I faced a very critical issue. Many users that have more than 30-40 groups in LDAP can't access Kibana due to an oversized cookie. When I say oversized I mean from 5000 to 14000 characters. You can easily reproduce it with Keycloak. It makes using the Kibana RoR plugin impossible.
login:1 Set-Cookie header is ignored in response from url: https://dev.kibana.local/login. Cookie length should be less than or equal to 4096 characters.
{"type":"log","@timestamp":"2019-07-23T10:54:42Z","tags":["fatal","root"],"pid":1,"message":"{ ValidationError: child \"readonlyrest_kbn\" fails because [child \"auth\" fails because [\"saml_kc\" is not allowed]]\n at Object.exports.process (/kibana/node_modules/joi/lib/errors.js:196:19)\n at internals.Object._validateWithOptions (/kibana/node_modules/joi/lib/types/any/index.js:675:31)\n at module.exports.internals.Any.root.validate (/kibana/node_modules/joi/lib/index.js:146:23)\n at Config._commit (/kibana/src/server/config/config.js:139:35)\n at Config.set (/kibana/src/server/config/config.js:108:10)\n at Config.extendSchema (/kibana/src/server/config/config.js:81:10)\n at extendConfigService (/kibana/src/plugin_discovery/plugin_config/extend_config_service.js:45:10) name: 'ValidationError' }"} FATAL ValidationError: child "readonlyrest_kbn" fails because [child "auth" fails because ["saml_kc" is not allowed]]
Same error with a large cookie size.
Can you check locally with about 70-80 groups in Keycloak for a user? Each group must be at least 10 characters (larger is better) for representative results.
The affected users have about 110 groups; I checked again.
I can offer something. Use POST for receiving the intermediate SAML groups instead of cookies, and store in rorCookie only the groups that are contained in the rules. It is a workaround, but it covers many cases. If it is possible, of course.
Yes, almost done; a lot of changes though, and it will need a good session of manual testing too.
We managed to remove the list of groups and hidden apps from the cookie entirely. We also managed to remove the use of cookies from the SAML connector, replacing it with session storage (which has a limit of 5MB in some browsers; in others it is unlimited).