Unable to login to kibana . getting {"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user Error


(Udaya Ganga Santosh Kumar Palivela) #1

please follow the below link for detailed explanation


Kibana SOS configuration with OKTA

Not able to login to the kibana through SOS .Getting the following error when trying to login to kibana

{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0=&quot;Bearer realm=\&quot;security\&quot;&quot; & 1=&quot;Basic realm=\&quot;security\&quot; charset=\&quot;UTF-8\&quot;&quot; } } }

We created the users in kibana and okta with the same names and provided super user privileges .

In the Okta groups are created with name elasticadmin , same user is assigned to group .The user and groups are also assigned application

Created Deployment in elastic cloud and applied the configurations as follows.

We followed the steps from the below url and followed it in the same order








type: saml

order: 2

attributes.principal: "nameid:persistent"

attributes.groups: "groups"

idp.metadata.path: "https://dev-782126.oktapreview.com/app/exkhqawlen68fzSuB0h7/sso/saml/metadata"

idp.entity_id: "http://www.okta.com/exkhqawlen68fzSuB0h7"

sp.entity_id: "https://6213c4f5xxx.us-east-1.aws.found.io:9243/"

sp.acs: "https://6213c4fxxx.us-east-1.aws.found.io:9243/api/security/v1/saml"

sp.logout: "https://6213c4f57f8a4f7aa9f375d5e49dff30.us-east-1.aws.found.io:9243/logout"

We map an elasticadmin group to the superuser role as follows from API Console

"enabled": true,
"roles": [ "superuser" ],
"rules": {
"field": { "groups": "elasticadmin" }
"metadata": { "version": 1 }


xpack.security.authProviders: [saml]

server.xsrf.whitelist: [/api/security/v1/saml]


protocol: https

hostname: 6213c4f57f8xxxxx.us-east-1.aws.found.io

port: 9243

We are using OKTA as IDP and its configurations is as follows

We found no errors in the Okta Log and it seems everything is fine there .

Please let me know what might be the cause and suggest us the solutions .

If there any other configurations are required or anything wrong in my configuration please let us know so that we will change accordingly and test it

(Ioannis Kakavas) #2

Hi there,

Please don't post unformatted code as it's very hard to read.

Instead paste the text and format it with </> icon, and check the preview
window to make sure it's properly formatted before posting it. This makes it
more likely that your question will receive a useful answer.

Also please add all related information in your post here, people don't usually feel very positive to click links to external URLs/Documents.

It would be great if you could update your post to solve this.

(Ioannis Kakavas) #3

This is the error you are getting. In case 3 from our troubleshooting guide, we explain what the cause of this might be. You need to look at your Elasticsearch logs, an error message will be printed there that is relevant to what went wrong.

From a quick look at your config it looks like that this is a configuration error with regards to the SAML Service Provider Entity ID. Your elasticsearch.yml has

sp.entity_id: "https://6213cxxx.us-east-1.aws.found.io:9243/"

while your Okta configuration has


set as the Audience URI (SP Entity ID), judging from the SAML Response. Mind the trailing / .
You can remove the / from your elasticsearch.yml or add it in your OKTA config, it doesn't really matter. The Entity ID is just a string ( Using a URL for it is a good convention ) and it is matched as a string, not as a canonicalized URL.

(Udaya Ganga Santosh Kumar Palivela) #4

After making the suggested changes i am getting the following error .

{"message":"action [indices:data/read/search] is unauthorized for user [pudaysantosh@magazinemanager.com]: [security_exception] action [indices:data/read/search] is unauthorized for user [pudaysantosh@magazinemanager.com]","statusCode":403,"error":"Forbidden"}

Elastic search Cloud Id:

kibana search Cloud Id:

my configuration are as follows
-------------- elasticsearch.yml-----------------

              type: saml
              order: 2
              attributes.principal:        "email" 
              attributes.groups:           "Role" 
              idp.metadata.path:           "https://dev-782126.oktapreview.com/app/exkhqawlen68fzSuB0h7/sso/saml/metadata" 
              idp.entity_id:               "http://www.okta.com/exkhqawlen68fzSuB0h7" 
              sp.entity_id:                "https://6213c4xxx.us-east-1.aws.found.io:9243/" 
              sp.acs:                      "https://6213c4xxxx.us-east-1.aws.found.io:9243/api/security/v1/saml"
              sp.logout:                   "https://6213c4fxxxx.us-east-1.aws.found.io:9243/logout"

-------------- kibana.yml-----------------
xpack.security.authProviders: [saml]
server.xsrf.whitelist: [/api/security/v1/saml]
protocol: https
hostname: 6213c4fxxxx.us-east-1.aws.found.io
port: 9243 .

please let me know the cause ?

(Ioannis Kakavas) #5


Please make an effort to remove possibly sensitive information from your configuration and don't post any unnecessary details in a public forum.

Your error message indicates that the user that you logged in with doesn't have the necessary permissions. This means that

  • Either your role mapping is wrong / doesn't apply to that user
  • Or the role that gets assigned to that user via the role mapping doesn't grant them the necessary privileges.
  1. Please share with us the role mappings you have created. Do that by querying Elasticsearch, i.e.

    GET /_xpack/security/role_mapping/<nameofthemappinghere>

    and not by copying the examples from the documentation.

  2. If you have created custom roles that you assign to users via the aforementioned role mappings, also share the role definitionss

  3. Share with us the response from the _authenticate API by executing

    GET _xpack/security/_authenticate

    after you log in with SAML.

(system) closed #6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.