Add SAML role to SearchGuard role

Hello,

I need to known if I can map a SAML role (included on IdP response at ‘ACL’ field) with the “SGS_ALL_ACCESS” built-in role to use my SAML user like an admin.

I think sg_config.yml is configured correctly with the parameter ‘roles_key’ with the value ACL.

saml_auth_domain:
          http_enabled: true
          transport_enabled: true
          order: 1
          http_authenticator:
            type: saml
            challenge: true
            config:
              idp.metadata_file: my-idp-metadata.xml
              idp.entity_id: https://my-idp-url
              sp.entity_id: kibanasaml
              roles_key: ACL
              sp.signature_algorithm: 'http://www.w3.org/2000/09/xmldsig#rsa-sha1;'
              kibana_url: http://my-kibana-url
              #sp.forceAuthn: true
              exchange_key: 'qCgXzvG.......'
          authentication_backend:
            type: noop

The SAML response for the ACL field is something like this:

"cn=ADMIN,ou=Perfs,ou=ADBSADMIN,ou=App,o=imi"

So, I map this value at file sg_roles_mapping.yml:

 SGS_ALL_ACCESS:
  reserved: true
  backend_roles:
  - "admin"
  - "cn=ADMIN,ou=Perfs,ou=ADBSADMIN,ou=App,o=imi"
  description: "Maps admin to SGS_ALL_ACCESS"

I load with sgadmin these configuration, but when I try to login with SAML I can´t:

Can you check the log files of Elasticsearch and Kibana for error messages which appear roughly at the time when you try to login at Kibana?

Elasticsearch logs have no errors, maybe I have to configure debug logging. Kibana shows these messages:

