SAML authentication not working with Kibana


The SAML integration of Kibana and Elasticsearch with OKTA doesn’t seem to be working. I keep getting redirected to customerror?type=samlConfigError#?_g=() or to /customerror?type=samlAuthError#?_g=().

I have enabled debug logging on the Elasticsearch machine, and these logs are being generated:

' INVALID_COMPACT_JWS' extracting credentials from saml http authenticator
	at com.floragunn.dlic.auth.http.saml.HTTPSamlAuthenticator.extractCredentials( 

Kibana is running on a different server, and the single sign-on URL added in the OKTA app is proxy-passed through an nginx machine.

Does the kibana_url in the config.yml below need to be the same as the one in OKTA, or should I pass the FQDN of the Kibana machine?

Here is the sg_config.yml file:

       enabled: true
       order: 1
         type: saml
         challenge: true
             metadata_file: metadata.xml
             entity_id: kibana-saml
           roles_key: 'Roles'
           kibana_url: https://kibana-node-1:5601
           exchange_key: 'asd4nlksanflkanl3k2nlknlk'
         type: noop

In the kibana.yml I have added these two blocks as well.

searchguard.auth.type: "saml"

server.xsrf.whitelist: ["/searchguard/saml/acs/idpinitiated", "/searchguard/saml/acs", "/searchguard/saml/logout"]

Also, the logs being generated on the Kibana machine are not helpful.

Any ideas as to what can cause this issue?