Cookie length should be less than or equal to 4096

Have you disabled xpack security?

Sure. Previous version works fine.

@sscarduzio
Hello! My trial is expired. Can you give me another one for testing?

Hello @Maligos, sorry for the delay.

  • I manually tested this build
  • An unrelated SAML SLO (single logout) issue is resolved

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.18.5-pre8/trial/20190816/enterprise/readonlyrest_kbn_enterprise-1.18.5-pre8-20190816_es6.7.1.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20190816/eu-west-1/s3/aws4_request&X-Amz-Date=20190816T161814Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=14766d13cfc20471520dc259394938a25e4784332e6d58976410bcab4ddfcbfc

@Maligos any news about this? All good?

Hello @sscarduzio!
Still have error after redeploy and login via SAML.

{"statusCode":400,"error":"Bad Request","message":"Invalid cookie value"} 
{ Error: Not Found
    at handler (/kibana/src/server/http/index.js:120:30)
    at module.exports.internals.Manager.execute (/kibana/node_modules/hapi/lib/toolkit.js:35:106)
    at Object.internals.handler (/kibana/node_modules/hapi/lib/handler.js:50:48)
    at exports.execute (/kibana/node_modules/hapi/lib/handler.js:35:36)
    at Request._lifecycle (/kibana/node_modules/hapi/lib/request.js:263:62)
    at process._tickCallback (internal/process/next_tick.js:68:7)
  data: null,
  isBoom: true,
  isServer: false,
  output:
   { statusCode: 404,
     payload:
      { statusCode: 404, error: 'Not Found', message: 'Not Found' },
     headers: { 'kbn-name': 'kibana' } },
  reformat: [Function],
  message: 'Not Found',
  typeof: [Function: notFound] }

Try deleting your cookie from the browser? Or using another browser? Or incognito?

Deleting the cookie is the only solution. But I have many customers and I can’t give them advice to delete the cookie after each redeploy. It is very annoying.

What do you mean after each redeploy? Only after deploying this fixed version, right? Next time you upgrade ROR or Kibana versions, this need to delete cookies won’t really apply.

@sscarduzio
I meant even when I restart the Kibana service with the same version.

Ohh of course, because we could not keep the groups list in the cookie, we moved it to an in-memory server-side session-db. When you restart the server, the session-db resets, and even if the cookie is valid, it will reject the cookie because it can’t retrieve the session from the db.

But the behaviour should be: after restart, the users will be redirected to login for new authentication. No manual cookie deletion required.

Yes, they were redirected to the login page, clicked SAML auth button and then got cookie error after that.

So did I understand correctly that the following happens every time you restart, even with the newest version of ROR Enterprise?

  • redirect to login
  • click login with SAML
  • cookie error that requires manual delete of cookies
  • try to login again, successfully

@sscarduzio
Correct. I reproduced it again to be 100% sure.

Can you check whether it’s still true after setting this in kibana.yml?

readonlyrest_kbn.cookiePass: "<some long string>"

{"statusCode":500,"error":"Internal Server Error","message":"An internal server error occurred"}
Error handling saml  TypeError: Cannot read property 'usernameParameter' of undefined
    at Object.setTransitionalToken (/kibana/plugins/readonlyrest_kbn/server/routes/lib/connectors/saml/samlConfig.js:1:544)
    at exports.saml (/kibana/plugins/readonlyrest_kbn/server/routes/lib/connectors/saml/controllers/saml/v1/index.js:1:339)
    at module.exports.internals.Manager.execute (/kibana/plugins/readonlyrest_kbn/node_modules/hapi/lib/toolkit.js:35:106)
    at Object.internals.handler (/kibana/plugins/readonlyrest_kbn/node_modules/hapi/lib/handler.js:50:48)
    at exports.execute (/kibana/plugins/readonlyrest_kbn/node_modules/hapi/lib/handler.js:35:36)
    at Request._lifecycle (/kibana/plugins/readonlyrest_kbn/node_modules/hapi/lib/request.js:263:62)
Debug: internal, implementation, error 
    Error:  method did not return a value, a promise, or throw an error
    at module.exports.internals.Manager.execute (/kibana/plugins/readonlyrest_kbn/node_modules/hapi/lib/toolkit.js:52:29)

Part of the config:

readonlyrest_kbn:
  logLevel: info
  cookiePass: 'hsEkuA2M2p2rDZ2g7N4Rx3yEtTP7t3Bf'
  auth:

I just added “cookiePass” param to current config.

