Using GSuite for SAML integration with Elastic Stack (ElasticSearch + Kibana)

security

(Chirag Shah) #1

I am trying to use GSuite for SAML integration with my ElasticCloud Stack (ElasticSearch + Kibana) and am stuck on what attribute values to state. According to the documentation: https://www.elastic.co/guide/en/cloud/current/ec-securing-clusters-SAML.html, I have added the below to both the elasticsearch.yml and kibana.yml files.

elasticsearch.yml

xpack:
  security:
    authc:
      realms:
        cloud-saml:
          type: saml
          order: 2
          attributes.principal: "nameid:user@sitecompli.com"
          attributes.groups: "groups"
          idp.metadata.path: "https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx"
          idp.entity_id: "https://accounts.google.com/o/saml2?idpid=xxxxxxxxx"
          sp.entity_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.us-east-1.aws.found.io:9243/"
          sp.acs: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.us-east-1.aws.found.io:9243/api/security/v1/saml"
          sp.logout: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.us-east-1.aws.found.io:9243/logout"

kibana.yml

xpack.security.authProviders: [saml]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.public:
  protocol: https
  hostname: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.us-east-1.aws.found.io
  port: 9243

After reading the following thread: Issue connecting google saml with es stack, I edited attributes.principal to "urn:oid:0.9.2342.19200300.100.1.1" and that threw an error. I am not sure if I am missing anything.

I've tried the following for attributes.principal:

The error message I get is:

instance-0000000009] Metadata Resolver FilesystemMetadataResolver cloud-saml: Metadata provider failed to properly initialize, fail-fast=true, halting
net.shibboleth.utilities.java.support.component.ComponentInitializationException: Error refreshing metadata during init
    at org.opensaml.saml.metadata.resolver.impl.AbstractReloadingMetadataResolver.initMetadataResolver(AbstractReloadingMetadataResolver.java:264) ~[?:?]
    at org.opensaml.saml.metadata.resolver.impl.AbstractMetadataResolver.doInitialize(AbstractMetadataResolver.java:287) ~[?:?]
    at net.shibboleth.utilities.java.support.component.AbstractInitializableComponent.initialize(AbstractInitializableComponent.java:61) ~[?:?]
    at org.elasticsearch.xpack.security.authc.saml.SamlRealm.lambda$initialiseResolver$11(SamlRealm.java:628) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_144]
    at org.elasticsearch.xpack.security.authc.saml.SamlRealm.initialiseResolver(SamlRealm.java:627) ~[?:?]
    at org.elasticsearch.xpack.security.authc.saml.SamlRealm.parseFileSystemMetadata(SamlRealm.java:592) ~[?:?]
    at org.elasticsearch.xpack.security.authc.saml.SamlRealm.initializeResolver(SamlRealm.java:517) ~[?:?]
    at org.elasticsearch.xpack.security.authc.saml.SamlRealm.create(SamlRealm.java:191) ~[?:?]
    at org.elasticsearch.xpack.security.authc.InternalRealms.lambda$getFactories$5(InternalRealms.java:106) ~[?:?]
    at org.elasticsearch.xpack.security.authc.Realms.initRealms(Realms.java:191) ~[?:?]
    at org.elasticsearch.xpack.security.authc.Realms.<init>(Realms.java:68) ~[?:?]
    at org.elasticsearch.xpack.security.Security.createComponents(Security.java:469) ~[?:?]
    at org.elasticsearch.xpack.security.Security.createComponents(Security.java:399) ~[?:?]
    at org.elasticsearch.node.Node.lambda$new$11(Node.java:472) ~[elasticsearch-6.5.1.jar:6.5.1]
    at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:267) [?:1.8.0_144]
    at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1374) [?:1.8.0_144]
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) [?:1.8.0_144]

Please let me know if you have any thoughts on the above error message. support@elastic.co says I need to enter GSuite specific attributes for attributes.principal and attributes.groups. GSuite support says that I can keep attributes.principal to be "nameid:persistent" and attributes.groups to be "groups".

Thank you!


(Ioannis Kakavas) #2

Please don't post unformatted configurations and logs as they're very hard to read.

Instead, paste the text and format it with the </> icon, and check the preview
window to make sure it's properly formatted before posting it. This makes it
more likely that your question will receive a useful answer.

It would be great if you could update your post to solve this.


(Ioannis Kakavas) #3

This error doesn't have to do with your attribute mapping. It means that Elasticsearch cannot load your metadata from GSuite's Identity Provider. Reading through their instructions, it doesn't look like they host their metadata on a URL that can be accessed, and the https://accounts.google.com/o/saml2/idp?idpid=xxxxxxxxx you have used is the SSO URL.

Since this is actually not ECE, you can take a look at our documentation; see step 7 here.


The following would apply for Elastic Cloud Enterprise:

You need to download the SAML Metadata XML Document from GSuite and use that as follows:

  1. Prepare a ZIP file with a custom bundle that contains your Identity Provider’s metadata ( metadata.xml ) inside of a saml folder. This bundle allows all Elasticsearch containers to access the metadata file.

  2. Update your Elasticsearch cluster with the advanced configuration editor to use the bundles you prepared in the previous step. You need to modify the user_bundles JSON attribute similar to the following example:

    {
      "cluster_name": "xxxxxxx",
      "plan": {
        ...
        "elasticsearch": {
          "version": "6.4.1",
          "user_bundles": [
            {
              "name": "saml-metadata",
              "url": "https://www.MYURL.com/saml.zip",
              "elasticsearch_version": "6.4.1"
            }
          ]
        }
      }
    }
    

    Custom bundles are unzipped under the path /app/config/BUNDLE_DIRECTORY_STRUCTURE, where BUNDLE_DIRECTORY_STRUCTURE is the directory structure in the ZIP file. Make sure to note the file location where custom bundles get unzipped, as you will need it in the next step.
    In this example, the SAML metadata file will be located at the path /app/config/saml/metadata.xml:

  3. Adjust your saml realm configuration accordingly:

    idp.metadata.path: /app/config/saml/metadata.xml
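As an added example, not part of this thread or of Elastic's own tooling: a small Python check that covers the two mistakes discussed above before a cluster restart is wasted on them. It parses an IdP metadata document, builds the ZIP bundle with the file under saml/ as the ECE steps require, returns the path the realm must point at, and compares a realm's idp.* settings against the metadata, flagging the case where idp.metadata.path is the IdP's SSO URL rather than a metadata document and the case where idp.entity_id does not match the entityID in the metadata. The metadata XML is a constructed sample in the shape GSuite's SAML app exports; the idpid, certificate text and the realm dicts are placeholders, and the /app/config unzip root is taken from the post above.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample IdP metadata (placeholder idpid and certificate), shaped like
# the XML GSuite's "Download metadata" button produces for a SAML app.
SAMPLE_IDP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=C00example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIBplaceholder</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C00example"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C00example"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BUNDLE_ROOT = "/app/config"          # where ECE unzips custom bundles (from the post)
METADATA_MEMBER = "saml/metadata.xml"  # required layout inside the ZIP


def parse_idp_metadata(xml_bytes):
    """Return (entityID, {binding: SSO location}) from SAML IdP metadata.

    Raises ValueError if the document is not an EntityDescriptor with an
    IDPSSODescriptor, i.e. not something the realm's metadata resolver can load.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    idp = root.find("{%s}IDPSSODescriptor" % MD_NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("{%s}SingleSignOnService" % MD_NS)}
    if not sso:
        raise ValueError("IDPSSODescriptor lists no SingleSignOnService")
    return entity_id, sso


def build_bundle(xml_bytes):
    """Build the ZIP for the user_bundles step, with the metadata under saml/."""
    parse_idp_metadata(xml_bytes)  # fail here rather than at cluster start
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(METADATA_MEMBER, xml_bytes)
    return buf.getvalue()


def bundle_metadata_path(bundle_bytes):
    """Verify the bundle layout and return the idp.metadata.path to configure."""
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        names = zf.namelist()
        if METADATA_MEMBER not in names:
            raise ValueError("bundle must contain %s, has %s" % (METADATA_MEMBER, names))
        parse_idp_metadata(zf.read(METADATA_MEMBER))
    return BUNDLE_ROOT + "/" + METADATA_MEMBER


def check_realm_settings(realm, xml_bytes):
    """Compare a saml realm's idp.* settings (flattened elasticsearch.yml keys)
    against the IdP metadata. Returns a list of problems; empty means consistent."""
    entity_id, sso = parse_idp_metadata(xml_bytes)
    problems = []
    path = realm.get("idp.metadata.path", "")
    # A URL is only usable if the IdP actually serves metadata there. Pointing the
    # realm at an SSO endpoint is what makes the resolver fail-fast at startup.
    if re.match(r"^https?://", path) and path in sso.values():
        problems.append("idp.metadata.path is the IdP's SSO URL, not a metadata document")
    if realm.get("idp.entity_id") != entity_id:
        problems.append("idp.entity_id %r does not match metadata entityID %r"
                        % (realm.get("idp.entity_id"), entity_id))
    return problems


if __name__ == "__main__":
    bundle = build_bundle(SAMPLE_IDP_METADATA)
    print("idp.metadata.path:", bundle_metadata_path(bundle))
    wrong = {"idp.metadata.path": "https://accounts.google.com/o/saml2/idp?idpid=C00example",
             "idp.entity_id": "https://accounts.google.com/o/saml2?idpid=C00example"}
    for p in check_realm_settings(wrong, SAMPLE_IDP_METADATA):
        print("problem:", p)
```

Run it against the metadata.xml actually downloaded from the GSuite admin console rather than the constructed sample; the entityID and SSO locations it reports are the values to carry into idp.entity_id and to keep out of idp.metadata.path.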