Unable to set up SAML on elastic cloud 7.9 deployment

Deployment ID: 020c87b
v7.9.3

I keep running into the following error while trying to authenticate to Kibana on an Elastic Cloud deployment, using SAML (OneLogin).

Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML response pfx0e3d66c7-9838-3d32-cc90-3f9a4c795988 is for destination null but this realm uses https://e1074d7a2b5a463cb1ae0a2ff799cc3d.us-east-1.aws.found.io:9243/api/security/v1/saml])

OneLogin Setup:

    ACS URL - https://e1074d7a2b5a463cb1ae0a2ff799cc3d.us-east-1.aws.found.io:9243/api/security/v1/saml
    SAML nameID format - Persistent
    SAML issuer type - Specific
    SAML signature element - Response
    Issuer URL - https://app.onelogin.com/saml/metadata/7f1a1ba1-f3c8-4faa-86ee-1990b1e0beaf

Elasticsearch.yml user settings

xpack:
  security:
    authc:
      realms:
        saml:
          saml1:
            order: 2
            attributes.principal: "nameid:persistent"
            attributes.groups: "groups"
            idp.metadata.path: "https://app.onelogin.com/saml/metadata/7f1a1ba1-f3c8-4faa-86ee-1990b1e0beaf"
            idp.entity_id: "https://app.onelogin.com/saml/metadata/7f1a1ba1-f3c8-4faa-86ee-1990b1e0beaf"
            sp.entity_id: "https://e1074d7a2b5a463cb1ae0a2ff799cc3d.us-east-1.aws.found.io:9243"
            sp.acs: "https://e1074d7a2b5a463cb1ae0a2ff799cc3d.us-east-1.aws.found.io:9243/api/security/v1/saml"
            sp.logout: "https://e1074d7a2b5a463cb1ae0a2ff799cc3d.us-east-1.aws.found.io:9243/logout"

kibana.yml user settings

xpack.security.authc.providers:
  saml.saml1:
    order: 2
    realm: saml1
    description: "Log in with OneLogin"
  basic.basic1:
    order: 0

Every related doc/post I can find indicates that Kibana is not generating the correct ACS URL to match with what Elasticsearch is configured with. But in those cases, it seems the resolution has always been to confirm the ACS is exactly the same as configured on the IdP side and the Elasticsearch side. I have confirmed this multiple times but keep running into this error. Is there anything noticeable within the configs I pasted that might explain why I keep seeing this error?

I think your Identity Provider is misconfigured or its implementation has a bug. It looks like it adds a Destination element to the signed SAML Response with a value of null (as in the String "null").

The standard (sections 3.5.5.2 and 3.2.2) mentions that the Destination element is optional and should only be verified when the SAML Response is signed. Since your SAML Response is signed, and the Destination element has a value, we attempt to verify its value and fail to do so, as the expected value would be https://e1074d7a2b5a463cb1ae0a2ff799cc3d.us-east-1.aws.found.io:9243/api/security/v1/saml for your deployment.

I would look into your OneLogin configuration to see if you can add a value for Destination or if there is an option to not include it in the SAML Response at all. If none is available, I would suggest that you open a support ticket with them so that they can fix their configuration/implementation if need be. You can reference this post here in your ticket if need be.

A short-term workaround would be to configure OneLogin to sign the SAML Assertion instead of the SAML Response, but I would not suggest that as a permanent setup.
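The Destination rule described in the reply above can be checked on a captured SAML Response before anything reaches the realm. The following is an added example (not Elasticsearch's own validation code and not part of this thread): it parses a `samlp:Response`, treats the Response as signed only when a `ds:Signature` is a direct child of the Response element (an assertion-only signature, the workaround mentioned above, does not count), and then compares a present `Destination` attribute against the expected ACS URL. The sample responses and the `EXPECTED_ACS` value are constructed placeholders, and the signature check only looks for the element, it does not verify a cryptographic signature.

```python
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholder; in a real deployment this is the realm's sp.acs value.
EXPECTED_ACS = "https://deployment.example.invalid:9243/api/security/v1/saml"


def check_destination(response_xml: str, expected_acs: str) -> Tuple[bool, str]:
    """Apply the Destination rule as described in the reply: the attribute is
    optional, but when the Response itself is signed and the attribute is
    present, its value must equal the ACS URL the realm is configured with."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        return False, "document root is not a samlp:Response"

    # Only a Signature that is a direct child of the Response signs the Response;
    # a Signature nested inside saml:Assertion signs the Assertion instead.
    response_signed = root.find(f"{{{DS}}}Signature") is not None
    destination = root.get("Destination")

    if not response_signed:
        return True, "Response is not signed; Destination is not verified"
    if destination is None:
        return True, "signed Response carries no Destination; nothing to verify"
    if destination != expected_acs:
        return False, f"Destination {destination!r} does not match ACS {expected_acs!r}"
    return True, "Destination matches the configured ACS"


def make_response(destination: Optional[str], sign_response: bool = True,
                  sign_assertion: bool = False) -> str:
    """Build a minimal constructed SAML Response for demonstration purposes.
    The Signature elements are structural stand-ins, not real XML signatures."""
    dest_attr = f' Destination="{destination}"' if destination is not None else ""
    fake_sig = (f'<ds:Signature xmlns:ds="{DS}">'
                f'<ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>')
    response_sig = fake_sig if sign_response else ""
    assertion_sig = fake_sig if sign_assertion else ""
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" '
        f'Version="2.0" IssueInstant="2020-11-01T00:00:00Z"{dest_attr}>'
        f'<saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>'
        f'{response_sig}'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-11-01T00:00:00Z">'
        f'<saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>'
        f'{assertion_sig}'
        f'<saml:Subject><saml:NameID>user@example.invalid</saml:NameID></saml:Subject>'
        f'</saml:Assertion>'
        f'</samlp:Response>'
    )


def demo() -> dict:
    """Run the four cases discussed in the thread and return the verdicts."""
    cases = {
        # The failure in the question: signed Response, Destination is the string "null".
        "signed_null_destination": make_response("null"),
        # What the IdP should send once it is configured correctly.
        "signed_matching_destination": make_response(EXPECTED_ACS),
        # Destination omitted entirely; optional, so nothing to verify.
        "signed_no_destination": make_response(None),
        # The workaround: only the Assertion is signed, so Destination is not verified.
        "assertion_signed_only": make_response("null", sign_response=False, sign_assertion=True),
    }
    return {name: check_destination(xml, EXPECTED_ACS) for name, xml in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:30} {'accept' if ok else 'reject':7} {reason}")
```

Running the block prints one verdict per case; only the "null" Destination on a signed Response is rejected, which is the error shown in the question. The same function can be pointed at a Response captured from a browser's SAML tracer to confirm, without touching the realm settings, whether the IdP is emitting a Destination that matches `sp.acs`.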

@ikakavas - Thanks a lot. Following your advice to focus on the IdP side, I was able to find what exactly was wrong. It turns out OneLogin config for this was missing the Recipient field which seems to translate to the Destination element as it started working once I added this field.

Cheers.

1 Like