Deployment ID: 020c87b
v7.9.3
I keep running into the following error while trying to authenticate to Kibana on an Elastic Cloud deployment, using SAML (OneLogin).
Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML response pfx0e3d66c7-9838-3d32-cc90-3f9a4c795988 is for destination null but this realm uses https://e1074d7a2b5a463cb1ae0a2ff799cc3d.us-east-1.aws.found.io:9243/api/security/v1/saml])
OneLogin Setup:
ACS URL - https://e1074d7a2b5a463cb1ae0a2ff799cc3d.us-east-1.aws.found.io:9243/api/security/v1/saml
SAML nameID format - Persistent
SAML issuer type - Specific
SAML signature element - Response
Issuer URL - https://app.onelogin.com/saml/metadata/7f1a1ba1-f3c8-4faa-86ee-1990b1e0beaf
Elasticsearch.yml user settings
xpack:
  security:
    authc:
      realms:
        saml:
          saml1:
            order: 2
            attributes.principal: "nameid:persistent"
            attributes.groups: "groups"
            idp.metadata.path: "https://app.onelogin.com/saml/metadata/7f1a1ba1-f3c8-4faa-86ee-1990b1e0beaf"
            idp.entity_id: "https://app.onelogin.com/saml/metadata/7f1a1ba1-f3c8-4faa-86ee-1990b1e0beaf"
            sp.entity_id: "https://e1074d7a2b5a463cb1ae0a2ff799cc3d.us-east-1.aws.found.io:9243"
            sp.acs: "https://e1074d7a2b5a463cb1ae0a2ff799cc3d.us-east-1.aws.found.io:9243/api/security/v1/saml"
            sp.logout: "https://e1074d7a2b5a463cb1ae0a2ff799cc3d.us-east-1.aws.found.io:9243/logout"
kibana.yml user settings
xpack.security.authc.providers:
  saml.saml1:
    order: 2
    realm: saml1
    description: "Log in with OneLogin"
  basic.basic1:
    order: 0
Every related doc/post I can find indicates that Kibana is not generating the correct ACS URL to match what Elasticsearch is configured with. But in those cases, it seems the resolution has always been to confirm the ACS is exactly the same as configured on the IdP side and the Elasticsearch side. I have confirmed this multiple times but keep running into this error. Is there anything noticeable within the configs I pasted that might explain why I keep seeing this error?
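One way to reproduce the realm's Destination check offline against a captured SAML response, as an added example that is not part of the original post or of Elasticsearch's own code: it assumes the sp.acs URL from the settings above and uses two constructed sample responses, one without a Destination attribute (the shape the error message describes) and one with it set correctly.

```python
import xml.etree.ElementTree as ET
from typing import Tuple
from urllib.parse import urlsplit

SAML_P = "urn:oasis:names:tc:SAML:2.0:protocol"

# ACS URL exactly as configured in the realm's sp.acs (taken from the post above).
CONFIGURED_ACS = ("https://e1074d7a2b5a463cb1ae0a2ff799cc3d.us-east-1.aws.found.io:9243"
                  "/api/security/v1/saml")


def mismatch_hint(got: str, want: str) -> str:
    """Name the first URL component that differs, to speed up comparing the
    IdP's ACS entry with sp.acs (the realm requires an exact string match)."""
    g, w = urlsplit(got), urlsplit(want)
    for field in ("scheme", "hostname", "port", "path"):
        if getattr(g, field) != getattr(w, field):
            return f"{field} differs: {getattr(g, field)!r} vs {getattr(w, field)!r}"
    return "URLs differ only in query, fragment or letter case"


def check_destination(response_xml: str, expected_acs: str) -> Tuple[bool, str]:
    """Return (accepted, reason). A samlp:Response whose Destination is absent
    or differs from the configured ACS must be rejected; this is the check
    behind the 'is for destination null' error quoted in the post."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAML_P}}}Response":
        return False, f"root element {root.tag} is not samlp:Response"
    rid = root.get("ID", "<no ID>")
    destination = root.get("Destination")
    if destination is None:
        return False, f"response {rid} is for destination null but this realm uses {expected_acs}"
    if destination != expected_acs:
        return False, (f"response {rid} is for destination {destination} but this realm uses "
                       f"{expected_acs} ({mismatch_hint(destination, expected_acs)})")
    return True, "Destination matches configured ACS"


# Constructed samples (no Assertion body; only the Response envelope matters here).
# First: the failing shape, with no Destination attribute at all.
RESPONSE_NO_DESTINATION = (f'<samlp:Response xmlns:samlp="{SAML_P}" ID="pfx-constructed-1" '
                           'Version="2.0" IssueInstant="2020-10-01T00:00:00Z"/>')
# Second: the same envelope with Destination set to the configured ACS.
RESPONSE_WITH_DESTINATION = (f'<samlp:Response xmlns:samlp="{SAML_P}" ID="pfx-constructed-2" '
                             'Version="2.0" IssueInstant="2020-10-01T00:00:00Z" '
                             f'Destination="{CONFIGURED_ACS}"/>')

if __name__ == "__main__":
    for name, xml in (("no Destination", RESPONSE_NO_DESTINATION),
                      ("with Destination", RESPONSE_WITH_DESTINATION)):
        accepted, reason = check_destination(xml, CONFIGURED_ACS)
        print(f"{name}: {'ACCEPT' if accepted else 'REJECT'} - {reason}")
```

Paste the base64-decoded SAMLResponse from the browser's POST to /api/security/v1/saml in place of the constructed samples to see which of the two rejection reasons applies to a real login attempt.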