{"type":"log","@timestamp":"2021-02-23T16:59:15Z","tags":["error","elasticsearch","data"],"pid":7,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2021-02-23T16:59:15Z","tags":["error","plugins","searchguard","searchguard-multitenancy"],"pid":7,"message":"Multitenancy: Could not get authinfo AuthenticationError: Response Error"}
{"type":"response","@timestamp":"2021-02-23T16:59:15Z","tags":[],"pid":7,"method":"get","statusCode":302,"req":{"url":"/","method":"get","headers":{"host":"my-kibana-url","x-request-id":"7caae32007248ac2af47362113bbce3b","x-real-ip":"X.X.X.X","x-forwarded-for":"X.X.X.X","x-forwarded-host":"my-kibana-url","x-forwarded-port":"80","x-forwarded-proto":"http","x-original-uri":"/","x-scheme":"http","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 Edg/88.0.705.74","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip, deflate","accept-language":"es,es-ES;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"},"remoteAddress":"10.1.64.202","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 Edg/88.0.705.74"},"res":{"statusCode":302,"responseTime":37,"contentLength":9},"message":"GET / 302 37ms - 9.0B"}
{"type":"log","@timestamp":"2021-02-23T16:59:15Z","tags":["error","elasticsearch","data"],"pid":7,"message":"[ResponseError]: Response Error"}
{"type":"response","@timestamp":"2021-02-23T16:59:15Z","tags":[],"pid":7,"method":"get","statusCode":302,"req":{"url":"/auth/saml/login?nextUrl=%2F","method":"get","headers":{"host":"my-kibana-url","x-request-id":"41c7ad6acf5f90d94d511e8a9515c427","x-real-ip":"X.X.X.X","x-forwarded-for":"X.X.X.X","x-forwarded-host":"my-kibana-url","x-forwarded-port":"80","x-forwarded-proto":"http","x-original-uri":"/auth/saml/login?nextUrl=%2F","x-scheme":"http","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 Edg/88.0.705.74","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","accept-encoding":"gzip, deflate","accept-language":"es,es-ES;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"},"remoteAddress":"10.1.64.202","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36 Edg/88.0.705.74"},"res":{"statusCode":302,"responseTime":15,"contentLength":9},"message":"GET /auth/saml/login?nextUrl=%2F 302 15ms - 9.0B"}
{"type":"log","@timestamp":"2021-02-23T17:00:50Z","tags":["error","elasticsearch","data"],"pid":7,"message":"[ResponseError]: Response Error"}
{"type":"log","@timestamp":"2021-02-23T17:00:50Z","tags":["error","plugins","searchguard","searchguard-multitenancy"],"pid":7,"message":"Multitenancy: Could not get authinfo AuthenticationError: Response Error"}
{"type":"response","@timestamp":"2021-02-23T17:00:50Z","tags":[],"pid":7,"method":"get","statusCode":302,"req":{"url":"/app/kibana","method":"get","headers":{"host":"my-kibana-url","x-request-id":"5706c672d5e6c4f623f0320a503121af","x-real-ip":"X.X.X.X","x-forwarded-for":"X.X.X.X","x-forwarded-host":"my-kibana-url","x-forwarded-port":"80","x-forwarded-proto":"http","x-original-uri":"/app/kibana","x-scheme":"http","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate","upgrade-insecure-requests":"1"},"remoteAddress":"10.1.64.202","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0"},"res":{"statusCode":302,"responseTime":17,"contentLength":9},"message":"GET /app/kibana 302 17ms - 9.0B"}
{"type":"log","@timestamp":"2021-02-23T17:00:50Z","tags":["error","elasticsearch","data"],"pid":7,"message":"[ResponseError]: Response Error"}
{"type":"response","@timestamp":"2021-02-23T17:00:50Z","tags":[],"pid":7,"method":"get","statusCode":302,"req":{"url":"/auth/saml/login?nextUrl=%2Fapp%2Fkibana","method":"get","headers":{"host":"my-kibana-url","x-request-id":"fff80ae5695b7051d15bb335b1e8c849","x-real-ip":"X.X.X.X","x-forwarded-for":"X.X.X.X","x-forwarded-host":"my-kibana-url","x-forwarded-port":"80","x-forwarded-proto":"http","x-original-uri":"/auth/saml/login?nextUrl=%2Fapp%2Fkibana","x-scheme":"http","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate","upgrade-insecure-requests":"1"},"remoteAddress":"10.1.64.202","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0"},"res":{"statusCode":302,"responseTime":55,"contentLength":9},"message":"GET /auth/saml/login?nextUrl=%2Fapp%2Fkibana 302 55ms - 9.0B"}
{"type":"log","@timestamp":"2021-02-23T17:00:54Z","tags":["error","plugins","searchguard","searchguard-auth"],"pid":7,"message":"SAML auth, failed to authorize: Error: The session cookie is absent.\n    at router.post (/usr/share/kibana/plugins/searchguard/server/applications/searchguard/auth/types/saml/routes.js:131:17)\n    at process._tickCallback (internal/process/next_tick.js:68:7)"}
{"type":"response","@timestamp":"2021-02-23T17:00:54Z","tags":[],"pid":7,"method":"post","statusCode":302,"req":{"url":"/searchguard/saml/acs","method":"post","headers":{"host":"my-kibana-url","x-request-id":"cc4c4f7769af90d63630bff7961ddbf5","x-real-ip":"X.X.X.X","x-forwarded-for":"X.X.X.X","x-forwarded-host":"my-kibana-url","x-forwarded-port":"80","x-forwarded-proto":"http","x-original-uri":"/searchguard/saml/acs","x-scheme":"http","content-length":"9795","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate","content-type":"application/x-www-form-urlencoded","origin":"null","upgrade-insecure-requests":"1"},"remoteAddress":"10.1.64.202","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0"},"res":{"statusCode":302,"responseTime":43,"contentLength":9},"message":"POST /searchguard/saml/acs 302 43ms - 9.0B"}
{"type":"response","@timestamp":"2021-02-23T17:00:54Z","tags":[],"pid":7,"method":"get","statusCode":200,"req":{"url":"/customerror?type=samlAuthError","method":"get","headers":{"host":"my-kibana-url","x-request-id":"e49216fe8a4f52bffc9c6757eeab38ec","x-real-ip":"X.X.X.X","x-forwarded-for":"X.X.X.X","x-forwarded-host":"my-kibana-url","x-forwarded-port":"80","x-forwarded-proto":"http","x-original-uri":"/customerror?type=samlAuthError","x-scheme":"http","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8","accept-language":"es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3","accept-encoding":"gzip, deflate","upgrade-insecure-requests":"1"},"remoteAddress":"10.1.64.202","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0"},"res":{"statusCode":200,"responseTime":161,"contentLength":9},"message":"GET /customerror?type=samlAuthError 200 161ms - 9.0B"}

Errors should show up without modifying the logging level. Can you please also check the Elasticsearch logs for errors which appear during startup or while re-applying the configuration using sgadmin?

