Hi,
I’ve enabled a Search Guard license and am seeing the following in the Elasticsearch logs.
org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer
WARNING: Compact JWS does not have 3 parts
What could be causing that error? I’m trying to enable SAML logins to Elasticsearch. I’m receiving an error from Google:
“400. That’s an error. Invalid Request, invalid idpId in request URL, check if SSO URL is configured properly on SP side. That’s all we know.”
Is there anything that looks off to you that could potentially be a problem with my configuration?
acs returns as a 302 and yields the following data from SAMLResponse (translated from base64-encoded XML using https://www.base64decode.org/):
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://kibana.galileo.io:443/searchguard/saml/acs" ID="_######" IssueInstant="2018-09-27T19:49:51.959Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://accounts.google.com/o/saml2?idpid=#####</saml2:Issuer>
  <saml2p:Status>
    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </saml2p:Status>
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_#####" IssueInstant="2018-09-27T19:49:51.959Z" Version="2.0">
    <saml2:Issuer>https://accounts.google.com/o/saml2?idpid=#####</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="xmldsig-more namespace"/>
        <ds:Reference URI="#_#####">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="XML Encryption Syntax and Processing"/>
          <ds:DigestValue>#####</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>#####</ds:SignatureValue>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509SubjectName>ST=California,C=US,OU=Google For Work,CN=Google,L=Mountain View,O=Google Inc.</ds:X509SubjectName>
          <ds:X509Certificate>######</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">####@galileo.io</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2018-09-27T19:54:51.959Z" Recipient="https://kibana.galileo.io:443/searchguard/saml/acs"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-09-27T19:44:51.959Z" NotOnOrAfter="2018-09-27T19:54:51.959Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>https://kibana.galileo.io:443/searchguard/saml/acs</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="role">
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">readall</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">kibanauser</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
    <saml2:AuthnStatement AuthnInstant="2018-09-27T19:11:25.000Z" SessionIndex="_#####">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>
Thanks,
Dan
When asking questions, please provide the following information:
- Search Guard and Elasticsearch version: 6.4.1
[2018-09-27T18:57:11,174][INFO ][c.f.s.c.IndexBaseConfigurationRepository] Search Guard License Type: FULL, valid
- Installed and used enterprise modules, if any:
[2018-09-27T18:57:00,041][INFO ][c.f.s.SearchGuardPlugin ] 4 Search Guard modules loaded so far: [Module [type=REST_MANAGEMENT_API, implementing class=com.floragunn.searchguard.dlic.rest.api.SearchGuardRestApiActions], Module [type=AUDITLOG, implementing class=com.floragunn.searchguard.auditlog.impl.AuditLogImpl], Module [type=MULTITENANCY, implementing class=com.floragunn.searchguard.configuration.PrivilegesInterceptorImpl], Module [type=DLSFLS, implementing class=com.floragunn.searchguard.configuration.SearchGuardFlsDlsIndexSearcherWrapper]]
- JVM version and operating system version
$ java -version
openjdk version "1.8.0_181"
OpenJDK Runtime Environment (build 1.8.0_181-b13)
OpenJDK 64-Bit Server VM (build 25.181-b13, mixed mode)
$ cat /etc/*elease
CentOS Linux release 7.5.1804 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
CentOS Linux release 7.5.1804 (Core)
CentOS Linux release 7.5.1804 (Core)
- Search Guard configuration files
elasticsearch.yml
searchguard.enterprise_modules_enabled: true
searchguard.compliance.history.internal_config_enabled: true
searchguard.compliance.history.external_config_enabled: true
searchguard.compliance.history.read.metadata_only: true
sg_config.yml
authc:
  basic_internal_auth_domain:
    enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: intern
  saml_auth_domain_google:
    http_enabled: true
    transport_enabled: true
    order: 1
    http_authenticator:
      type: 'saml'
      challenge: true
      config:
        idp:
          metadata_file: GoogleIDPMetadata-galileo.io.xml
          entity_id: https://accounts.google.com/o/saml2?idpid=###########
        sp:
          entity_id: SP_ENTITY_ID
        kibana_url: KIBANA_URL
        roles_key: role
        exchange_key: 'SAML_EXCHANGE_KEY'
    authentication_backend:
      type: noop
- Elasticsearch log messages on debug level
- Other installed Elasticsearch or Kibana plugins, if any
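The fields a service provider checks before it accepts a response like the one above (Destination, Recipient, Audience, Issuer, the validity window, the presence of a signature on the assertion, and the role attribute named by roles_key) can be verified offline with a few lines of Python. The following is an added example, not part of Dan's post and not Search Guard's own validation code; it does not verify the XML signature cryptographically, only confirms one is present. Hostnames, ids and the placeholder certificate are constructed, and the function name check_response is an assumption of this example. It is also useful for seeing what happens when sp.entity_id is left at a placeholder value, because the Audience in the assertion is compared against exactly that setting:

```python
"""Sanity-check the fields of a SAML 2.0 Response that a service provider
validates before accepting a login.  Added example; not Search Guard code.
Signature presence is checked, but not verified cryptographically."""
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed values for this example; hostnames, ids, the signature value and
# the certificate are placeholders, not values from any real deployment.
ACS_URL = "https://kibana.example.test:443/searchguard/saml/acs"
IDP_ENTITY_ID = "https://accounts.google.com/o/saml2?idpid=PLACEHOLDER"
REFERENCE_TIME = datetime(2018, 9, 27, 19, 50, 0)   # inside the validity window
LATE_TIME = datetime(2018, 9, 27, 20, 0, 0)         # after NotOnOrAfter

# Constructed response modelled on the shape of the one in the post.
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response xmlns:saml2p="{NS['samlp']}" Destination="{ACS_URL}"
                 ID="_resp1" IssueInstant="2018-09-27T19:49:51.959Z" Version="2.0">
  <saml2:Issuer xmlns:saml2="{NS['saml']}">{IDP_ENTITY_ID}</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion xmlns:saml2="{NS['saml']}" ID="_a1" IssueInstant="2018-09-27T19:49:51.959Z" Version="2.0">
    <saml2:Issuer>{IDP_ENTITY_ID}</saml2:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user@example.test</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2018-09-27T19:54:51.959Z" Recipient="{ACS_URL}"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2018-09-27T19:44:51.959Z" NotOnOrAfter="2018-09-27T19:54:51.959Z">
      <saml2:AudienceRestriction><saml2:Audience>{ACS_URL}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="role">
        <saml2:AttributeValue>readall</saml2:AttributeValue>
        <saml2:AttributeValue>kibanauser</saml2:AttributeValue>
      </saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def _ts(value):
    """Parse the UTC timestamps IdPs emit, e.g. 2018-09-27T19:49:51.959Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def check_response(xml_text, acs_url, sp_entity_id, idp_entity_id, now, roles_key="role"):
    """Return (findings, identity).  An empty findings list means every check
    passed; identity holds the NameID and role values an SP would map to a user."""
    root = ET.fromstring(xml_text)
    findings = []

    if root.get("Destination") != acs_url:
        findings.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        findings.append("StatusCode is not Success")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("Response carries no Assertion")
        return findings, None

    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_entity_id:
        findings.append(f"Assertion Issuer {issuer!r} does not match the configured IdP entity id")
    if assertion.find("ds:Signature", NS) is None:
        findings.append("Assertion is not signed")

    # Bearer confirmation: the assertion must be addressed to our ACS and still be fresh.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append("SubjectConfirmationData Recipient is not the ACS URL")
    if scd is not None and scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        findings.append("SubjectConfirmationData has expired")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
        if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
            findings.append("current time is outside the Conditions validity window")
    # The Audience is compared with the SP entity id from the configuration, not the ACS URL.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append(f"Audience {audiences} does not include the configured SP entity id {sp_entity_id!r}")

    identity = {
        "name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "roles": [v.text for v in assertion.findall(
            f"saml:AttributeStatement/saml:Attribute[@Name='{roles_key}']/saml:AttributeValue", NS)],
    }
    return findings, identity


if __name__ == "__main__":
    for sp_id in (ACS_URL, "SP_ENTITY_ID"):
        findings, ident = check_response(SAMPLE_RESPONSE, ACS_URL, sp_id, IDP_ENTITY_ID, REFERENCE_TIME)
        print(f"sp.entity_id={sp_id!r}: {findings or 'OK'} -> {ident}")
```

Run with the SP entity id equal to the ACS URL and every check passes, returning the NameID and the two role values; run with the placeholder SP_ENTITY_ID and the only finding is the Audience mismatch, which is the check a misconfigured sp.entity_id trips in practice.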