and Kibana is still unreachable, with a new error. (One side note: this is a 3-node cluster, but the SAML settings were only applied to the same ES host that Kibana resides on. That isn't, or shouldn't be, the cause of the issue, should it?)

This is running ES 7.1 and Kibana 7.1

Here is the new error:

{"type":"log","@timestamp":"2019-06-10T10:44:44Z","tags":["info","authentication"],"pid":9262,"message":"Authentication attempt failed: [security_exception] Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://server.com:5601/api/security/v1/saml}]"}
{"type":"error","@timestamp":"2019-06-10T10:44:44Z","tags":[],"pid":9262,"level":"error","error":{"message":"[security_exception] Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://server.com:5601/api/security/v1/saml}]","name":"Error","stack":"[security_exception] Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://server.com:5601/api/security/v1/saml}] :: {\"path\":\"/_security/saml/prepare\",\"query\":{},\"body\":\"{\\\"acs\\\":\\\"https://server.com:5601/api/security/v1/saml\\\"}\",\"statusCode\":500,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://server.com:5601/api/security/v1/saml}]\\\"}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://server.com:5601/api/security/v1/saml}]\\\"},\\\"status\\\":500}\"}\n    at respond (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:308:15)\n    at checkRespForFailure (/usr/share/kibana/node_modules/elasticsearch/src/lib/transport.js:267:7)\n    at HttpConnector.<anonymous> (/usr/share/kibana/node_modules/elasticsearch/src/lib/connectors/http.js:166:7)\n    at IncomingMessage.wrapper (/usr/share/kibana/node_modules/elasticsearch/node_modules/lodash/lodash.js:4935:19)\n    at IncomingMessage.emit (events.js:194:15)\n    at endReadableNT (_stream_readable.js:1103:12)\n    at process._tickCallback (internal/process/next_tick.js:63:19)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":null,"query":{},"pathname":"/favicon.ico","path":"/favicon.ico","href":"/favicon.ico"},"message":"[security_exception] Cannot find any matching realm for [SamlPrepareAuthenticationRequest{realmName=null, assertionConsumerServiceURL=https://server.com:5601/api/security/v1/saml}]"}

Please see number 1 in our troubleshooting docs.

If Kibana only talks to that ES node, then you don't need to configure the rest of the nodes for SAML.
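The two failures in this thread are both configuration-shape problems: `xpack.security: enabled` makes `xpack.security` a string where Kibana's schema expects an object (the `"security" must be an object` error), and `Cannot find any matching realm` is Elasticsearch failing to find a SAML realm whose `sp.acs` equals the ACS URL Kibana sends to `/_security/saml/prepare`. The following checker is an added example, not code from the thread, from Elastic or from the troubleshooting docs linked above. It takes the two files as nested dicts (what a YAML loader would return), flattens them the way Elasticsearch treats dotted and nested keys as the same setting, and reports both problems; the host names, paths and the Kibana public base URL are constructed placeholders taken from the masked values in the thread.

```python
"""Sanity checks for a Kibana + Elasticsearch SAML realm setup (added example)."""

KIBANA_ACS_PATH = "/api/security/v1/saml"   # ACS path Kibana 7.x uses (seen in the thread's log)


def flatten(settings, prefix=""):
    """Flatten nested dicts into dotted keys, so `a: {b: 1}` and `a.b: 1`
    both become {"a.b": 1}, matching how Elasticsearch merges its settings."""
    out = {}
    for key, value in settings.items():
        full = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, full))
        else:
            out[full] = value
    return out


def check_kibana(kibana):
    """Return a list of problems with Kibana's xpack.security settings."""
    flat = flatten(kibana)
    problems = []
    if "xpack.security" in flat:
        # A scalar sits where the schema wants an object: this is exactly the
        # `xpack.security: enabled` mistake behind the ValidationError above.
        problems.append(
            f'"security" must be an object, got {flat["xpack.security"]!r}; '
            "write xpack.security.enabled: true instead"
        )
        return problems
    if flat.get("xpack.security.enabled") is not True:
        problems.append("xpack.security.enabled must be the boolean true "
                        "(a missing key usually means the line is still commented out)")
    providers = flat.get("xpack.security.authProviders")
    if not providers or "saml" not in providers:
        problems.append("saml is not listed in xpack.security.authProviders")
    return problems


def saml_realms(es):
    """Return {realm_name: {setting: value}} for every SAML realm in an
    Elasticsearch config, accepting both nested and dotted spellings."""
    prefix = "xpack.security.authc.realms.saml."
    realms = {}
    for key, value in flatten(es).items():
        if key.startswith(prefix):
            name, _, setting = key[len(prefix):].partition(".")
            realms.setdefault(name, {})[setting] = value
    return realms


def kibana_acs_url(public_base_url):
    """ACS URL Kibana sends in its prepare request, given its public base URL
    (assumed to be known; the thread's masked value is https://server.com:5601)."""
    return public_base_url.rstrip("/") + KIBANA_ACS_PATH


def matching_realm(es, acs_url):
    """Name of the SAML realm whose sp.acs equals Kibana's ACS URL, or None,
    which is the condition behind 'Cannot find any matching realm'."""
    for name, settings in saml_realms(es).items():
        if settings.get("sp.acs") == acs_url:
            return name
    return None


# Constructed inputs mirroring the thread's files (server names are placeholders).
BROKEN_KIBANA = {"xpack": {"security": "enabled"}}
FIXED_KIBANA = {"xpack": {"security": {"enabled": True,
                                       "authProviders": ["saml", "basic"]}}}
ES_CONFIG = {
    "xpack.security.enabled": True,
    "xpack.security.authc.token.enabled": True,
    "xpack.security.authc.realms": {"native.realm1": {"order": 0}},
    "xpack.security.authc.realms.saml.saml1": {
        "order": 1,
        "idp.entity_id": "https://server.sso.com/auth/sps/samlidp2/saml20",
        "sp.entity_id": "https://server.com:5601/app/kibana",
        "sp.acs": "https://server.com:5601/api/security/v1/saml",
        "sp.logout": "https://server.com:5601/logout",
        "attributes.principal": "emailaddress",
    },
}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_KIBANA), ("fixed", FIXED_KIBANA)):
        print(label, "kibana.yml:", check_kibana(cfg) or "ok")
    acs = kibana_acs_url("https://server.com:5601")
    print("realm for", acs, "->", matching_realm(ES_CONFIG, acs))
    print("realm for a mismatched host ->",
          matching_realm(ES_CONFIG, kibana_acs_url("https://other.example:5601")))
```

Run the ACS check against the Elasticsearch node Kibana actually connects to: as noted above, only that node needs the realm, but a mismatch between that node's `sp.acs` and Kibana's public URL (scheme, host or port) produces the same `Cannot find any matching realm` error as a missing realm.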

We are now all good! I went back and was able to get this resolved by confirming that the xpack setting I had in Kibana was indeed incorrect, as pointed out by @ikakavas. Thanks again for helping out with this and providing the troubleshooting documentation.
