SAML- Searchguard SP metadata source

Hi,
I’m trying to set up SAML authentication against our Shibboleth IdP but I can’t see any mention of a source for the Kibana/Searchguard’s Service Provider metadata source.

The only URL I can see mentioned is /searchguard/saml/acs however this still redirects to the IdP.
I’ve added this URL to the server.xsrf.whitelist: [“/searchguard/saml/acs”, “/searchguard/saml/logout”]

How do I obtain the SP’s metadata to set up the trust link?

My kibana.yml and sg_config.yml are listed below (with passwords/keys removed): kibana.yml (5.7 KB), sg_config.yml (11.1 KB)

Search Guard does not provide a SP metadata file as most IdP implementations don’t use these.

If you need such a file, you can create it by yourself. It should be something like this:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     validUntil="2020-08-23T10:16:29Z"
                     cacheDuration="PT604800S"
                     entityID="kibanasaml">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
        <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                     Location="http://yourkibana:5601/searchguard/saml/acs"
                                     index="1" />
    </md:SPSSODescriptor>
</md:EntityDescriptor>

I don’t know much about Shibboleth IdP, but if Shibboleth does not use its own certs for signing its assertion documents, you might also have to specify these.

You can find thorough documentation on metadata files here: https://www.oasis-open.org/committees/download.php/51890/SAML%20MD%20simplified%20overview.pdf

See also: Kibana SAML Advanced Troubleshooting | Security for Elasticsearch | Search Guard
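A small generator and sanity checker for such a stub SP metadata file, added here as an example (it is not part of the reply above or of Search Guard itself). It assumes you supply the SP entity ID from your own sg_config.yml, the externally reachable Kibana base URL, and optionally the base64 body of an SP signing certificate (the `signing_cert_b64` parameter is hypothetical) to publish as a KeyDescriptor, which the reply mentions you may need:

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def build_sp_metadata(entity_id, kibana_base_url, signing_cert_b64=None, valid_days=365):
    """Build the stub SP EntityDescriptor for the Search Guard Kibana plugin.
    entity_id: the SP entity ID configured in sg_config.yml; kibana_base_url: the URL the
    browser reaches Kibana at (ACS = <base>/searchguard/saml/acs); signing_cert_b64: optional
    base64 DER of the SP signing cert (hypothetical parameter), emitted as a KeyDescriptor."""
    valid_until = (datetime.now(timezone.utc) + timedelta(days=valid_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    ed = ET.Element(f"{{{MD}}}EntityDescriptor",
                    {"validUntil": valid_until, "cacheDuration": "PT604800S", "entityID": entity_id})
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": "true" if signing_cert_b64 else "false",
        "WantAssertionsSigned": "true",  # never accept unsigned assertions
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    if signing_cert_b64:  # tell the IdP which key signs our AuthnRequests
        kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": "signing"})
        x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = signing_cert_b64
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": HTTP_POST, "Location": kibana_base_url.rstrip("/") + "/searchguard/saml/acs", "index": "1"})
    return '<?xml version="1.0"?>\n' + ET.tostring(ed, encoding="unicode")

def check_sp_metadata(xml_text, expected_acs):
    """Sanity-check a metadata file before registering it at the IdP; returns a list of problems."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor" or not root.get("entityID"):
        problems.append("missing EntityDescriptor or entityID")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return problems + ["missing SPSSODescriptor"]
    if sp.get("WantAssertionsSigned") != "true":
        problems.append("WantAssertionsSigned is not true: unsigned assertions could be forged")
    acs = [a for a in sp.findall(f"{{{MD}}}AssertionConsumerService") if a.get("Binding") == HTTP_POST]
    if not any(a.get("Location") == expected_acs for a in acs):
        problems.append(f"no HTTP-POST AssertionConsumerService at {expected_acs}")
    if any(a.get("Location", "").startswith("http://") for a in acs):
        problems.append("ACS Location is plain http: the IdP would POST assertions unencrypted")
    if sp.get("AuthnRequestsSigned") == "true" and sp.find(f"{{{MD}}}KeyDescriptor[@use='signing']") is None:
        problems.append("AuthnRequestsSigned is true but no signing KeyDescriptor is published")
    return problems
```

Run `check_sp_metadata` on the output (or on a hand-written file) with the ACS URL the IdP is expected to POST to; an empty list means the file is consistent with the Search Guard ACS endpoint and asks for signed assertions.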

SAML Trust fabrics are based entirely on exchanging metadata (otherwise how else would IdPs/SPs know what endpoints to send assertions to, what keys to trust, how to identify trusted entities etc). Most IdPs and SPs will present an endpoint to download this from in my experience.
Some vendors might try and hide all this from the Administrator though!

Thanks for the pointer re: creating a stub metadata file though, it saves me a fair bit of work. I’ve had to do something similar in the past by consulting https://wiki.shibboleth.net/confluence/display/CONCEPT/MetadataForSP

Also good to know about the SAML debug logging.

Kind regards,
Mark
