Unable to use Basic Auth as backup to SAML

TL;DR

Unable to use basic authentication as backup method with SAML configured.

The Full Story

I am configuring our ELK installation to use SAML authentication via ADFS, with basic authentication enabled as a "break-glass-in-case-of-emergency" authentication method. My first pass at enabling SAML didn't work as expected. This is no big deal, it's just a matter of working with our SAML guy to tweak it.

However, when I attempted to log in using the secondary basic authentication method, I was redirected to SAML authentication and received a 401 error.

The URL I attempted to use for basic authentication was https://kibana.example.com/login, as per the ES documentation (yes, I'm listening on port 443, behind a reverse proxy). I'm being redirected to the SAML authentication URL and am receiving the following error:

{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

When I use basic authentication with a curl request, I retrieve data as expected. I'm sure I'm missing something basic, just not certain where or what.

Configuration files

The xpack.security portion of my config files is below.

elasticsearch.yml

xpack:
  # Configure XPack security
  security:
    enabled: true

    # Configure HTTP-layer security
    http:
      ssl:
        enabled: true
        certificate: certs/cert.pem
        certificate_authorities:
          - certs/ca_root.pem
          - certs/ca_int.pem
        key: certs/key.pem
        verification_mode: certificate

    # Configure transport-layer security
    transport:
      ssl:
        enabled: true
        certificate: certs/cert.pem
        certificate_authorities:
          - certs/ca_root.pem
          - certs/ca_int.pem
        key: certs/key.pem
        verification_mode: certificate

    # Configure authentication
    authc:
      token:
        enabled: true

      realms:
        saml:
          adfs:
            order: 1
            enabled: true
            idp:
              entity_id: "http://adfs.example.com/adfs/services/trust"
              metadata:
                path: "https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml"
            sp:
              entity_id: "https://kibana.example.com"
              acs: "https://kibana.example.com/kibana/api/v1/saml"
              logout: "https://kibana.example.com/logout"
            attributes:
              principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
              groups: "http://schemas.xmlsoap.org/claims/Group"
            nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        
        # Native authentication.
        native:
          local:
            order: 0
            enabled: true
            authentication:
              enabled: true

kibana.yml

# Xpack configuration.
xpack:
  # Configure xpack security.
  security:
    enabled: true
  
    # Configure security.
    authc:
      providers:
        - saml
        - basic
      saml:
        realm: adfs

Hi there,

You are hitting https://github.com/elastic/kibana/issues/25257. While we are working on this, please see the proposed workarounds described in that issue.

Thanks. I managed to miss that ticket when I was researching this issue.

