Unable to achieve SAML Single Sign-on

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

6.4.3

  • Installed and used enterprise modules, if any

No

  • JVM version and operating system version

  • Search Guard configuration files

sg_config.yml

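# NOTE(review): the paste lost its indentation; it is restored below to the
# layout the file's own second half (proxy_auth_domain onwards) still had.
# The first pasted line fused a kibana.yml setting onto "dynamic:" —
# "server.ssl.key: /home/ubuntu/ELK_6_4_Stack/kibana-6.4.3-linux-x86_64/config/kibana.key.pem" —
# which does not belong in sg_config.yml and would turn "dynamic:" into the
# tail of a string instead of a key, so it is left out here. The forum's
# markdown also ate "*" / "**" characters and turned straight quotes into
# typographic ones; those are repaired where they occur.
dynamic:
  # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
  # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
  # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
  #filtered_alias_mode: warn
  #kibana:
    # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
    # see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
    # To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
    #multitenancy_enabled: true
    #server_username: kibanaserver
    #index: '.kibana'
    #do_not_fail_on_forbidden: false
  http:
    anonymous_auth_enabled: false
    xff:
      # Disabled: X-Forwarded-For is ignored and the client address is the TCP
      # peer. Enable only behind a proxy that overwrites the header itself, and
      # keep internalProxies limited to that proxy's addresses.
      enabled: false
      internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
      #internalProxies: '.*' # trust all internal proxies, regex pattern
      remoteIpHeader: 'x-forwarded-for'
      proxiesHeader: 'x-forwarded-by'
      #trustedProxies: '.*' # trust all external proxies, regex pattern
      ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
      ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
      ###### and here https://tools.ietf.org/html/rfc7239
      ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
  authc:
    kerberos_auth_domain:
      http_enabled: false
      transport_enabled: false
      order: 6
      http_authenticator:
        type: kerberos # NOT FREE FOR COMMERCIAL USE
        challenge: true
        config:
          # If true a lot of kerberos/security related debugging output will be logged to standard out
          krb_debug: false
          # If true then the realm will be stripped from the user name
          strip_realm_from_principal: true
      authentication_backend:
        type: noop
    basic_internal_auth_domain:
      # NOTE(review): the other domains use http_enabled/transport_enabled;
      # confirm this version honours a bare "enabled" key at all.
      enabled: true
      http_enabled: true
      transport_enabled: true
      order: 0
      http_authenticator:
        type: basic
        # NOTE(review): with challenge: true this authenticator answers an
        # unauthenticated browser request with a 401/WWW-Authenticate before
        # the SAML domain (order 1) gets to redirect to the IdP. The Search
        # Guard SAML guide the post links sets this to false for that reason —
        # worth checking against the guide.
        challenge: true
      authentication_backend:
        type: intern
    # The paste showed "saml**:" — markdown bold markers, not part of the name.
    saml:
      # NOTE(review): same "enabled" vs http_enabled/transport_enabled question
      # as above; the guide uses http_enabled: true, transport_enabled: false.
      enabled: true
      order: 1
      http_authenticator:
        type: saml
        challenge: true
        config:
          idp:
            # NOTE(review): "…/…/" is not a valid relative path — either a
            # redaction or "../../" mangled by the forum. The guide gives the
            # path relative to the Elasticsearch config directory, so a file
            # placed there is referenced by bare filename.
            metadata_file: …/…/ELK_6_4_Stack/elasticsearch-6.4.3/config/okta.xml
            # Runs of "$" are the poster's redactions.
            entity_id: http://www.okta.com/$$$$$$$$$
          sp:
            # NOTE(review): this must equal, character for character, the
            # Audience URI configured on the Okta application; a mismatch
            # surfaces as a SAML configuration error. The redacted value also
            # has the port before the domain suffix, which looks like a paste
            # artefact rather than the real URL — verify the real one.
            entity_id: https://kibana.:5601$$$$$$.info/searchguard/saml/acs
          # NOTE(review): the paste does not show whether the next three keys
          # sat under sp or at this level; the guide places them here, as
          # siblings of idp and sp.
          kibana_url: https://kibana.:5601$$$$$$.info/
          roles_key: Role
          # SECURITY: this value is the base64 of {"alg":"HS256","typ":"JWT"} —
          # a JWT header copied from somewhere, not a secret — and it is now
          # public in this post. Per the guide the exchange key signs the token
          # Search Guard hands to Kibana after the SAML login, so replace it
          # with a long random value that is neither committed nor posted.
          exchange_key: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9'
      authentication_backend:
        # The paste showed "type:** ** noop**" — bold markers again.
        type: noop

    proxy_auth_domain:
      http_enabled: false
      transport_enabled: false
      order: 3
      http_authenticator:
        type: proxy
        challenge: false
        config:
          # Disabled. If it is ever enabled, these headers are trusted as the
          # user's identity, so the xff section above must then be enabled and
          # restricted to the proxy that strips them from client requests.
          user_header: "x-proxy-user"
          roles_header: "x-proxy-roles"
      authentication_backend:
        type: noop
    # The paste had this key indented one space less than its siblings, which
    # would make it a sibling of authc rather than an auth domain; aligned here.
    jwt_auth_domain:
      http_enabled: false
      transport_enabled: false
      order: 4
      http_authenticator:
        type: jwt
        challenge: false
        config:
          # Placeholder text from the default file; the domain is disabled.
          signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
          jwt_header: "Authorization"
          jwt_url_parameter: null
          roles_key: null
          subject_key: null
      authentication_backend:
        type: noop
    clientcert_auth_domain:
      http_enabled: false
      transport_enabled: false
      order: 2
      http_authenticator:
        type: clientcert
        config:
          username_attribute: cn #optional, if omitted DN becomes username
        challenge: false
      authentication_backend:
        type: noop
    ldap:
      http_enabled: false
      transport_enabled: false
      order: 5
      http_authenticator:
        type: basic
        challenge: false
      authentication_backend:
        # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
        type: ldap # NOT FREE FOR COMMERCIAL USE
        config:
          # enable ldaps
          # Disabled domain. If it is enabled, turn on enable_ssl or
          # enable_start_tls so bind credentials do not cross the wire in clear.
          enable_ssl: false
          # enable start tls, enable_ssl should be false
          enable_start_tls: false
          # send client certificate
          enable_ssl_client_auth: false
          # verify ldap hostname
          verify_hostnames: true
          hosts:
            - localhost:8389
          bind_dn: null
          password: null
          userbase: 'ou=people,dc=example,dc=com'
          # Filter to search for users (currently in the whole subtree beneath userbase)
          # {0} is substituted with the username
          usersearch: '(sAMAccountName={0})'
          # Use this attribute from the user as username (if not set then DN is used)
          username_attribute: null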

``

elasticsearch.yml:

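# NOTE(review): the paste fused the next two settings onto one line
# ("...: truesearchguard.ssl..."); split back into the two keys they are.
# The post also says no enterprise modules are used, yet SAML is an
# enterprise module and this flag is what enables it — confirm the
# module/licensing state matches what is actually loaded.
searchguard.enterprise_modules_enabled: true
searchguard.ssl.transport.pemcert_filepath: CN=emailnow.info.crtfull.pem
searchguard.ssl.transport.pemkey_filepath: CN=emailnow.info.key.pem
# SECURITY: this private-key passphrase has been published with this post;
# treat the key as compromised and re-issue the node certificate.
searchguard.ssl.transport.pemkey_password: c8fd4fe5e9a3cfb7567b
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
# Hostname verification is off for inter-node TLS: any certificate chaining to
# chain-ca.pem is accepted regardless of which host presents it.
searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true
searchguard.compliance.history.internal_config_enabled: true
searchguard.compliance.history.external_config_enabled: true
searchguard.compliance.history.read.metadata_only: true

searchguard.ssl.http.pemcert_filepath: CN=emailnow.info.crtfull.pem
searchguard.ssl.http.pemkey_filepath: CN=emailnow.info.key.pem
# Same passphrase as the transport key above; same rotation applies.
searchguard.ssl.http.pemkey_password: c8fd4fe5e9a3cfb7567b
searchguard.ssl.http.pemtrustedcas_filepath: chain-ca.pem
# The demo certificates are public; this flag exists only so the demo setup can
# start and should be false once real certificates (as the paths above
# suggest) are in use.
searchguard.allow_unsafe_democertificates: true
# Rendered as a bullet in the paste; restored as the YAML list this key expects.
searchguard.authcz.admin_dn:
  - CN=sgadmin
searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
# Typographic quotes from the paste replaced with plain ones so the value
# parses as a one-element list holding the string sg_all_access.
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
# Binds every interface. HTTP is TLS-protected above, but make sure the host
# firewall limits who can reach 9200/9300.
network.host: 0.0.0.0
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
xpack.monitoring.enabled: true
xpack.graph.enabled: false
xpack.ml.enabled: false
xpack.security.enabled: false
xpack.watcher.enabled: false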

``

Kibana.yml

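# Typographic quotes from the paste replaced with plain ones; as pasted the
# value would be the literal characters “saml” including the quotes, which is
# not the auth type the plugin looks for.
searchguard.auth.type: "saml"
# The IdP posts the SAML response to /searchguard/saml/acs and logout requests
# to /searchguard/saml/logout without Kibana's XSRF token, so these two paths
# are exempted. Keep the list to exactly these paths.
server.xsrf.whitelist: ["/searchguard/saml/acs", "/searchguard/saml/logout"]

# NOTE(review): Kibana is served over TLS on its default port 5601; the
# kibana_url in sg_config.yml must be the exact URL browsers use here.
server.ssl.enabled: true
server.ssl.certificate: /home/ubuntu/ELK_6_4_Stack/kibana-6.4.3-linux-x86_64/config/kibana.crtfull.pem
server.ssl.key: /home/ubuntu/ELK_6_4_Stack/kibana-6.4.3-linux-x86_64/config/kibana.key.pem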

``

  • Elasticsearch log messages on debug level

  • Other installed Elasticsearch or Kibana plugins, if any

I'm using the Search Guard Community version and, following the https://search-guard.com/kibana-elasticsearch-saml/ guide, I have completed all the steps, including enabling the enterprise features. I can connect to the Elasticsearch cluster at https:0.0.0.0:9200, but when I open the Kibana URL I get a SAML authentication error from the Okta portal, and a SAML config error when visiting the link directly.

Please help me with this issue.

seems like a duplicate of https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/search-guard/Ox4tBvpUR74/gAfEpgAnBgAJ


On Monday, 10 December 2018 15:13:49 UTC+1, Venkata Naresh Divi wrote:

When asking questions, please provide the following information:

  • Search Guard and Elasticsearch version

6.4.3

  • Installed and used enterprise modules, if any

No

  • JVM version and operating system version
  • Search Guard configuration files

sg_config.yml

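# NOTE(review): the paste lost its indentation; it is restored below to the
# layout the file's own second half (proxy_auth_domain onwards) still had.
# The first pasted line fused a kibana.yml setting onto "dynamic:" —
# "server.ssl.key: /home/ubuntu/ELK_6_4_Stack/kibana-6.4.3-linux-x86_64/config/kibana.key.pem" —
# which does not belong in sg_config.yml and would turn "dynamic:" into the
# tail of a string instead of a key, so it is left out here. The forum's
# markdown also ate "*" / "**" characters and turned straight quotes into
# typographic ones; those are repaired where they occur.
dynamic:
  # Set filtered_alias_mode to 'disallow' to forbid more than 2 filtered aliases per index
  # Set filtered_alias_mode to 'warn' to allow more than 2 filtered aliases per index but warns about it (default)
  # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently
  #filtered_alias_mode: warn
  #kibana:
    # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE
    # see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md
    # To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki
    #multitenancy_enabled: true
    #server_username: kibanaserver
    #index: '.kibana'
    #do_not_fail_on_forbidden: false
  http:
    anonymous_auth_enabled: false
    xff:
      # Disabled: X-Forwarded-For is ignored and the client address is the TCP
      # peer. Enable only behind a proxy that overwrites the header itself, and
      # keep internalProxies limited to that proxy's addresses.
      enabled: false
      internalProxies: '192.168.0.10|192.168.0.11' # regex pattern
      #internalProxies: '.*' # trust all internal proxies, regex pattern
      remoteIpHeader: 'x-forwarded-for'
      proxiesHeader: 'x-forwarded-by'
      #trustedProxies: '.*' # trust all external proxies, regex pattern
      ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
      ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
      ###### and here https://tools.ietf.org/html/rfc7239
      ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
  authc:
    kerberos_auth_domain:
      http_enabled: false
      transport_enabled: false
      order: 6
      http_authenticator:
        type: kerberos # NOT FREE FOR COMMERCIAL USE
        challenge: true
        config:
          # If true a lot of kerberos/security related debugging output will be logged to standard out
          krb_debug: false
          # If true then the realm will be stripped from the user name
          strip_realm_from_principal: true
      authentication_backend:
        type: noop
    basic_internal_auth_domain:
      # NOTE(review): the other domains use http_enabled/transport_enabled;
      # confirm this version honours a bare "enabled" key at all.
      enabled: true
      http_enabled: true
      transport_enabled: true
      order: 0
      http_authenticator:
        type: basic
        # NOTE(review): with challenge: true this authenticator answers an
        # unauthenticated browser request with a 401/WWW-Authenticate before
        # the SAML domain (order 1) gets to redirect to the IdP. The Search
        # Guard SAML guide the post links sets this to false for that reason —
        # worth checking against the guide.
        challenge: true
      authentication_backend:
        type: intern
    # The paste showed "saml**:" — markdown bold markers, not part of the name.
    saml:
      # NOTE(review): same "enabled" vs http_enabled/transport_enabled question
      # as above; the guide uses http_enabled: true, transport_enabled: false.
      enabled: true
      order: 1
      http_authenticator:
        type: saml
        challenge: true
        config:
          idp:
            # NOTE(review): "…/…/" is not a valid relative path — either a
            # redaction or "../../" mangled by the forum. The guide gives the
            # path relative to the Elasticsearch config directory, so a file
            # placed there is referenced by bare filename.
            metadata_file: …/…/ELK_6_4_Stack/elasticsearch-6.4.3/config/okta.xml
            # Runs of "$" are the poster's redactions.
            entity_id: http://www.okta.com/$$$$$$$$$
          sp:
            # NOTE(review): this must equal, character for character, the
            # Audience URI configured on the Okta application; a mismatch
            # surfaces as a SAML configuration error. The redacted value also
            # has the port before the domain suffix, which looks like a paste
            # artefact rather than the real URL — verify the real one.
            entity_id: https://kibana.:5601$$$$$$.info/searchguard/saml/acs
          # NOTE(review): the paste does not show whether the next three keys
          # sat under sp or at this level; the guide places them here, as
          # siblings of idp and sp.
          kibana_url: https://kibana.:5601$$$$$$.info/
          roles_key: Role
          # SECURITY: this value is the base64 of {"alg":"HS256","typ":"JWT"} —
          # a JWT header copied from somewhere, not a secret — and it is now
          # public in this post. Per the guide the exchange key signs the token
          # Search Guard hands to Kibana after the SAML login, so replace it
          # with a long random value that is neither committed nor posted.
          exchange_key: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9'
      authentication_backend:
        # The paste showed "type:** ** noop**" — bold markers again.
        type: noop

    proxy_auth_domain:
      http_enabled: false
      transport_enabled: false
      order: 3
      http_authenticator:
        type: proxy
        challenge: false
        config:
          # Disabled. If it is ever enabled, these headers are trusted as the
          # user's identity, so the xff section above must then be enabled and
          # restricted to the proxy that strips them from client requests.
          user_header: "x-proxy-user"
          roles_header: "x-proxy-roles"
      authentication_backend:
        type: noop
    # The paste had this key indented one space less than its siblings, which
    # would make it a sibling of authc rather than an auth domain; aligned here.
    jwt_auth_domain:
      http_enabled: false
      transport_enabled: false
      order: 4
      http_authenticator:
        type: jwt
        challenge: false
        config:
          # Placeholder text from the default file; the domain is disabled.
          signing_key: "base64 encoded HMAC key or public RSA/ECDSA pem key"
          jwt_header: "Authorization"
          jwt_url_parameter: null
          roles_key: null
          subject_key: null
      authentication_backend:
        type: noop
    clientcert_auth_domain:
      http_enabled: false
      transport_enabled: false
      order: 2
      http_authenticator:
        type: clientcert
        config:
          username_attribute: cn #optional, if omitted DN becomes username
        challenge: false
      authentication_backend:
        type: noop
    ldap:
      http_enabled: false
      transport_enabled: false
      order: 5
      http_authenticator:
        type: basic
        challenge: false
      authentication_backend:
        # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
        type: ldap # NOT FREE FOR COMMERCIAL USE
        config:
          # enable ldaps
          # Disabled domain. If it is enabled, turn on enable_ssl or
          # enable_start_tls so bind credentials do not cross the wire in clear.
          enable_ssl: false
          # enable start tls, enable_ssl should be false
          enable_start_tls: false
          # send client certificate
          enable_ssl_client_auth: false
          # verify ldap hostname
          verify_hostnames: true
          hosts:
            - localhost:8389
          bind_dn: null
          password: null
          userbase: 'ou=people,dc=example,dc=com'
          # Filter to search for users (currently in the whole subtree beneath userbase)
          # {0} is substituted with the username
          usersearch: '(sAMAccountName={0})'
          # Use this attribute from the user as username (if not set then DN is used)
          username_attribute: null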

``

elasticsearch.yml:

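# NOTE(review): the paste fused the next two settings onto one line
# ("...: truesearchguard.ssl..."); split back into the two keys they are.
# The post also says no enterprise modules are used, yet SAML is an
# enterprise module and this flag is what enables it — confirm the
# module/licensing state matches what is actually loaded.
searchguard.enterprise_modules_enabled: true
searchguard.ssl.transport.pemcert_filepath: CN=emailnow.info.crtfull.pem
searchguard.ssl.transport.pemkey_filepath: CN=emailnow.info.key.pem
# SECURITY: this private-key passphrase has been published with this post;
# treat the key as compromised and re-issue the node certificate.
searchguard.ssl.transport.pemkey_password: c8fd4fe5e9a3cfb7567b
searchguard.ssl.transport.pemtrustedcas_filepath: chain-ca.pem
# Hostname verification is off for inter-node TLS: any certificate chaining to
# chain-ca.pem is accepted regardless of which host presents it.
searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: true
searchguard.compliance.history.internal_config_enabled: true
searchguard.compliance.history.external_config_enabled: true
searchguard.compliance.history.read.metadata_only: true

searchguard.ssl.http.pemcert_filepath: CN=emailnow.info.crtfull.pem
searchguard.ssl.http.pemkey_filepath: CN=emailnow.info.key.pem
# Same passphrase as the transport key above; same rotation applies.
searchguard.ssl.http.pemkey_password: c8fd4fe5e9a3cfb7567b
searchguard.ssl.http.pemtrustedcas_filepath: chain-ca.pem
# The demo certificates are public; this flag exists only so the demo setup can
# start and should be false once real certificates (as the paths above
# suggest) are in use.
searchguard.allow_unsafe_democertificates: true
# Rendered as a bullet in the paste; restored as the YAML list this key expects.
searchguard.authcz.admin_dn:
  - CN=sgadmin
searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
# Typographic quotes from the paste replaced with plain ones so the value
# parses as a one-element list holding the string sg_all_access.
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false
cluster.name: searchguard_demo
# Binds every interface. HTTP is TLS-protected above, but make sure the host
# firewall limits who can reach 9200/9300.
network.host: 0.0.0.0
discovery.zen.minimum_master_nodes: 1
node.max_local_storage_nodes: 3
xpack.monitoring.enabled: true
xpack.graph.enabled: false
xpack.ml.enabled: false
xpack.security.enabled: false
xpack.watcher.enabled: false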

``

Kibana.yml

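# Typographic quotes from the paste replaced with plain ones; as pasted the
# value would be the literal characters “saml” including the quotes, which is
# not the auth type the plugin looks for.
searchguard.auth.type: "saml"
# The IdP posts the SAML response to /searchguard/saml/acs and logout requests
# to /searchguard/saml/logout without Kibana's XSRF token, so these two paths
# are exempted. Keep the list to exactly these paths.
server.xsrf.whitelist: ["/searchguard/saml/acs", "/searchguard/saml/logout"]

# NOTE(review): Kibana is served over TLS on its default port 5601; the
# kibana_url in sg_config.yml must be the exact URL browsers use here.
server.ssl.enabled: true
server.ssl.certificate: /home/ubuntu/ELK_6_4_Stack/kibana-6.4.3-linux-x86_64/config/kibana.crtfull.pem
server.ssl.key: /home/ubuntu/ELK_6_4_Stack/kibana-6.4.3-linux-x86_64/config/kibana.key.pem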

``

  • Elasticsearch log messages on debug level
  • Other installed Elasticsearch or Kibana plugins, if any

I'm using the Search Guard Community version and, following the https://search-guard.com/kibana-elasticsearch-saml/ guide, I have completed all the steps, including enabling the enterprise features. I can connect to the Elasticsearch cluster at https:0.0.0.0:9200, but when I open the Kibana URL I get a SAML authentication error from the Okta portal, and a SAML config error when visiting the link directly.

Please help me with this issue.