Hi,
The SAML integration of Kibana and Elasticsearch with Okta doesn't seem to be working. I keep getting redirected to `customerror?type=samlConfigError#?_g=()` or to `/customerror?type=samlAuthError#?_g=()`.
I have enabled debug logging on the Elasticsearch machine, and these are the logs being generated:

```text
'org.apache.cxf.rs.security.jose.jws.JwsException: INVALID_COMPACT_JWS' extracting credentials from saml http authenticator
	at com.floragunn.dlic.auth.http.saml.HTTPSamlAuthenticator.extractCredentials(HTTPSamlAuthenticator.java:135)
```
Kibana is running on a different server, and the Single sign on URL added in the Okta app is being proxy-passed through an nginx machine. Does the `kibana_url` in the config.yml below need to be the same one as in Okta, or should I pass the FQDN of the Kibana machine?

Here is the sg_config.yml file:
```yaml
saml:
  enabled: true
  order: 1
  http_authenticator:
    type: saml
    challenge: true
    config:
      idp:
        metadata_file: metadata.xml
        entity_id: http://www.okta.com/3jnkj3nlwj3nlekn3lkn2
      sp:
        entity_id: kibana-saml
      roles_key: 'Roles'
      kibana_url: https://kibana-node-1:5601
      exchange_key: 'asd4nlksanflkanl3k2nlknlk'
  authentication_backend:
    type: noop
```
In the kibana.yml I have added these two lines as well:

```yaml
searchguard.auth.type: "saml"
server.xsrf.whitelist: ["/searchguard/saml/acs/idpinitiated", "/searchguard/saml/acs", "/searchguard/saml/logout"]
```
Also the logs being generated in the kibana machine are not helpful.
Any ideas as to what can cause this issue?
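A consistency check over the configuration in the post, written here as an added example (not the poster's code and not part of Search Guard). It assumes the IdP posts the SAML response to `kibana_url` followed by the `/searchguard/saml/acs` path that appears in the kibana.yml whitelist, and uses the constructed `https://kibana.example.com` as a stand-in for the proxied URL registered in Okta.

```python
from urllib.parse import urlsplit

# Assumption: the IdP must post to <kibana_url> + ACS_PATH (path taken from the xsrf whitelist).
ACS_PATH = "/searchguard/saml/acs"
REQUIRED_XSRF_PATHS = {"/searchguard/saml/acs", "/searchguard/saml/acs/idpinitiated",
                       "/searchguard/saml/logout"}


def expected_acs_url(kibana_url: str) -> str:
    """ACS URL the SP expects the IdP to post to, derived from kibana_url."""
    return kibana_url.rstrip("/") + ACS_PATH


def check_saml_config(saml_domain: dict, idp_sso_url: str, xsrf_whitelist: list) -> list:
    """Compare the SP-side config with the IdP-side SSO URL; returns findings (empty = consistent)."""
    findings = []
    authc = saml_domain["http_authenticator"]
    if authc.get("type") != "saml":
        findings.append("http_authenticator.type is not 'saml'")
    cfg = authc["config"]
    expected, actual = urlsplit(expected_acs_url(cfg["kibana_url"])), urlsplit(idp_sso_url)
    if (expected.scheme, expected.netloc) != (actual.scheme, actual.netloc):
        findings.append(f"kibana_url origin {expected.scheme}://{expected.netloc} differs from "
                        f"the IdP Single sign on URL origin {actual.scheme}://{actual.netloc}")
    if actual.path.rstrip("/") != ACS_PATH:
        findings.append(f"IdP Single sign on URL path {actual.path!r} is not {ACS_PATH!r}")
    missing = REQUIRED_XSRF_PATHS.difference(xsrf_whitelist)
    if missing:
        findings.append("server.xsrf.whitelist is missing " + ", ".join(sorted(missing)))
    if not cfg.get("exchange_key"):
        findings.append("exchange_key is empty")
    return findings


# The SAML domain from the post's sg_config.yml, transcribed as a dict.
SAML_DOMAIN = {
    "enabled": True, "order": 1,
    "http_authenticator": {"type": "saml", "challenge": True, "config": {
        "idp": {"metadata_file": "metadata.xml", "entity_id": "http://www.okta.com/3jnkj3nlwj3nlekn3lkn2"},
        "sp": {"entity_id": "kibana-saml"}, "roles_key": "Roles",
        "kibana_url": "https://kibana-node-1:5601", "exchange_key": "asd4nlksanflkanl3k2nlknlk"}},
    "authentication_backend": {"type": "noop"},
}
XSRF_WHITELIST = ["/searchguard/saml/acs/idpinitiated", "/searchguard/saml/acs", "/searchguard/saml/logout"]
IDP_SSO_URL = "https://kibana.example.com/searchguard/saml/acs"  # constructed stand-in for the proxied URL

if __name__ == "__main__":
    for finding in check_saml_config(SAML_DOMAIN, IDP_SSO_URL, XSRF_WHITELIST):
        print("finding:", finding)
```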