SAML config error

Search Guard
1

Hi Team

I have issue when setting up SAML login for kibana, my kibana is behind traefik proxy and getting "Internal server error`, whereas basic auth works fine for me.

sg_config:

      authc:
        basic_internal_auth_domain:
          description: "Authenticate via HTTP Basic against internal users database"
          http_enabled: true
          transport_enabled: true
          order: 1
          http_authenticator:
            type: basic
            challenge: true
          authentication_backend:
            type: intern
        saml_auth_idp:
          description: "SAML Auth"
          http_enabled: true
          order: 0
          http_authenticator:
            type: 'saml'
            challenge: true
            config:
              idp:
                metadata_url: "<\metadata_url>"
                entity_id: "<\idp_entity_id>"
              sp:
                entity_id: "https://<\service_fqdn>/saml"
              kibana_url: "https://<\service_fqdn>"
              subject_key: "email"
              roles_key: "Roles"
              exchange_key: "key"
          authentication_backend:
            type: noop
      authz:

kibana.yml

searchguard.multitenancy.enabled: true

### SAML Auth
searchguard.auth.type: "saml"
searchguard.auth.debug: true
searchguard.cookie.secure: true
searchguard.cookie.isSameSite: None
server.xsrf.whitelist: ["/searchguard/saml/acs", "/searchguard/saml/logout"]

Error- on browser

500 Internal server error

https://service_fqdn/auth/saml/login?nextUrl=%2F

Error - on kibana server

{“type”:“log”,“@timestamp”:“2021-03-30T16:59:51Z”,“tags”:[“error”,“http”],“pid”:7,“message”:“Error: expected ‘location’ header to be set\n at HapiResponseAdapter.toRedirect (/usr/share/kibana/src/core/server/http/router/response_adapter.js:112:13)\n at HapiResponseAdapter.toHapiResponse (/usr/share/kibana/src/core/server/http/router/response_adapter.js:94:19)\n at HapiResponseAdapter.handle (/usr/share/kibana/src/core/server/http/router/response_adapter.js:81:17)\n at Router.handle (/usr/share/kibana/src/core/server/http/router/router.js:164:34)\n at process._tickCallback (internal/process/next_tick.js:68:7)”}

“type”:“error”,“@timestamp”:“2021-03-30T16:59:51Z”,“tags”:,“pid”:7,“level”:“error”,“error”:{“message”:“Internal Server Error”,“name”:“Error”,“stack”:“Error: Internal Server Error\n at HapiResponseAdapter.toInternalError (/usr/share/kibana/src/core/server/http/router/response_adapter.js:69:19)\n at Router.handle (/usr/share/kibana/src/core/server/http/router/router.js:177:34)\n at process._tickCallback (internal/process/next_tick.js:68:7)”},“url”:{“protocol”:null,“slashes”:null,“auth”:null,“host”:null,“port”:null,“hostname”:null,“hash”:null,“search”:“?nextUrl=%2F”,“query”:{“nextUrl”:“/”},“pathname”:“/auth/saml/login”,“path”:“/auth/saml/login?nextUrl=%2F”,“href”:“/auth/saml/login?nextUrl=%2F”},“message”:“Internal Server Error”}

2

Hi. What SG version is it?

I see a couple of problems:

  1. The basic_internal_auth_domain must always have order=0. In sg_config, make basic_internal_auth_domain order=0 and saml_auth_idp order=1.

  2. You need to whitelist some headers to make multitenancy work.

kibana.yml

elasticsearch.requestHeadersWhitelist: ["sgtenant", "authorization", "X-Forwarded-For", "x-proxy-user", "x-proxy-roles", "urltoken"]
3

Thansk for your response @srgbnd,

I did the change to sg_config, kibana.yml ; issue still persist

{"type":"error","@timestamp":"2021-03-31T11:30:01Z","tags":[],"pid":8,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toInternalError (/usr/share/kibana/src/core/server/http/router/response_adapter.js:69:19)\n at Router.handle (/usr/share/kibana/src/core/server/http/router/router.js:177:34)\n at process._tickCallback (internal/process/next_tick.js:68:7)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":"?nextUrl=%2F","query":{"nextUrl":"/"},"pathname":"/auth/saml/login","path":"/auth/saml/login?nextUrl=%2F","href":"/auth/saml/login?nextUrl=%2F"},"message":"Internal Server Error"}

ES version: 7.10.2
Kibana verson: 7.10.2
SG Kibana : 49.1.0

4

Read the SAML troubleshooting guide and check whether you have the main settings in order.

If the guide doesn’t help, I need more data from you to troubleshoot the issue.

I see you have the debug enabled. Could you please share the entire log, both Kibana and Elasticsearch? Attention!!! You have the credentials in the log. Obfuscate the data if you share it here. Also, you can send me the logs privately in the direct message.

Also, share all the configuration files that you updated.

5

Hi @srgbnd ,

I have sent the config details to you via DM.

6

In the private message I see:

ES Logs
No Errors on ES.

Please put the following two lines in the Elasticsearch log4j2.properties file, try to authenticate and post the entire log here on the forum.

logger.token.name = com.floragunn.dlic.auth.http.saml.Token
logger.token.level = debug

Also, I see only five messages in the Kibana log you sent me. You should have a lot more because you have the searchguard.auth.debug: true. Try to authenticate and post the entire Kibana log.

Did you read Read the SAML troubleshooting guide? Are the main settings in order?

P.S.
Obfuscate the sensitive data before posting here. Better post the logs here in the forum to allow others from the community to answer your question.

7

@srgbnd Thanks for your mail.
I tried to enable logs and see no log data for SAML auth, where when I test SAML using IDP initiated I get “SAML Auth Error”. I will scale down the cluster to single node to get appropriate logs, have multiple containers causes confusion.

I need some time to spin up new cluster and to retirve it.

8

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.