We are trying to configure Kibana with Entra ID (Azure Active Directory) and it is not working properly

Hello Everyone,

We have an on-prem cluster on 8.17.x where we are trying to configure Entra ID for Kibana login, and we are unable to do it successfully. Unfortunately we are not getting any logs in Kibana or Elasticsearch after the configuration, but we are unable to log in to Kibana. We have done the sync with Entra ID and made sure the roles and user mappings are in place.

I feel it might be an issue with the roles and mappings, where Elasticsearch or Kibana is unable to fetch the Entra ID roles.

Are you following this documentation: Set up SAML with Microsoft Entra ID | Elastic Docs?

Have you reached out to support yet? Since this is a paid feature, you must have a license, which comes with support as well.

Yes, we have followed the docs and reached out to support. The support team is not of much help; they are not engaging enough with us to resolve the issue.

Hi @AKAM14

First, did you know you can search the Knowledge Base articles in the support portal? Lots of good stuff there.

I have debugged many SAML setups (not so much MS Entra),

but it usually comes down to a couple of things:

  1. The SAML URLs / setup / configuration is incorrect. I always ask who the SAML SME for your org is; you need that person to review the settings.
  2. There are connectivity issues between components.
  3. The role mapping is incorrect.

So here is what I suggest.

Turn on logging in Elasticsearch at TRACE level, and you will see the very fine details of the flow and the error messages.

The below will turn on the low-level tracing. Which node will handle these requests? You will need to find that node.

^^^ That's why I do ALL this testing on a single-node cluster before I try to take it to multi-node. Also, using a single-node cluster minimizes restart time after changes to elasticsearch.yml (that's a pro tip :slight_smile:).

This is the ONLY way to debug SAML as far as I am concerned.

PUT _cluster/settings
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc.saml": "TRACE",
    "logger.org.elasticsearch.xpack.security.authz": "TRACE"
  }
}

To turn the above off:

PUT _cluster/settings
{
  "transient": {
    "logger.org.elasticsearch.xpack.security.authc.saml": null,
    "logger.org.elasticsearch.xpack.security.authz": null
  }
}

You can also turn on

Kibana logging: add logging.verbose: true to your kibana.yml file.

When you try to log in with SAML, you need to be tailing the logs. In the log there will be detail that shows what fields are actually being passed to Elasticsearch, or errors, or both. Look at this carefully; it will tell you exactly what is wrong.

Fix any obvious errors, and only THEN can you know how to set up the actual role mapping, looking at what fields are being passed in.

The next thing I do is set up a "wide open" role mapping to see if it works.
This will basically map anyone to superuser.

POST /_security/role_mapping/SAML_kibana
{
    "enabled": true,
    "roles": [ "superuser" ],
    "rules" : {
      "all" : [
        {
          "field" : {
            "realm.name" : "kibana-realm"
          }
        }
      ]
    },
    "metadata": { "version": 1 }
}

THEN, if that works, and now that you can see what fields are actually being passed in from SAML, you can work on a real role mapping.

POST /_security/role_mapping/SAML_kibana
{
    "enabled": true,
    "roles": [ "superuser" ],
    "rules" : {
      "all" : [
        {
          "field" : {
            "realm.name" : "kibana-realm"
          }
        },
        {
          "field" : {
            "groups" : [
              "admin"
            ]
          }
        }
      ]
    },
    "metadata": { "version": 1 }
}

Hope this helps a bit
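The role-mapping step above is where most SAML setups go quiet: the user authenticates, the mapping does not match, and the session has no roles. As an added example that is not code from the original post or from Elastic, the script below re-implements the documented role-mapping rule DSL (all / any / except / field) so a mapping can be dry-run offline against the properties the SAML realm exposes to mappings (username, dn, groups, realm.name, metadata.*) before it is PUT to /_security/role_mapping. The mappings and users are constructed for illustration; the realm name "kibana-realm" follows the post. Assumed simplifications: string comparison is case-sensitive, only "*" is honoured as a wildcard, and DN normalisation is not modelled. It shows that the "wide open" mapping grants superuser to every user of the realm (which is why it is a test step, not a production mapping), that the groups-restricted mapping only matches users whose groups list contains "admin", and that a rule naming a property no user has (such as "group" instead of "groups") silently never matches.

```python
"""Offline evaluator for Elasticsearch role-mapping rules (added example).

Not Elastic's code: a re-implementation of the public rule DSL so a mapping
can be checked against sample user properties before it is sent to the
cluster.  Assumptions: case-sensitive string matching, '*' is the only
wildcard, no DN normalisation.  All mappings and users below are constructed.
"""
import re
from typing import Any, Dict, List


def _lookup(user: Dict[str, Any], field: str) -> Any:
    """Resolve a dotted property such as 'realm.name' or 'metadata.dept'."""
    node: Any = user
    for part in field.split("."):
        if not isinstance(node, dict) or part not in node:
            return None  # property absent on this user
        node = node[part]
    return node


def _glob(pattern: str, value: str) -> bool:
    """Match with '*' as the only wildcard; every other character is literal."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _field_rule(user: Dict[str, Any], body: Dict[str, Any]) -> bool:
    """'field' rule: one property; matches if any expected value matches any
    value of that property.  A null expected value matches only when the
    property is absent, so a mis-typed property name can never match 'admin'."""
    if len(body) != 1:
        raise ValueError(f"field rule must name exactly one property: {body}")
    (name, expected), = body.items()
    actual = _lookup(user, name)
    expecteds = expected if isinstance(expected, list) else [expected]
    if actual is None:
        return any(e is None for e in expecteds)
    actuals = actual if isinstance(actual, list) else [actual]
    return any(
        _glob(e, a) if isinstance(e, str) and isinstance(a, str) else e == a
        for e in expecteds if e is not None
        for a in actuals
    )


def evaluate(rule: Dict[str, Any], user: Dict[str, Any]) -> bool:
    """Recursively evaluate one rule object against one user's properties."""
    if len(rule) != 1:
        raise ValueError(f"rule must have exactly one key: {rule}")
    (kind, body), = rule.items()
    if kind == "all":
        return all(evaluate(r, user) for r in body)
    if kind == "any":
        return any(evaluate(r, user) for r in body)
    if kind == "except":
        return not evaluate(body, user)
    if kind == "field":
        return _field_rule(user, body)
    raise ValueError(f"unknown rule type {kind!r}")


def roles_for(mappings: Dict[str, Dict[str, Any]], user: Dict[str, Any]) -> List[str]:
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate(mapping["rules"], user):
            roles.update(mapping.get("roles", []))
    return sorted(roles)


# Constructed mappings: the wide-open test mapping, the group-restricted one,
# and a mis-typed one whose 'group' property exists on no user.
REALM_RULE = {"field": {"realm.name": "kibana-realm"}}
WIDE_OPEN = {"enabled": True, "roles": ["superuser"], "rules": {"all": [REALM_RULE]}}
ADMINS_ONLY = {"enabled": True, "roles": ["superuser"],
               "rules": {"all": [REALM_RULE, {"field": {"groups": ["admin"]}}]}}
MISTYPED = {"enabled": True, "roles": ["superuser"],
            "rules": {"all": [REALM_RULE, {"field": {"group": ["admin"]}}]}}

# Constructed users, shaped like what the SAML realm exposes to mappings once
# attributes.principal and attributes.groups are configured.
ALICE = {"username": "alice@example.com", "groups": ["admin", "dev"],
         "realm": {"name": "kibana-realm"}, "metadata": {}}
BOB = {"username": "bob@example.com", "groups": ["dev"],
       "realm": {"name": "kibana-realm"}, "metadata": {}}
CAROL = {"username": "carol", "groups": ["admin"],
         "realm": {"name": "ldap1"}, "metadata": {}}  # another (constructed) realm

if __name__ == "__main__":
    for label, mapping in (("wide open", WIDE_OPEN), ("admins only", ADMINS_ONLY),
                           ("mistyped", MISTYPED)):
        for user in (ALICE, BOB, CAROL):
            print(f"{label:12} {user['username']:18} -> "
                  f"{roles_for({'SAML_kibana': mapping}, user)}")
```

Run it as-is to see the three mappings side by side; to dry-run your own mapping, paste the JSON body you intend to POST as a dict and build a user from the attribute names and values the TRACE log shows the realm actually received. The evaluator is deliberately strict (one key per rule, one property per field rule) so that a malformed rule raises instead of silently matching nothing.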