Multiple SAML authentication domains not working

I have configured two SAML authentication domains (saml_auth_domain_1, saml_auth_domain_2).
SAML authentication with domain_1 (order: 1) is working fine, but when I try to authenticate with domain_2 (order: 2) it fails. The SAML response is always validated against the order: 1 configuration, so authentication fails.
Can you please help me find out whether I am missing any configuration?

```
[2020-07-07T10:39:31,100][ERROR][c.o.s.a.SamlResponse ] [d2e2a24b5dae] Invalid issuer in the Assertion/Response. Was 'http://www.okta.com/exk2a5dqy6V91kXy24x6', but expected 'http://www.okta.com/exk5gkh4nXCGhGIkc4x6
[2020-07-07T10:39:31,101][WARN ][c.a.d.a.h.s.AuthTokenProcessorHandler] [d2e2a24b5dae] Error while validating SAML response in /_opendistro/_security/api/authtoken
```

The SAML response for domain_2 authentication contains (entity_id: http://www.okta.com/exk2a5dqy6V91kXy24x6), but this response gets compared with the domain_1 entity_id, not with domain_2, so the validation is failing.

```yaml
saml_auth_domain_1:
  description: "Authenticate via SAML"
  http_enabled: true
  transport_enabled: false
  order: 1
  http_authenticator:
    type: saml
    challenge: true
    config:
      idp:
        metadata_file: okta.xml
        entity_id: http://www.okta.com/exk5gkh4nXCGhGIkc4x6
      sp:
        entity_id: kibana_saml
      kibana_url: http://KIBANA_URL/
      roles_key: Role
      exchange_key: 'mnbvczlkjhgfdsapoiuytrewqqwertonjklhgfrt'
  authentication_backend:
    type: noop
saml_auth_domain_2:
  description: "Authenticate via SAML"
  http_enabled: true
  transport_enabled: false
  order: 2
  http_authenticator:
    type: saml
    challenge: true
    config:
      idp:
        metadata_file: okta_2.xml
        entity_id: http://www.okta.com/exk2a5dqy6V91kXy24x6
      sp:
        entity_id: kibana_saml
      kibana_url: http://KIBANA_URL/
      roles_key: Role
      exchange_key: 'asdfghjklmnbvczxqwertyuioplkiujhytgfredws'
  authentication_backend:
    type: noop
```
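An added example, not code from Search Guard or Open Distro: it shows in Python the dispatch the logged error implies is missing, selecting the auth domain whose idp.entity_id equals the response's Issuer rather than always using the lowest-order domain, and it reports that both posted domains reuse the same sp.entity_id, which is worth checking when two IdPs are configured. AUTH_DOMAINS and SAMPLE_RESPONSE are constructed from the configuration and log in the post.

```python
# Added example (not plugin code): route a SAML Response to the auth domain
# whose IdP entity_id matches <saml:Issuer>, instead of validating it against
# the lowest-order domain only.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The two posted domains, reduced to the fields the dispatch needs.
AUTH_DOMAINS = {
    "saml_auth_domain_1": {"order": 1, "idp_entity_id": "http://www.okta.com/exk5gkh4nXCGhGIkc4x6", "sp_entity_id": "kibana_saml"},
    "saml_auth_domain_2": {"order": 2, "idp_entity_id": "http://www.okta.com/exk2a5dqy6V91kXy24x6", "sp_entity_id": "kibana_saml"},
}

# Constructed, unsigned skeleton of a Response from the second Okta app. A real
# response also carries Signature, Conditions and attributes, which must still
# be verified against the selected domain's metadata after dispatch.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <saml:Issuer>http://www.okta.com/exk2a5dqy6V91kXy24x6</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/exk2a5dqy6V91kXy24x6</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""

def response_issuer(xml_text):
    """Return the Issuer of the Response; it must equal the Assertion's Issuer."""
    root = ET.fromstring(xml_text)
    resp_issuer = root.findtext("saml:Issuer", namespaces=NS)
    assertion_issuer = root.findtext("saml:Assertion/saml:Issuer", namespaces=NS)
    if resp_issuer is None or resp_issuer.strip() != (assertion_issuer or "").strip():
        raise ValueError("Response and Assertion issuers missing or mismatched")
    return resp_issuer.strip()

def first_by_order(domains):
    """What the posted log shows: the lowest-order domain is used regardless of issuer."""
    return min(domains, key=lambda name: domains[name]["order"])

def select_domain(domains, issuer):
    """Pick the single domain whose IdP entity_id equals the issuer; ambiguity is an error."""
    matches = [n for n, d in domains.items() if d["idp_entity_id"] == issuer]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one domain for issuer {issuer!r}, got {matches}")
    return matches[0]

def shared_sp_entity_ids(domains):
    """Report sp.entity_id values reused by more than one domain, as in the posted config."""
    seen = {}
    for name, d in domains.items():
        seen.setdefault(d["sp_entity_id"], []).append(name)
    return {sp: names for sp, names in seen.items() if len(names) > 1}
```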

This question is related to ODFE (Open Distro); please ask on the ODFE forum: https://discuss.opendistrocommunity.dev/

Can you please explain whether this same scenario works with Search Guard?