I`ve re-applied the configuration and no errors appears at sgadmin output or elasticsearch logs. Perhaps this note from SearchGuard clarify the problem:

image1171×229 13.8 KB

Based on that note, I can’t modify the SGS_ALL_ACCESS role because it is static.

How can I configure manually an admin role with the same perms than SGS_ALL_ACCESS?

@adminunix you can create a new role that has SGS_ALL_ACCESS permissions. Then create a mapping for it.

The SGS_ALL_ACCESS permissions are

{
  "description": "Allow full access to all indices and all cluster APIs",
  "cluster_permissions": [
    "*"
  ],
  "index_permissions": [
    {
      "allowed_actions": [
        "*"
      ],
      "index_patterns": [
        "*"
      ],
      "fls": [],
      "masked_fields": []
    }
  ],
  "tenant_permissions": [
    {
      "allowed_actions": [
        "*"
      ],
      "tenant_patterns": [
        "*"
      ]
    }
  ],
  "exclude_cluster_permissions": [],
  "exclude_index_permissions": []
}

You can create the role in sg_roles.yml, via REST API or do it in UI by cloning SGS_ALL_ACCESS.

Screenshot 2021-02-24 at 14.10.581875×605 43.9 KB

I have created a new admin role and I have added the user and the backend_role that comes with the SAML response:

MY_ADMIN_ROLE:
reserved: false
backend_roles:
- “cn=ADMIN,ou=Perfs,ou=ADBSADMIN,ou=App,o=imi”
users:
- “MY-SAML-USER”

But the error is still the same. It’s supposed that mapping the SAML user to the role everything has to work, right?

These are some logs of kibana:

{“type”:“log”,“@timestamp”:“2021-03-01T13:25:37Z”,“tags”:[“error”,“elasticsearch”,“data”],“pid”:7,“message”:“[ResponseError]: Response Error”}
{“type”:“log”,“@timestamp”:“2021-03-01T13:25:37Z”,“tags”:[“error”,“plugins”,“searchguard”,“searchguard-multitenancy"],“pid”:7,“message”:“Multitenancy: Could not get authinfo AuthenticationError: Response Error”}
{“type”:“log”,”@timestamp":“2021-03-01T13:25:41Z”,“tags”:[“error”,“plugins”,“searchguard”,“searchguard-auth”],“pid”:7,“message”:"SAML auth, failed to authorize: Error: The session cookie is absent.\n at router.

On idP side (Oracle Access Management), I have only configured the SP identifier and the kibana URL:
http://<kibana_base_url>:<kibana_port>/searchguard/saml/acs

The following is the role mapping.

MY_ADMIN_ROLE:
reserved: false
backend_roles:
- “cn=ADMIN,ou=Perfs,ou=ADBSADMIN,ou=App,o=imi”
users:
- “MY-SAML-USER”

Please show me your role. Do you see any error in Elasticsearch?

I have defined the role at sg_roles.yml with this config:

Elasticsearch logs doesn´t show any error although I have configured debug mode at log4j2.properties:

logger.token.name = com.floragunn.dlic.auth.http.saml.Token
logger.token.level = debug

Hello,

Any idea? I have tried a lot of settings with the saml response fields but the result is always the same:

kibana log:

“tags”:[“error”,“elasticsearch”,“data”],“pid”:7,“message”:“[ResponseError]: Response Error”}

Elasticsearch logs does not show any saml error.

I need to know more about your system.

