SAML Configuration Error

I have been trying to get SAML configured for Search Guard and Kibana, but I just keep running into the error in Kibana that something is wrong with the configuration. No log entries are getting generated at all to help me.

My Elasticsearch config files are located in /etc/elasticsearch and so I put the okta.xml file in /etc/elasticsearch/okta.xml

Enterprise modules are enabled as well.

sg_config.yml file:
authc:
  basic_internal_auth_domain:
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: true
    authentication_backend:
      type: intern
  saml_auth_domain_okta:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: 'saml'
      challenge: true
      config:
        idp:
          metadata_file: okta.xml
          entity_id: http://www.okta.com/hdd
        sp:
          entity_id: kibana-saml
        kibana_url: https://myserver.domain
        roles_key: role
        exchange_key: 'sthaia…'
    authentication_backend:
      type: noop

Kibana Config:
searchguard.auth.type: "saml"
server.xsrf.whitelist: ["/searchguard/saml/acs/idpinitiated", "/searchguard/saml/acs", "/searchguard/saml/logout"]

Figured I should update to the latest minor point upgrade, which I just did, so I am now running ELK 6.82 with the plugin versions 25.4 and 18.5.

Could this by any chance be an issue with permissions on the okta.xml file that it needs to read?

If there is a permission error while reading the okta.xml file, this should result in an entry in the ES logs.

What is the exact error message that you are seeing?

Also, can you try to set the log level for SG to debug, reproduce the error, and post the logfile here?
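
A pre-flight check for the two points raised so far (whether okta.xml can be read, and whether it matches the configured `idp.entity_id`), as an added example that is not part of any post in this thread and is not Search Guard code. It assumes `metadata_file` is resolved relative to the Elasticsearch config directory; `check_idp_metadata` is a hypothetical helper name and `SAMPLE_METADATA` is constructed test input.

```python
import os
import sys
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample metadata (placeholder entityID and certificate), for testing only.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="http://www.okta.com/EXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(config_dir, metadata_file, expected_entity_id):
    """Return a list of problems; an empty list means every check passed."""
    # Assumption: metadata_file is relative to the Elasticsearch config directory.
    path = os.path.join(config_dir, metadata_file)
    if not os.path.isfile(path):
        return [f"{path}: file not found"]
    # os.access tests the current user, so run this as the elasticsearch user.
    if not os.access(path, os.R_OK):
        return [f"{path}: not readable by uid {os.getuid()}"]
    try:
        root = ET.parse(path).getroot()  # local, admin-supplied file only
    except ET.ParseError as exc:
        return [f"{path}: not well-formed XML ({exc})"]
    # Metadata may be one EntityDescriptor or an EntitiesDescriptor wrapper.
    entities = {e.get("entityID"): e for e in root.iter(f"{MD}EntityDescriptor")}
    entity = entities.get(expected_entity_id)
    if entity is None:
        return [f"idp.entity_id {expected_entity_id!r} not in metadata "
                f"(found {sorted(entities)})"]
    idp = entity.find(f"{MD}IDPSSODescriptor")
    if idp is None:
        return [f"{expected_entity_id}: no IDPSSODescriptor element"]
    if idp.find(f".//{DS}X509Certificate") is None:
        return [f"{expected_entity_id}: no X509Certificate to verify signatures"]
    return []


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: check_idp.py CONFIG_DIR METADATA_FILE IDP_ENTITY_ID")
    issues = check_idp_metadata(*sys.argv[1:4])
    print("\n".join(issues) or "metadata checks passed")
    sys.exit(1 if issues else 0)
```
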

This is the error that I see:
image

Here is the log file; I can’t find anything in there that looks to be a cause:

[2019-08-27T09:49:19,207][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] ### evaluate permissions for User [name=logstash, roles=[logstash], requestedTenant=null] on ElkServer
[2019-08-27T09:49:19,207][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] action: indices:data/write/bulk[s] (BulkShardRequest)
[2019-08-27T09:49:19,207][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolve aliases, indices and types from BulkShardRequest
[2019-08-27T09:49:19,207][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolved pattern [windows-2019.08.27] to [windows-2019.08.27]
[2019-08-27T09:49:19,207][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requestedResolved : Resolved [aliases=, indices=[windows-2019.08.27], allIndices=[windows-2019.08.27], types=[doc], originalRequested=[windows-2019.08.27], remoteIndices=]
[2019-08-27T09:49:19,207][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Additional permissions required: [indices:data/write/index, indices:data/write/bulk[s]]
[2019-08-27T09:49:19,207][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requested [indices:data/write/index, indices:data/write/bulk[s]] from 10.10.10.10:59360
[2019-08-27T09:49:19,207][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requested resolved indextypes: Resolved [aliases=, indices=[windows-2019.08.27], allIndices=[windows-2019.08.27], types=[doc], originalRequested=[windows-2019.08.27], remoteIndices=]
[2019-08-27T09:49:19,207][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] sgr: sg_own_index
[2019-08-27T09:49:19,207][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] [ElkServer] raw requestedTenant: ‘null’
[2019-08-27T09:49:19,207][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Result from privileges interceptor: null
[2019-08-27T09:49:19,207][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Allowed because we have all indices permissions for indices:data/write/bulk[s]
[2019-08-27T09:49:19,207][DEBUG][c.f.s.f.SearchGuardFilter] [ElkServer] PrivEvalResponse [allowed=true, missingPrivileges=[indices:data/write/index, indices:data/write/bulk[s]], allowedFlsFields=null, maskedFields=null, queries=null]
[2019-08-27T09:49:19,207][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] ### evaluate permissions for User [name=logstash, roles=[logstash], requestedTenant=null] on ElkServer
[2019-08-27T09:49:19,207][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolved pattern [windows-2019.08.27] to [windows-2019.08.27]
[2019-08-27T09:49:19,207][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Result from privileges interceptor: null
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requestedResolved : Resolved [aliases=, indices=[windows-2019.08.27], allIndices=[windows-2019.08.27], types=[doc], originalRequested=[windows-2019.08.27], remoteIndices=]
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Additional permissions required: [indices:data/write/index, indices:data/write/bulk[s]]
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requested [indices:data/write/index, indices:data/write/bulk[s]] from 10.10.10.10:59362
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requested resolved indextypes: Resolved [aliases=, indices=[windows-2019.08.27], allIndices=[windows-2019.08.27], types=[doc], originalRequested=[windows-2019.08.27], remoteIndices=]
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] sgr: sg_own_index
[2019-08-27T09:49:19,208][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] [ElkServer] raw requestedTenant: ‘null’
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Result from privileges interceptor: null
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Allowed because we have all indices permissions for indices:data/write/bulk[s]
[2019-08-27T09:49:19,208][DEBUG][c.f.s.f.SearchGuardFilter] [ElkServer] PrivEvalResponse [allowed=true, missingPrivileges=[indices:data/write/index, indices:data/write/bulk[s]], allowedFlsFields=null, maskedFields=null, queries=null]
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Allowed because we have all indices permissions for indices:data/write/bulk[s]
[2019-08-27T09:49:19,208][DEBUG][c.f.s.f.SearchGuardFilter] [ElkServer] PrivEvalResponse [allowed=true, missingPrivileges=[indices:data/write/index, indices:data/write/bulk[s]], allowedFlsFields=null, maskedFields=null, queries=null]
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] action: indices:data/write/bulk (BulkRequest)
[2019-08-27T09:49:19,208][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolve aliases, indices and types from BulkRequest
[2019-08-27T09:49:19,208][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolved pattern [windows-2019.08.27] to [windows-2019.08.27]
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requestedResolved : Resolved [aliases=, indices=[windows-2019.08.27], allIndices=[windows-2019.08.27], types=[doc], originalRequested=[windows-2019.08.27], remoteIndices=]
[2019-08-27T09:49:19,208][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] [ElkServer] raw requestedTenant: ‘null’
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Result from privileges interceptor for cluster perm: null
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Allowed because we have cluster permissions for indices:data/write/bulk
[2019-08-27T09:49:19,208][DEBUG][c.f.s.f.SearchGuardFilter] [ElkServer] PrivEvalResponse [allowed=true, missingPrivileges=, allowedFlsFields=null, maskedFields=null, queries=null]
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] ### evaluate permissions for User [name=logstash, roles=[logstash], requestedTenant=null] on ElkServer
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] action: indices:data/write/bulk[s] (BulkShardRequest)
[2019-08-27T09:49:19,208][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolve aliases, indices and types from BulkShardRequest
[2019-08-27T09:49:19,208][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolved pattern [windows-2019.08.27] to [windows-2019.08.27]
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requestedResolved : Resolved [aliases=, indices=[windows-2019.08.27], allIndices=[windows-2019.08.27], types=[doc], originalRequested=[windows-2019.08.27], remoteIndices=]
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Additional permissions required: [indices:data/write/index, indices:data/write/bulk[s]]
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requested [indices:data/write/index, indices:data/write/bulk[s]] from 10.10.10.10:59354
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requested resolved indextypes: Resolved [aliases=, indices=[windows-2019.08.27], allIndices=[windows-2019.08.27], types=[doc], originalRequested=[windows-2019.08.27], remoteIndices=]
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] sgr: sg_own_index
[2019-08-27T09:49:19,208][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] [ElkServer] raw requestedTenant: ‘null’
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Result from privileges interceptor: null
[2019-08-27T09:49:19,208][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Allowed because we have all indices permissions for indices:data/write/bulk[s]
[2019-08-27T09:49:19,208][DEBUG][c.f.s.f.SearchGuardFilter] [ElkServer] PrivEvalResponse [allowed=true, missingPrivileges=[indices:data/write/index, indices:data/write/bulk[s]], allowedFlsFields=null, maskedFields=null, queries=null]
[2019-08-27T09:49:19,210][DEBUG][c.f.s.a.BackendRegistry ] [ElkServer] User ‘User [name=logstash, roles=[logstash], requestedTenant=null]’ is authenticated
[2019-08-27T09:49:19,210][DEBUG][c.f.s.a.BackendRegistry ] [ElkServer] sgtenant ‘null’
[2019-08-27T09:49:19,210][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] ### evaluate permissions for User [name=logstash, roles=[logstash], requestedTenant=null] on ElkServer
[2019-08-27T09:49:19,210][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] action: indices:data/write/bulk (BulkRequest)
[2019-08-27T09:49:19,210][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolve aliases, indices and types from BulkRequest
[2019-08-27T09:49:19,210][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolved pattern [windows-2019.08.27] to [windows-2019.08.27]
[2019-08-27T09:49:19,210][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolved pattern [windows-2019.08.27] to [windows-2019.08.27]
[2019-08-27T09:49:19,210][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolved pattern [windows-2019.08.27] to [windows-2019.08.27]
[2019-08-27T09:49:19,210][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requestedResolved : Resolved [aliases=, indices=[windows-2019.08.27], allIndices=[windows-2019.08.27], types=[doc], originalRequested=[windows-2019.08.27], remoteIndices=]
[2019-08-27T09:49:19,210][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] [ElkServer] raw requestedTenant: ‘null’
[2019-08-27T09:49:19,210][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Result from privileges interceptor for cluster perm: null
[2019-08-27T09:49:19,210][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Allowed because we have cluster permissions for indices:data/write/bulk
[2019-08-27T09:49:19,210][DEBUG][c.f.s.f.SearchGuardFilter] [ElkServer] PrivEvalResponse [allowed=true, missingPrivileges=, allowedFlsFields=null, maskedFields=null, queries=null]
[2019-08-27T09:49:19,210][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] ### evaluate permissions for User [name=logstash, roles=[logstash], requestedTenant=null] on ElkServer
[2019-08-27T09:49:19,210][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] action: indices:data/write/bulk[s] (BulkShardRequest)
[2019-08-27T09:49:19,210][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolve aliases, indices and types from BulkShardRequest
[2019-08-27T09:49:19,210][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolved pattern [windows-2019.08.27] to [windows-2019.08.27]
[2019-08-27T09:49:19,210][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requestedResolved : Resolved [aliases=, indices=[windows-2019.08.27], allIndices=[windows-2019.08.27], types=[doc], originalRequested=[windows-2019.08.27], remoteIndices=]
[2019-08-27T09:49:19,210][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Additional permissions required: [indices:data/write/index, indices:data/write/bulk[s]]
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requested [indices:data/write/index, indices:data/write/bulk[s]] from 10.10.10.10:59366
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requested resolved indextypes: Resolved [aliases=, indices=[windows-2019.08.27], allIndices=[windows-2019.08.27], types=[doc], originalRequested=[windows-2019.08.27], remoteIndices=]
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] sgr: sg_own_index
[2019-08-27T09:49:19,211][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] [ElkServer] raw requestedTenant: ‘null’
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Result from privileges interceptor: null
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Allowed because we have all indices permissions for indices:data/write/bulk[s]
[2019-08-27T09:49:19,211][DEBUG][c.f.s.f.SearchGuardFilter] [ElkServer] PrivEvalResponse [allowed=true, missingPrivileges=[indices:data/write/index, indices:data/write/bulk[s]], allowedFlsFields=null, maskedFields=null, queries=null]
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] ### evaluate permissions for User [name=logstash, roles=[logstash], requestedTenant=null] on ElkServer
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] action: indices:data/write/bulk[s] (BulkShardRequest)
[2019-08-27T09:49:19,211][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolve aliases, indices and types from BulkShardRequest
[2019-08-27T09:49:19,211][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolved pattern [windows-2019.08.27] to [windows-2019.08.27]
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requestedResolved : Resolved [aliases=, indices=[windows-2019.08.27], allIndices=[windows-2019.08.27], types=[doc], originalRequested=[windows-2019.08.27], remoteIndices=]
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Additional permissions required: [indices:data/write/index, indices:data/write/bulk[s]]
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requested [indices:data/write/index, indices:data/write/bulk[s]] from 10.10.10.10:59366
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requested resolved indextypes: Resolved [aliases=, indices=[windows-2019.08.27], allIndices=[windows-2019.08.27], types=[doc], originalRequested=[windows-2019.08.27], remoteIndices=]
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] sgr: sg_own_index
[2019-08-27T09:49:19,211][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] [ElkServer] raw requestedTenant: ‘null’
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Result from privileges interceptor: null
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Allowed because we have all indices permissions for indices:data/write/bulk[s]
[2019-08-27T09:49:19,211][DEBUG][c.f.s.f.SearchGuardFilter] [ElkServer] PrivEvalResponse [allowed=true, missingPrivileges=[indices:data/write/index, indices:data/write/bulk[s]], allowedFlsFields=null, maskedFields=null, queries=null]
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] ### evaluate permissions for User [name=logstash, roles=[logstash], requestedTenant=null] on ElkServer
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] action: indices:data/write/bulk[s] (BulkShardRequest)
[2019-08-27T09:49:19,211][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolve aliases, indices and types from BulkShardRequest
[2019-08-27T09:49:19,211][DEBUG][c.f.s.r.IndexResolverReplacer] [ElkServer] Resolved pattern [windows-2019.08.27] to [windows-2019.08.27]
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requestedResolved : Resolved [aliases=, indices=[windows-2019.08.27], allIndices=[windows-2019.08.27], types=[doc], originalRequested=[windows-2019.08.27], remoteIndices=]
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Additional permissions required: [indices:data/write/index, indices:data/write/bulk[s]]
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requested [indices:data/write/index, indices:data/write/bulk[s]] from 10.10.10.10:59366
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] requested resolved indextypes: Resolved [aliases=, indices=[windows-2019.08.27], allIndices=[windows-2019.08.27], types=[doc], originalRequested=[windows-2019.08.27], remoteIndices=]
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] sgr: sg_own_index
[2019-08-27T09:49:19,211][DEBUG][c.f.s.c.PrivilegesInterceptorImpl] [ElkServer] raw requestedTenant: ‘null’
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Result from privileges interceptor: null
[2019-08-27T09:49:19,211][DEBUG][c.f.s.p.PrivilegesEvaluator] [ElkServer] Allowed because we have all indices permissions for indices:data/write/bulk[s]
[
