1tarak
(Vishnu)
March 28, 2019, 12:37pm
Hi Team,
Here is my readonlyrest.yml and kibana.yml. Can you please check and help me if I am missing something.
When I click Enter using SAML SSO, it goes to the IdP link and then ends up at https://kibana-hostname/ror_kbn_sso/assert and says the page is not reachable.
Here is the error I see in Chrome developer tools:
{"statusCode":401,"error":"Unauthorized","message":"Unauthorized","attributes":{"error":"Unauthorized"}}
readonlyrest.yml

```yaml
http.type: ssl_netty4
readonlyrest:
  access_control_rules:
  - name: "::LOGSTASH::"
    auth_key: logstash:xxxxxxx
    verbosity: error
    actions: ["cluster:monitor/main","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
  - name: "::KIBANA-SRV::"
    auth_key: kibana:xxxxxx
    verbosity: error
  - name: "ReadonlyREST Enterprise instance #1"
    ror_kbn_auth:
      name: "kbn1"
  ror_kbn:
  - name: kbn1
    signature_key: "256 characters string"
  ssl:
    enable: true
    keystore_file: "xxxxxxx"
    keystore_pass: xxxxxxxx
    key_alias: xxxxxxxxx
    key_pass: xxxxxxxxxxxx
  audit_collector: true
  audit_serializer: tech.beshu.ror.requestcontext.QueryAuditLogSerializer
  audit_index_template: "'readonlyrest_audit'-yyyy-MM"
  prompt_for_basic_auth: false
  response_if_req_forbidden: "This action is forbidden."
```
kibana.yml

```yaml
readonlyrest_kbn.auth:
  signature_key: "256 characters string"
  saml:
    enabled: true
    entryPoint: 'https://idp-hostname/idp/SSO.saml2'
    protocol: "https"
    kibanaExternalHost: ‘kibana-hostname’
    usernameParameter: 'nameID'
    groupsParameter: 'memberOf'
    logoutUrl: 'https:// idp-hostname/idp/SLO.saml2'
    issuer: "kibana"
    decryptionCert: "/path/saml.crt"
```
In the logs I can see it's getting the username and groups:
{"type":"log","@timestamp":"2019-03-20T14:38:54Z","tags":["ror","info"],"pid":1278,"message":"obtained username from SAML profile: myusername"}
sscarduzio
(Simone Scarduzio)
March 28, 2019, 3:42pm
Hello @1tarak ,
What version of ROR and Kibana/Elasticsearch are you using?
1tarak
(Vishnu)
March 29, 2019, 12:19pm
ROR version is 1.17.3
ELK version is 6.6.1
sscarduzio
(Simone Scarduzio)
March 29, 2019, 1:22pm
Hi @1tarak ,
First of all, watch out for spaces in the values of your kibana.yml, and also use straight quotes like ' or ".
Also, when you paste YAML or code, use the "</>" icon in the forum's editor, do NOT use the quotation, because if you do, it will change the formatting of the YAML and it won't work anymore.
I just tried with the latest version of ROR and ES. Works for me. Not sure what the difference is with your setup. This is my setting:
Elasticsearch
config/readonlyrest.yml

```yaml
readonlyrest:
  ssl:
    keystore_file: "keystore.jks"
    keystore_pass: readonlyrest
    key_pass: readonlyrest
  prompt_for_basic_auth: false
  audit_collector: true
  access_control_rules:
  - name: "::KIBANA-SRV::"
    auth_key: kibana:kibana
    verbosity: error
  - name: "ReadonlyREST Enterprise instance #1"
    ror_kbn_auth:
      name: "kbn1"
  ror_kbn:
  - name: kbn1
    signature_key: "my_shared_secret_kibana1_(min 256 chars)my_shared_secret_kibana1_(min 256 chars)my_shared_secret_kibana1_(min 256 chars)my_shared_secret_kibana1_(min 256 chars)" # <- use environmental variables for better security!
```
Kibana

```yaml
xpack.security.enabled: false
#readonlyrest_kbn.kibanaIndexTemplate: ".kibana_infosec7"
#elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.url: "https://localhost:9200"
elasticsearch.ssl.verificationMode: none
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"
readonlyrest_kbn:
  logLevel: debug
  auth:
    signature_key: "my_shared_secret_kibana1_(min 256 chars)my_shared_secret_kibana1_(min 256 chars)my_shared_secret_kibana1_(min 256 chars)my_shared_secret_kibana1_(min 256 chars)" # <- use environmental variables for better security!
    saml:
      enabled: true
      issuer: 'ror'
      entryPoint: 'http://localhost:8080/simplesaml/saml2/idp/SSOService.php'
      kibanaExternalHost: 'localhost:5601' # <-- public URL used by the Identity Provider to call back Kibana with the "assertion" message
      usernameParameter: 'email'
      groupsParameter: 'eduPersonAffiliation'
      logoutUrl: 'http://localhost:8080/simplesaml/saml2/idp/SingleLogoutService.php'
```
This is my test SAML:
```bash
docker run --rm --name=testsamlidp_idp -p 8080:8080 -p 8443:8443 \
  -e SIMPLESAMLPHP_SP_ENTITY_ID=http://app.example.com \
  -e SIMPLESAMLPHP_SP_ASSERTION_CONSUMER_SERVICE=http://localhost:5601/k/ror_kbn_sso/assert \
  -e SIMPLESAMLPHP_SP_SINGLE_LOGOUT_SERVICE=http://localhost:5601/k/ror_kbn_sso/notifylogout \
  -e SIMPLESAMLPHP_SP_ENTITY_ID=ror \
  --rm kristophjunge/test-saml-idp
```
1tarak
(Vishnu)
April 3, 2019, 1:15pm
Is the port number mandatory in `kibanaExternalHost: 'localhost:5601'`?
And we are using the load balancer URL here. Do we need any extra settings if we use a load balancer?
We have enabled sticky session in the load balancer.
Here you have an extra /k; is this required to be set on the SAML provider side?
`http://localhost:5601/k/ror_kbn_sso/assert`
sscarduzio
(Simone Scarduzio)
April 3, 2019, 4:04pm
The extra /k is because I configured my Kibana with
`server.basePath: /k`
You can remove it, I forgot to strip it out, sorry.
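A small check for the two pitfalls raised in this thread (typographic quotes or stray spaces in kibana.yml values, and the callback URLs the IdP must be given once server.basePath is set), written as an added example that is not code from the thread or from the ReadonlyREST project. The /ror_kbn_sso/assert and /ror_kbn_sso/notifylogout paths are the ones shown above; the sample snippet and the https fallback when protocol is absent are assumptions of this example.

```python
import re
# Typographic quotes that break YAML string values (the thread's first problem).
CURLY = "\u2018\u2019\u201c\u201d"  # ‘ ’ “ ”
# Constructed kibana.yml fragment reproducing the issues seen in the thread.
SAMPLE = """\
server.basePath: /k
readonlyrest_kbn:
  auth:
    saml:
      enabled: true
      protocol: "https"
      kibanaExternalHost: \u2018kibana-hostname\u2019
      logoutUrl: 'https:// idp-hostname/idp/SLO.saml2'
"""

def parse_flat(text):
    """Collect 'key: value' lines into a dict of raw values (nesting is ignored)."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z_][\w.]*):(.*)$", line)
        if m and m.group(2).strip():
            out[m.group(1)] = m.group(2)
    return out

def unquote(raw):
    """Strip surrounding whitespace and straight or typographic quotes."""
    return raw.strip().strip("'\"" + CURLY)

def value_problems(key, raw):
    """Findings for one value: typographic quotes, padding inside quotes, space after scheme."""
    findings = []
    if any(c in raw for c in CURLY):
        findings.append(f"{key}: typographic quote in value, use ' or \"")
    inner = raw.strip().strip("'\"")
    if inner != inner.strip():
        findings.append(f"{key}: leading/trailing space inside the quotes")
    if re.search(r"://\s", inner):
        findings.append(f"{key}: space after the URL scheme")
    return findings

def lint(text):
    return [f for k, v in parse_flat(text).items() for f in value_problems(k, v)]

def callback_urls(cfg, default_protocol="https"):
    """Endpoints to register at the IdP, built from protocol, kibanaExternalHost and
    server.basePath. The https fallback when 'protocol' is absent is an assumption."""
    proto = unquote(cfg.get("protocol", default_protocol))
    host = unquote(cfg["kibanaExternalHost"])
    base = unquote(cfg.get("server.basePath", "")).rstrip("/")
    root = f"{proto}://{host}{base}"
    return {"assert": root + "/ror_kbn_sso/assert", "logout": root + "/ror_kbn_sso/notifylogout"}
```

Run `lint(SAMPLE)` to list the offending values and `callback_urls(parse_flat(SAMPLE))` to see the exact ACS and logout URLs the IdP side must be configured with, basePath included.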