Unable to enable saml for cloud deployment with Azure

Hello There,

I am trying to enable SAML for a cloud deployment running version 8.3.2 by following the docs below.

As a first step I am trying to add the configuration below to the elasticsearch.yml file.

xpack.security.authc.realms.saml.saml1:
  order: 2
  idp.metadata.path: "https://login.microsoftonline.com/****************/federationmetadata/2007-06/federationmetadata.xml?appid=********1"
  idp.entity_id: "http://stfs.bosch.com/adfs/services/trust"
  sp.entity_id:  "https://name.kb.westeurope.azure.elastic-cloud.com:**"
  sp.acs: "https://name.kb.westeurope.azure.elastic-cloud.com:**/api/security/saml/callback"
  sp.logout: "https://name.kb.westeurope.azure.elastic-cloud.com:**/logout"
  attributes.principal: "urn:oid:0.9.2342.19200300.100.1.1"
  attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1."

Since the above one didn't work, I tried the one below (more or less the same):

xpack.security.authc.realms.saml.kibana-realm:
  order: 2
  attributes.principal: nameid
  attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
  idp.metadata.path: "https://login.microsoftonline.com/*******/federationmetadata/2007-06/federationmetadata.xml?appid=*****51"
  idp.entity_id: "http://stfs.bosch.com/adfs/services/trust"
  sp.entity_id: "https://name.kb.westeurope.azure.elastic-cloud.com:**"
  sp.acs: "https://name.kb.westeurope.azure.elastic-cloud.com:**/api/security/saml/callback"
  sp.logout: "https://name.kb.westeurope.azure.elastic-cloud.com:**/logout"

However, the deployment does not accept the above configuration, and after the cluster restart I could not see the above settings in the deployment.

Any inputs on this topic from anyone? Why does the deployment not accept the configuration?

However, the deployment does not accept the above configuration, and after the cluster restart I could not see the above settings in the deployment.

You have to be more specific about what error you are having. What do you mean by "deployment does not accept the above configuration"? Some configuration errors will cause the node to fail to start. Is that what you are experiencing? Also, what does "I could not see the above settings in the deployment" mean? How did you check that? Did you encounter any error? If so, what are the exact error messages (both from the response and the server logs)?

Hello Yang,

I don't see any error for this. After saving the setting, the cluster became unhealthy, stating that the last configuration could not be applied.

There was a problem applying this configuration change

Please try again and if the problem persists contact Support.

Plan change failed: Some instances were not running

After this error, when I check the elasticsearch.yml file, I cannot find the settings which I had added.

Since it is on Elastic Cloud, we are not able to see inside the node to find out what went wrong. And I am wondering whether the settings are correct.

Since you are on Elastic Cloud, I encourage you use your support contract and raise it to the support team (as suggested in the error message). The support team has experts and dedicated toolings that can make troubleshooting much easier than on the forum. Thanks!

I think we have figured out how to resolve this issue.

The problem is that, unlike in the enterprise setup, the attribute setting

attributes.principal: nameid

is not accepted. Hence we needed to change it to

attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

After that, the settings were accepted and SAML was enabled.
