Unable to log in to Kibana via SAML after 7.10.1 upgrade.
Issue
I’m unable to log in to Kibana after deploying v7.10.1 with Search Guard installed, similar to this post. However, unlike this post, redeploying did not resolve the issue. Fortunately, this is my test environment, but I would like to move to production ASAP.
Details are:
Elasticsearch version: 7.10.1, with Search Guard 48.0.0
Kibana version: 7.10.1, with Kibana Plugin 48.0.0
Using standard Elastic container images, with Search Guard installed.
I’m receiving the following error:
I’ve attached copies of config files and logs. Note that these config files work without any issues under previous versions, including 7.9.1, which I’m currently using in production.
That was my initial thought too, so I tried to open and authenticate from an incognito window, which I can usually do. That didn’t work. However, when I cleared all browser cookies from my main window and restarted, I’m still getting the same issue.
Here’s a screenshot of the browser cookies from the incognito window for a failed connection to the non-working instance:
I realize you said that the cookies had been updated in the latest version, but here’s a screenshot of the cookies from the version that still works correctly:
What happens when you click the “Back to Kibana Home” button?
What was your upgrade procedure for the Search Guard Kibana plugin?
What IDP do you use?
It attempts to go to the Kibana home, then ultimately ends up at the same screen.
We’re deploying via Kubernetes, so I wrote a Dockerfile, which pulls copies of the Elasticsearch and Kibana images published by Elastic, and then installs Search Guard into the image. At that point, I deploy.
I just rebuilt and redeployed, and confirmed that I’m using the correct version of SG with Elasticsearch & Kibana. No luck.
I see the LDAP authz error in the Elasticsearch log.
"Caused by: org.elasticsearch.ElasticsearchSecurityException: No user admin found",
"at com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend.fillRoles(LDAPAuthorizationBackend.java:747) ~[dlic-search-guard-suite-security-7.10.1-48.0.0.jar:7.10.1-48.0.0]",
Do you have the admin user on the LDAP server? Does the connection to the LDAP server work? Look at the LDAP server logs. Do you see anything suspicious in the LDAP logs?
Are you able to fetch SAML metadata_url and entity_id data from the Elasticsearch server?
Sorry for taking so long to respond. I’m not able to download files from Google Drive, as we have it blocked in our organization. Is there any other way you can get the plugin to me with the additional logs?
Connection to the LDAP server works. When I do the following command against Elasticsearch using an LDAP user with appropriate permissions, I get the expected output.
It is required to set isSameSite=None to enable Kibana to send the cookie in a third-party context. And in the case of SAML, the cookie is sent in a third-party (cross-site) context: Kibana → SAML (IDP) → Kibana → User.
Do you use the latest version of Chrome or Firefox? What are the domain names of Kibana and SAML IDP server? I don’t need the exact names, just invent something that has similar formatting. For example, kibana.ent.com and saml-idp.com.
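Added example (not part of the thread and not Search Guard code): a small check that reads `Set-Cookie` headers, such as those visible in the browser's network tab, and reports whether a current browser would attach each cookie to the cross-site request that ends the SAML flow described above. It assumes the IdP returns the response with a cross-site POST; the cookie names and header values are constructed.

```python
from dataclasses import dataclass


@dataclass
class Verdict:
    name: str
    sent_cross_site: bool
    reason: str


def parse_set_cookie(header):
    """Split one Set-Cookie value into (cookie name, lower-cased attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cross_site_verdict(header):
    """Decide whether the cookie accompanies a cross-site POST (IdP -> Kibana)."""
    name, attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite", "").lower()
    if same_site == "none":
        if "secure" in attrs:
            return Verdict(name, True, "SameSite=None with Secure")
        return Verdict(name, False, "SameSite=None without Secure is rejected")
    if same_site == "strict":
        return Verdict(name, False, "SameSite=Strict is never sent cross-site")
    # A missing or unknown value is treated as Lax; Chrome's short-lived
    # allowance for freshly set cookies on POST is deliberately ignored here.
    return Verdict(name, False, "Lax (explicit or default) is not sent on cross-site POST")


def audit(headers):
    return [cross_site_verdict(h) for h in headers]


# Constructed sample headers; the cookie names are hypothetical.
SAMPLE_HEADERS = [
    "session_a=abc; Path=/; HttpOnly",
    "session_b=abc; Path=/; HttpOnly; SameSite=None",
    "session_c=abc; Path=/; HttpOnly; Secure; SameSite=None",
    "session_d=abc; Path=/; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_HEADERS):
        print(f"{v.name}: {'sent' if v.sent_cross_site else 'dropped'} ({v.reason})")
```

Only the `SameSite=None; Secure` cookie survives the round trip, so Kibana must be served over HTTPS for the setting to take effect.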