SAML authentication not working with Kibana

Hi,

The SAML integration of kibana and elasticsearch with OKTA doesn’t seem to be working. I keep getting redirected to customerror?type=samlConfigError#?_g=() or to this /customerror?type=samlAuthError#?_g=() .

I have enabled debug log in the elasticsearch machine and logs being generated:

'org.apache.cxf.rs.security.jose.jws.JwsException: INVALID_COMPACT_JWS' extracting credentials from saml http authenticator
	at com.floragunn.dlic.auth.http.saml.HTTPSamlAuthenticator.extractCredentials(HTTPSamlAuthenticator.java:135) 

The kibana is running on a different server and the Single sign on URL added in the OKTA app is being proxy passed through a nginx machine.

Does the kibana_url in the below config.yml need to be the same one in OKTA or should I pass the FQDN of the kibana machine?

Here is the sg_config.yml file:

 saml:
       enabled: true
       order: 1
       http_authenticator:
         type: saml
         challenge: true
         config:
           idp:
             metadata_file: metadata.xml
             entity_id: http://www.okta.com/3jnkj3nlwj3nlekn3lkn2
           sp:
             entity_id: kibana-saml
           roles_key: 'Roles'
           kibana_url: https://kibana-node-1:5601
           exchange_key: 'asd4nlksanflkanl3k2nlknlk'
       authentication_backend:
         type: noop

In the kibana.yml I have added these two blocks as well.

searchguard.auth.type: "saml"

server.xsrf.whitelist: ["/searchguard/saml/acs/idpinitiated", "/searchguard/saml/acs", "/searchguard/saml/logout"]

Also the logs being generated in the kibana machine are not helpful.

Any ideas as to what can cause this issue?

Does the kibana_url in the below config.yml need to be the same one in OKTA or should I pass the FQDN of the kibana machine?

After you log in to your IdP (OKTA), it will issue an HTTP POST back to Kibana containing the SAML Response. Thus in kibana_url, you need to put the base URL of your Kibana installation. This URL must be accessible by OKTA. Make sure your network passes TCP 5601 data connection to the Kibana server.

Also, please read this troubleshooting doc https://docs.search-guard.com/latest/troubleshooting-saml#saml-troubleshooting

If the things above didn’t help, we need more data from you to be able to investigate the issue deeply:

  • sg_config.yml
  • kibana.yml
  • elasticsearch.yml
  • Nginx logs. Try to authenticate, go to Nginx logs, and copy the logs.
  • Kibana logs. Put logging.verbose: true to kibana.yml, try to authenticate, go to Kibana logs, and copy the logs.
  • Elasticsearch logs.

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.