SAML config error

Hi Team

I have an issue when setting up SAML login for Kibana. My Kibana is behind a Traefik proxy and I am getting "Internal server error", whereas basic auth works fine for me.

sg_config:

      authc:
        basic_internal_auth_domain:
          description: "Authenticate via HTTP Basic against internal users database"
          http_enabled: true
          transport_enabled: true
          order: 1
          http_authenticator:
            type: basic
            challenge: true
          authentication_backend:
            type: intern
        saml_auth_idp:
          description: "SAML Auth"
          http_enabled: true
          order: 0
          http_authenticator:
            type: 'saml'
            challenge: true
            config:
              idp:
                metadata_url: "<\metadata_url>"
                entity_id: "<\idp_entity_id>"
              sp:
                entity_id: "https://<\service_fqdn>/saml"
              kibana_url: "https://<\service_fqdn>"
              subject_key: "email"
              roles_key: "Roles"
              exchange_key: "key"
          authentication_backend:
            type: noop
      authz:

kibana.yml

searchguard.multitenancy.enabled: true

### SAML Auth
searchguard.auth.type: "saml"
searchguard.auth.debug: true
searchguard.cookie.secure: true
searchguard.cookie.isSameSite: None
server.xsrf.whitelist: ["/searchguard/saml/acs", "/searchguard/saml/logout"]

Error- on browser

500 Internal server error

https://service_fqdn/auth/saml/login?nextUrl=%2F

Error - on kibana server

{"type":"log","@timestamp":"2021-03-30T16:59:51Z","tags":["error","http"],"pid":7,"message":"Error: expected 'location' header to be set\n at HapiResponseAdapter.toRedirect (/usr/share/kibana/src/core/server/http/router/response_adapter.js:112:13)\n at HapiResponseAdapter.toHapiResponse (/usr/share/kibana/src/core/server/http/router/response_adapter.js:94:19)\n at HapiResponseAdapter.handle (/usr/share/kibana/src/core/server/http/router/response_adapter.js:81:17)\n at Router.handle (/usr/share/kibana/src/core/server/http/router/router.js:164:34)\n at process._tickCallback (internal/process/next_tick.js:68:7)"}

{"type":"error","@timestamp":"2021-03-30T16:59:51Z","tags":[],"pid":7,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toInternalError (/usr/share/kibana/src/core/server/http/router/response_adapter.js:69:19)\n at Router.handle (/usr/share/kibana/src/core/server/http/router/router.js:177:34)\n at process._tickCallback (internal/process/next_tick.js:68:7)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":"?nextUrl=%2F","query":{"nextUrl":"/"},"pathname":"/auth/saml/login","path":"/auth/saml/login?nextUrl=%2F","href":"/auth/saml/login?nextUrl=%2F"},"message":"Internal Server Error"}

Hi. What SG version is it?

I see a couple of problems:

  1. The basic_internal_auth_domain must always have order=0. In sg_config, make basic_internal_auth_domain order=0 and saml_auth_idp order=1.

  2. You need to whitelist some headers to make multitenancy work.

kibana.yml

elasticsearch.requestHeadersWhitelist: ["sgtenant", "authorization", "X-Forwarded-For", "x-proxy-user", "x-proxy-roles", "urltoken"]
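The two points in this reply (authc domain ordering in sg_config, and the header whitelist in kibana.yml) can be checked mechanically before restarting anything. The script below is an added example, not part of this thread or of Search Guard; it assumes the YAML files have already been loaded into Python mappings (for instance with yaml.safe_load), and the sample configs embedded in it are constructed from the poster's snippets above.

```python
# Sanity checks for the settings raised in the reply: authc domain order in
# sg_config and elasticsearch.requestHeadersWhitelist in kibana.yml.
# Inputs are the parsed YAML mappings (e.g. the result of yaml.safe_load).

# Headers the reply lists as needed for multitenancy behind a proxy.
REQUIRED_HEADERS = ["sgtenant", "authorization", "X-Forwarded-For",
                    "x-proxy-user", "x-proxy-roles", "urltoken"]


def check_authc_order(sg_config):
    """Return a list of problems with the authc domain ordering."""
    problems = []
    authc = sg_config.get("authc", {})
    basic = authc.get("basic_internal_auth_domain")
    if basic is None:
        problems.append("basic_internal_auth_domain is missing")
    elif basic.get("order") != 0:
        problems.append("basic_internal_auth_domain must have order 0, found %r"
                        % basic.get("order"))
    for name, domain in authc.items():
        if name != "basic_internal_auth_domain" and domain.get("order") == 0:
            problems.append("%s has order 0; only basic_internal_auth_domain may" % name)
    # Each domain needs a distinct order so the evaluation sequence is unambiguous.
    orders = [d.get("order") for d in authc.values()]
    if len(orders) != len(set(orders)):
        problems.append("duplicate order values in authc")
    return problems


def check_header_whitelist(kibana_yml):
    """Return the required headers missing from the whitelist (HTTP header names
    are case-insensitive, so compare in lower case)."""
    present = {h.lower() for h in kibana_yml.get("elasticsearch.requestHeadersWhitelist", [])}
    return [h for h in REQUIRED_HEADERS if h.lower() not in present]


# Constructed samples: the poster's original layout and the corrected one.
ORIGINAL_SG_CONFIG = {"authc": {
    "basic_internal_auth_domain": {"order": 1, "http_authenticator": {"type": "basic"}},
    "saml_auth_idp": {"order": 0, "http_authenticator": {"type": "saml"}}}}
CORRECTED_SG_CONFIG = {"authc": {
    "basic_internal_auth_domain": {"order": 0, "http_authenticator": {"type": "basic"}},
    "saml_auth_idp": {"order": 1, "http_authenticator": {"type": "saml"}}}}
ORIGINAL_KIBANA = {"searchguard.auth.type": "saml", "searchguard.multitenancy.enabled": True}
CORRECTED_KIBANA = dict(ORIGINAL_KIBANA,
                        **{"elasticsearch.requestHeadersWhitelist": list(REQUIRED_HEADERS)})

if __name__ == "__main__":
    for label, sg, kb in (("original", ORIGINAL_SG_CONFIG, ORIGINAL_KIBANA),
                          ("corrected", CORRECTED_SG_CONFIG, CORRECTED_KIBANA)):
        print(label, check_authc_order(sg), check_header_whitelist(kb))
```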

Thanks for your response @srgbnd,

I made the changes to sg_config and kibana.yml; the issue still persists.

{"type":"error","@timestamp":"2021-03-31T11:30:01Z","tags":[],"pid":8,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n at HapiResponseAdapter.toInternalError (/usr/share/kibana/src/core/server/http/router/response_adapter.js:69:19)\n at Router.handle (/usr/share/kibana/src/core/server/http/router/router.js:177:34)\n at process._tickCallback (internal/process/next_tick.js:68:7)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":"?nextUrl=%2F","query":{"nextUrl":"/"},"pathname":"/auth/saml/login","path":"/auth/saml/login?nextUrl=%2F","href":"/auth/saml/login?nextUrl=%2F"},"message":"Internal Server Error"}

ES version: 7.10.2
Kibana version: 7.10.2
SG Kibana : 49.1.0

Read the SAML troubleshooting guide and check whether you have the main settings in order.

If the guide doesn’t help, I need more data from you to troubleshoot the issue.

I see you have the debug enabled. Could you please share the entire log, both Kibana and Elasticsearch? Attention!!! You have the credentials in the log. Obfuscate the data if you share it here. Also, you can send me the logs privately in a direct message.

Also, share all the configuration files that you updated.

Hi @srgbnd,

I have sent the config details to you via DM.