Issues configuring SAML authentication

Thank you! I’ve read that post multiple times, and this is the first time I’ve noticed the comment that sp.entity_id should match the <Audience /> value in the response. Checking that, I found a typo in the <Audience /> value the IdP was sending, so the two did not match. I’m still not successfully logging in, but I now get a slightly different response. I will post further updates as I have them.

Ahh. I misread the docs. Please accept this as a +1 for this feature!!!

Updates

2020-07-09 12:01:00-0500

With searchguard.auth.debug: true set in kibana.yml, an IdP-initiated login now shows the expected response content coming back from the SAML provider (see the XML below, which was decoded from the SAMLResponse parameter in the log line immediately above it). It still does not actually log me in, though. When I instead try an SP-initiated login by going straight to Kibana, nothing at all appears in the log.

Log entry

{"type":"response","@timestamp":"2020-07-09T17:10:48Z","tags":[],"pid":6,"method":"get","statusCode":302,"req":{"url":"/searchguard/saml/acs?SAMLResponse=...","method":"get","headers":{"host":"elk.dev.example.com","connection":"keep-alive","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","sec-fetch-site":"none","sec-fetch-mode":"navigate","sec-fetch-dest":"document","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9"},"remoteAddress":"10.229.91.149","userAgent":"10.229.91.149"},"res":{"statusCode":302,"responseTime":2,"contentLength":9},"message":"GET /searchguard/saml/acs?SAMLResponse=...&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256 302 2ms - 9.0B"}

SAML Response

<!-- Decoded SAMLResponse from the ACS request logged above. The decoded body carries no
     ds:Signature element on either the Response or the Assertion; the SigAlg query parameter
     in the logged URL indicates the signature travelled in the query string instead
     (HTTP-Redirect binding, GET to the ACS). NOTE(review): confirm the SP actually accepts the
     Redirect binding at its ACS endpoint; SAML Responses are usually delivered with HTTP-POST,
     and an SP that only validates POSTed, embedded signatures would silently reject this. -->
<samlp:Response Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" Destination="https://elk.dev.example.com/searchguard/saml/acs" ID="_769a7a29-06ca-4e39-940a-52e91f6cd23b" IssueInstant="2020-07-09T16:21:26.210Z" Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- IdP entity ID (ADFS). Presumably this must equal the IdP entity ID / metadata the SP
         is configured to trust; verify against the Search Guard IdP settings. -->
    <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://ifs.example.com/adfs/services/trust</Issuer>
    <samlp:Status>
        <!-- The IdP reports success, so any failure from here on is on the SP side. -->
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
    </samlp:Status>
    <Assertion ID="_20f3a6f5-0998-4f8c-931b-d11360f37815" IssueInstant="2020-07-09T16:21:26.210Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Issuer>http://ifs.example.com/adfs/services/trust</Issuer>
        <Subject>
            <!-- NameID has no Format attribute (treated as unspecified); check that the SP's
                 username/subject mapping accepts the plain e-mail form sent here. -->
            <NameID>me@example.com</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <!-- Bearer confirmation window is five minutes (16:21:26Z to 16:26:26Z) and Recipient
                     must equal the ACS URL the request arrived at (it does match Destination above).
                     NOTE(review): the log entry above is stamped 17:10:48Z. If that entry and this
                     response are the same request, the response was presented ~44 minutes after
                     NotOnOrAfter, and a correctly behaving SP must reject it; that window is exactly
                     what prevents replay of a captured response. Check for clock skew between the
                     ADFS host and the Kibana host, or re-capture with a fresh login. -->
                <SubjectConfirmationData NotOnOrAfter="2020-07-09T16:26:26.210Z" Recipient="https://elk.dev.example.com/searchguard/saml/acs"/>
            </SubjectConfirmation>
        </Subject>
        <!-- Assertion validity is one hour; the bearer window above is the tighter constraint. -->
        <Conditions NotBefore="2020-07-09T16:21:26.210Z" NotOnOrAfter="2020-07-09T17:21:26.210Z">
            <AudienceRestriction>
                <!-- Audience must match the SP entity ID exactly (sp.entity_id in Search Guard, per the
                     thread above). Note it is the /kibana URL, not the /searchguard/saml/acs URL used
                     for Destination and Recipient; both values have to be configured consistently. -->
                <Audience>https://elk.dev.example.com/kibana</Audience>
            </AudienceRestriction>
        </Conditions>
        <AttributeStatement>
            <!-- Role claim consumed for Search Guard role mapping. These values are only trustworthy
                 because the message is (presumably, given SigAlg in the logged URL) signed; do not
                 disable signature validation on the SP to get past the login failure. -->
            <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
                <AttributeValue>SG_ADMIN</AttributeValue>
                <AttributeValue>SG_USER</AttributeValue>
            </Attribute>
        </AttributeStatement>
        <!-- AuthnInstant (14:34:59Z) predates IssueInstant by about 1h46m and the context is Windows
             integrated auth, which suggests ADFS reused an existing SSO session rather than prompting.
             That is normal for IdP-initiated SSO from a domain-joined browser. -->
        <AuthnStatement AuthnInstant="2020-07-09T14:34:59.445Z" SessionIndex="_20f3a6f5-0998-4f8c-931b-d11360f37815">
            <AuthnContext>
                <AuthnContextClassRef>urn:federation:authentication:windows</AuthnContextClassRef>
            </AuthnContext>
        </AuthnStatement>
    </Assertion>
</samlp:Response>