We're having difficulty troubleshooting getting SAML working with our Azure AD.
I have been following this thread and it has been helpful, and we have run into a similar issue. We are now getting a 401 error when trying to log in. From the logs it seems to be a SAML metadata issue; I was thinking it came from the metadata created by ES. I created the metadata with the command /usr/share/elasticsearch/bin/x-pack/saml-metadata using no options, just taking the configs that are entered. The SAML/Azure admin and I are both unsure why this is still an issue. Below are the error codes we get from the browser:
```
{"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate="Basic realm=\"security\" charset=\"UTF-8\"" } } :: {"path":"/_xpack/security/saml/authenticate","query":{},"body":"{\"ids\":[],\"content\":\
```
And in the ES logs we find:
```
The XML Signature of this SAML message cannot be validated. Please verify that the saml realm uses the correct SAMLmetadata file/URL for this Identity Provider
[2018-03-28T21:42:39,927][WARN ][o.e.x.s.a.AuthenticationService] [magellan-elasticsearch-data-qa-0.localdomain] Authentication to realm saml1 failed - Provided SAML response is not valid for realm saml/saml1 (Caused by ElasticsearchSecurityException[SAML Signature [lb617vKxZbxLezNBhweFLzHNTIMM19ML...] could not be validated against [MIIC8DCCAdigAwIBAgIQOmhwXlZ+HblG/FMnDxqT7DANBgkqhkiG9w0BAQsFADA0...]])
```
This is our current config for ES and Kibana:

elasticsearch.yml
```yaml
cluster.name: qa
node.name: elasticsearch-data-qa-0.localdomain
path.data: "/var/lib/elasticsearch"
path.logs: "/var/log/elasticsearch"
network.host: 0.0.0.0
cloud:
  node.auto_attributes: true
discovery:
  zen.hosts_provider: ec2
  ec2:
    endpoint: ec2.us-west-2.amazonaws.com
    host_type: private_ip
    groups: es-tf-qa
    tag.env: qa
    node_cache_time: 20s
xpack:
  security.transport.ssl.enabled: 'true'
  security.transport.ssl.verification_mode: certificate
  security.transport.ssl.keystore.path: "/etc/elasticsearch/es-cert.p12"
  security.transport.ssl.truststore.path: "/etc/elasticsearch/es-cert.p12"
  security.http.ssl.enabled: 'true'
  security.http.ssl.keystore.path: "/etc/elasticsearch/es-cert.p12"
  security.http.ssl.truststore.path: "/etc/elasticsearch/es-cert.p12"
  security.authc:
    token.enabled: true
    realms.saml1:
      type: saml
      order: 2
      idp.metadata.path: samles.xml
      idp.entity_id: https://sts.windows.net/dda1dc18-8a23-4b49-a9d4-f1d617ba8e0c/
      sp.entity_id: https://kibana-qa.ops.example.com:5601/
      sp.acs: https://kibana-qa.ops.example.com:5601/api/security/v1/saml
      sp.logout: https://kibana-qa.ops.example.com:5601/logout
      # As posted: attributes.principal is given three times and attributes.groups
      # twice below; a YAML mapping carries only one value per key.
      attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
      attributes.principal: "urn:oid:0.9.2342.19200300.100.1.1"
      attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1."
      attributes.principal: "nameid:persistent"
      attributes.groups: "roles"
    realms.native:
      type: native
      order: '0'
  security.audit.enabled: 'true'
```

kibana.yml
```yaml
server.port: 5601
server.host: kibana-qa.ops.example.com
elasticsearch.url: https://es-qa.ops.example.com:9200
elasticsearch.username: elastic
elasticsearch.password: Password
server.ssl.cert: /usr/local/kibana-6.2.3/config/star_ops_example_com.bundle_crt
server.ssl.key: /usr/local/kibana-6.2.3/config/star_ops_example_com.key
logging.dest: /var/log/kibana.log
xpack.security.authProviders: [saml]
xpack.reporting.enabled: true
server.xsrf.whitelist: [/api/security/v1/saml]
```
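The ES log above says the response signature could not be validated against the certificate taken from the IdP metadata, so the first thing to compare is the signing certificate(s) advertised in the metadata file with the certificate the IdP actually embedded in the SAMLResponse. The script below is an added troubleshooting helper, not code from the original post or from Elastic; the metadata XML, SAMLResponse and base64 blobs in it are constructed placeholders, and the `metadata()`, `saml_response()` and `metadata_trusts_response()` names are mine.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional, Set
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(b64_cert: str) -> str:
    """SHA-256 of the DER bytes; whitespace is dropped so PEM line wrapping never causes a false mismatch."""
    return hashlib.sha256(base64.b64decode("".join(b64_cert.split()))).hexdigest()

def metadata_signing_fingerprints(metadata_xml: str) -> Set[str]:
    """Certs the IdP metadata offers for signing: KeyDescriptor with use="signing",
    or with no use attribute (which the SAML metadata spec reads as signing and encryption)."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                found.add(fingerprint(cert.text))
    return found

def response_signing_fingerprint(response_xml: str) -> Optional[str]:
    """Cert in the ds:Signature/KeyInfo of a decoded SAMLResponse (the signature may sit on the
    Response or on the Assertion); None if the IdP embedded no certificate."""
    cert = ET.fromstring(response_xml).find(".//ds:Signature//ds:X509Certificate", NS)
    return fingerprint(cert.text) if cert is not None else None

def metadata_trusts_response(metadata_xml: str, response_xml: str) -> bool:
    """True when the response was signed with a certificate the metadata lists for signing."""
    return response_signing_fingerprint(response_xml) in metadata_signing_fingerprints(metadata_xml)

# Constructed sample data: these base64 blobs are placeholders, not real X.509 certificates.
CERT_CURRENT = base64.b64encode(b"constructed placeholder: idp signing cert, current").decode()
CERT_OLD = base64.b64encode(b"constructed placeholder: idp signing cert, rotated out").decode()

def metadata(cert: str, use: str = "signing") -> str:
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example/">
  <md:IDPSSODescriptor><md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{cert}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""

def saml_response(cert: str) -> str:
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="{NS['ds']}">
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {cert}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"""

if __name__ == "__main__":
    print("current metadata:", metadata_trusts_response(metadata(CERT_CURRENT), saml_response(CERT_CURRENT)))
    print("stale metadata:  ", metadata_trusts_response(metadata(CERT_OLD), saml_response(CERT_CURRENT)))
```

To use it on the real data, read samles.xml and the base64-decoded SAMLResponse from the browser's POST to the ACS URL into the two functions; a False result means the realm is checking the signature against a certificate the IdP is no longer signing with.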