1. SG version
2. Elastic version
3. kibana.yml

Elasticsearch logs does not show any saml error.

Is there any non-SAML error? Show me the Elasticsearch log if there is any error.

Enable debug in Kibana and try to authenticate again.
kibana.yml

searchguard.auth.debug: true

Show me the Kibana log.

I need to known if I can map a SAML role (included on IdP response at ‘ACL’ field) with the “SGS_ALL_ACCESS” built-in role to use my SAML user like an admin.

To have a SAML user as admin you need to do the following:

1. Create the admin role in IDP. For example, Keycloak
   

   

   Screenshot 2021-03-08 at 18.36.251464×762 58.6 KB

2. Create the user and map it to the admin role
   

   

   Screenshot 2021-03-08 at 18.36.431441×516 53.3 KB

3. That’s it, the user has the admin permissions, no extra config is needed. Navigate to Kibana and try to do things.

It works because the Search Guard holds the SGS_ALL_ACCESS role with all permissions. And there is the corresponding role mapping with the admin in the backend roles.

  "SGS_ALL_ACCESS" : {
    "reserved" : true,
    "hidden" : false,
    "backend_roles" : [
      "admin"
    ],
    "hosts" : [ ],
    "users" : [ ],
    "and_backend_roles" : [ ],
    "description" : "Maps admin to SGS_ALL_ACCESS"
  }

Hi,

• SG version: 7.10.0-48.0.0
• Elastic version: 7.10.0
• kibana.yml:

server.name: vigia-kibana-int
server.host: 0.0.0.0
elasticsearch.hosts: https://pod-elasticsearch-service:9200
xpack.security.enabled: false
searchguard.multitenancy.enabled: true
searchguard.accountinfo.enabled: true
searchguard.auth.type: "saml"

elasticsearch.requestHeadersWhitelist: [ "sgtenant", "Authorization" ]
elasticsearch.username: kibanaserver
elasticsearch.password: kibanaserver
elasticsearch.ssl.verificationMode: none

server.ssl.enabled: false

server.xsrf.whitelist: ["/searchguard/saml/acs", "/searchguard/saml/logout"]
searchguard.auth.debug: true
logging.verbose: false

Kibana Log only show these type of errors:

{“type”:“log”,“@timestamp”:“2021-03-01T13:25:37Z”,“tags”:[“error”,“elasticsearch”,“data”],“pid”:7,“message”:“[ResponseError]: Response Error “}
{“type”:“log”,”@timestamp”:“2021-03-01T13:25:37Z”,“tags”:[“error”,“plugins”,“searchguard”,“searchguard-multitenancy"],“pid”:7,“message”:“Multitenancy: Could not get authinfo AuthenticationError: Response Error”}
{“type”:“log”,”@timestamp":“2021-03-01T13:25:41Z”,“tags”:[“error”,“plugins”,“searchguard”,“searchguard-auth”],“pid”:7,“message”:"SAML auth, failed to authorize: Error: The session cookie is absent.\n at router .

IdP is Oracle Access Management (OAM). I have checked the requests and responses between OAM and kibana and everything seems correct because OAM sends SAML response to “http://my-kibana-url/searchguard/saml/acs”.
At this point, something is wrong because kibana always redirect to “http://my-kibana-url//customerror?type=samlAuthError”

image968×368 20.9 KB

My admin role is a copy of SGS_ALL_ACCESS:

I have mapped the content of the ACL field that comes with the saml response:

MY_ADMIN_ROLE:
reserved: false
backend_roles:
- “cn=ADMIN,ou=Perfils,ou=IDJSMSADMIN,ou=App,o=imi”

It is correct all the above settings?

Another thing that I want to comment is that the Searchguard Trial License is now expired.
I was tested the same config when the license was valid, but the results were the same.

I know that SAML feature requires license but, can I test saml authentication with the expired license at develop environment?

It is required to set the isSameSite=None to enable Kibana to send the cookie in a third-party context. The setting requires HTTPS.
kibana.yml

searchguard.cookie.isSameSite: None
searchguard.cookie.secure: true

Trial License is now expired

Download the SG and setup it again.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.