TL;DR
Unable to use basic authentication as backup method with SAML configured.
The Full Story
I am configuring our ELK installation to use SAML authentication via ADFS, with basic authentication enabled as a "break-glass-in-case-of-emergency" authentication method. My first pass at enabling SAML didn't work as expected. This is no big deal; it's just a matter of working with our SAML guy to tweak it.
However, when I attempted to log in using the secondary basic authentication method, I was redirected to SAML authentication and received a 401 error.
The URL I attempted to use for basic authentication was https://kibana.example.com/login, as per the ES documentation (yes, I'm listening on port 443, behind a reverse proxy). I'm being redirected to the SAML authentication URL and am receiving the following error:

```json
{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}
```
When I use basic authentication with a curl request, I retrieve data as expected. I'm sure I'm missing something basic, just not certain where or what.
Configuration files
The `xpack.security` portion of my config files is below.
elasticsearch.yml

```yaml
xpack:
  # Configure XPack security
  security:
    enabled: true
    # Configure HTTP-layer security
    http:
      ssl:
        enabled: true
        certificate: certs/cert.pem
        certificate_authorities:
          - certs/ca_root.pem
          - certs/ca_int.pem
        key: certs/key.pem
        verification_mode: certificate
    # Configure transport-layer security
    transport:
      ssl:
        enabled: true
        certificate: certs/cert.pem
        certificate_authorities:
          - certs/ca_root.pem
          - certs/ca_int.pem
        key: certs/key.pem
        verification_mode: certificate
    # Configure authentication
    authc:
      token:
        enabled: true
      realms:
        saml:
          adfs:
            order: 1
            enabled: true
            idp:
              entity_id: "http://adfs.example.com/adfs/services/trust"
              metadata:
                path: "https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml"
            sp:
              entity_id: "https://kibana.example.com"
              acs: "https://kibana.example.com/kibana/api/v1/saml"
              logout: "https://kibana.example.com/logout"
            attributes:
              principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
              groups: "http://schemas.xmlsoap.org/claims/Group"
            nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
        # Native authentication.
        native:
          local:
            order: 0
            enabled: true
            authentication:
              enabled: true
```
kibana.yml

```yaml
# Xpack configuration.
xpack:
  # Configure xpack security.
  security:
    enabled: true
    # Configure security.
    authc:
      providers:
        - saml
        - basic
      saml:
        realm: adfs
```
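As an added example (not part of the original post and not an Elastic tool), here is a small consistency check that a defender can run over the two `authc` sections above before restarting anything. The configs are embedded as nested dicts constructed from the settings shown in the post; the rules it applies are assumptions about what a sane Kibana + Elasticsearch pairing looks like: every Kibana provider needs a matching Elasticsearch realm that is enabled and allowed to authenticate, enabled realm orders must be unique, and the SAML SP's `acs` and `logout` URLs should sit under the same Kibana base path. The last rule is the one that fires on the configuration in the post, since `acs` is under `/kibana/` while `logout` is at the root.

```python
"""Added example: a consistency lint for Kibana/Elasticsearch auth settings.
The rule set and function names are assumptions, not an Elastic API."""
from urllib.parse import urlsplit

# Constructed from the post: xpack.security.authc portion of elasticsearch.yml.
ES_AUTHC = {
    "token": {"enabled": True},
    "realms": {
        "saml": {
            "adfs": {
                "order": 1,
                "enabled": True,
                "idp": {
                    "entity_id": "http://adfs.example.com/adfs/services/trust",
                    "metadata": {"path": "https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml"},
                },
                "sp": {
                    "entity_id": "https://kibana.example.com",
                    "acs": "https://kibana.example.com/kibana/api/v1/saml",
                    "logout": "https://kibana.example.com/logout",
                },
                "attributes": {
                    "principal": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
                    "groups": "http://schemas.xmlsoap.org/claims/Group",
                },
                "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
            }
        },
        "native": {"local": {"order": 0, "enabled": True, "authentication": {"enabled": True}}},
    },
}

# Constructed from the post: xpack.security.authc portion of kibana.yml.
KIBANA_AUTHC = {"providers": ["saml", "basic"], "saml": {"realm": "adfs"}}


def enabled_realms(es_authc, realm_type):
    """Names of realms of realm_type that are enabled and allowed to authenticate."""
    names = []
    for name, cfg in es_authc.get("realms", {}).get(realm_type, {}).items():
        if cfg.get("enabled", True) and cfg.get("authentication", {}).get("enabled", True):
            names.append(name)
    return names


def lint_auth_config(es_authc, kibana_authc):
    """Return a list of human-readable findings; an empty list means no issue found."""
    findings = []
    providers = kibana_authc.get("providers", [])

    # Rule 1: the Kibana saml provider must point at an enabled ES saml realm.
    if "saml" in providers:
        realm = kibana_authc.get("saml", {}).get("realm")
        if realm not in enabled_realms(es_authc, "saml"):
            findings.append(f"kibana saml provider references realm {realm!r}, which is not an enabled ES saml realm")

    # Rule 2: the Kibana basic provider needs a native or file realm that can authenticate.
    if "basic" in providers:
        if not (enabled_realms(es_authc, "native") or enabled_realms(es_authc, "file")):
            findings.append("kibana basic provider is listed but no enabled native/file realm can authenticate")

    # Rule 3: enabled realms must not share an order value.
    by_order = {}
    for rtype, realms in es_authc.get("realms", {}).items():
        for name, cfg in realms.items():
            if cfg.get("enabled", True):
                by_order.setdefault(cfg.get("order"), []).append(f"{rtype}.{name}")
    for order, names in by_order.items():
        if len(names) > 1:
            findings.append(f"realm order {order} is shared by {names}")

    # Rule 4 (assumption): the SP acs and logout URLs share one origin and one Kibana base path.
    for rname, cfg in es_authc.get("realms", {}).get("saml", {}).items():
        sp = cfg.get("sp", {})
        acs, logout = urlsplit(sp.get("acs", "")), urlsplit(sp.get("logout", ""))
        if (acs.scheme, acs.netloc) != (logout.scheme, logout.netloc):
            findings.append(f"saml realm {rname}: acs and logout URLs use different origins")
        # Everything before "/api/" in the acs path is taken to be the Kibana base path.
        acs_base = acs.path.split("/api/")[0]
        if acs_base and not logout.path.startswith(acs_base + "/"):
            findings.append(
                f"saml realm {rname}: acs sits under base path {acs_base!r} but logout path {logout.path!r} does not"
            )
    return findings


if __name__ == "__main__":
    for finding in lint_auth_config(ES_AUTHC, KIBANA_AUTHC) or ["no findings"]:
        print(finding)
```

Run it as-is to see the base-path finding for the post's configuration; to try variations, copy `ES_AUTHC` or `KIBANA_AUTHC`, change one setting (for example disable the native realm, or give both realms the same `order`), and pass the copies to `lint_auth_config`.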