Very strange, can you post the whole (sanitized) YAML? Even in PM if you don’t want to share with others.

FYI this is the configuration I’m using in my development machine

xpack.security.enabled: false
xpack.spaces.enabled: false

elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"
elasticsearch.ssl.verificationMode: none
server.basePath: '/k'

server.ssl.enabled: true
server.ssl.certificate: '/me/kibana_plugin/kibana-extra/readonlyrest_kbn/ssl/localhost.pem'
server.ssl.key: '/me/kibana_plugin/kibana-extra/readonlyrest_kbn/ssl/localhost-key.pem'


readonlyrest_kbn:
  whitelistedPaths: [".*/api/.*$"]
  proxy_auth_passthrough: true

  #kibana_custom_css_inject_file: "/tmp/custom_kibana.css"
  logLevel: debug
  clearSessionOnEvents: ["login"]
  session_timeout_minutes: 99999
  cookiePass: "12345678901234567890123456789012"
  #kibanaIndexTemplate: ".kibana_infosec"

  auth:
    signature_key: "9yzBfnLaTYLfGPzyKW9es76RKYhUVgmuv6ZtehaScj5msGpBpa5FWpwk295uJYaaffTFnQC5tsknh2AguVDaTrqCLfM5zCTqdE4UGNL73h28Bg4dPrvTAFQyygQqv4xfgnevBED6VZYdfjXAQLc8J8ywaHQQSmprZqYCWGE6sM3vzNUEWWB3kmGrEKa4sGbXhmXZCvL6NDnEJhXPDJAzu9BMQxn8CzVLqrx6BxDgPYF8gZCxtyxMckXwCaYXrxAGbjkYH69F4wYhuAdHSWgRAQCuWwYmWCA6g39j4VPge5pv962XYvxwJpvn23Y5KvNZ5S5c6crdG4f4gTCXnU36x92fKMQzsQV9K4phcuNvMWkpqVB6xMA5aPzUeHcGytD93dG8D52P5BxsgaJJE6QqDrk3Y2vyLw9ZEbJhPRJxbuBKVCBtVx26Ldd46dq5eyyzmNEyQGLrjQ4qd978VtG8TNT5rkn4ETJQEju5HfCBbjm3urGLFVqxhGVawecT4YM9Rry4EqXWkRJGTFQWQRnweUFbKNbVTC9NxcXEp6K5rSPEy9trb5UYLYhhMJ9fWSBMuenGRjNSJxeurMRCaxPpNppBLFnp8qW5ezfHgCBpEjkSNNzP4uXMZFAXmdUfJ8XQdPTWuYfdHYc5TZWnzrdq9wcfFQRDpDB2zX5Myu96krDt9vA7wNKfYwkSczA6qUQV66jA8nV4Cs38cDAKVBXnxz22ddAVrPv8ajpu7hgBtULMURjvLt94Nc5FDKw79CTTQxffWEj9BJCDCpQnTufmT8xenywwVJvtj49yv2MP2mGECrVDRmcGUAYBKR8G6ZnFAYDVC9UhY46FGWDcyVX3HKwgtHeb45Ww7dsW8JdMnZYctaEU585GZmqTJp2LcAWRcQPH25JewnPX8pjzVpJNcy7avfA2bcU86bfASvQBDUCrhjgRmK2ECR6vzPwTsYKRgFrDqb62FeMdrKgJ9vKs435T5ACN7MNtdRXHQ4fj5pNpUMDW26Wd7tt9bkBTqEGf"
   
    saml_kc:
      buttonName: 'KeyCloak SAML SSO'
      enabled: true
      type: saml
      protocol: 'https'
      issuer: 'ror'
      entryPoint: 'http://127.0.0.1:8080/auth/realms/master/protocol/saml'
      kibanaExternalHost: 'localhost:5601'
      usernameParameter: 'nameID'
      groupsParameter: 'member'
      logoutUrl: 'http://127.0.0.1:8080/auth/realms/master/protocol/saml'

Hello @sscarduzio!
Sorry for the delay, I was unavailable.
Here is my full Kibana config below:

readonlyrest_kbn:
  logLevel: info
  auth:
    signature_key: 'vELn41Rra4sG3zTWp+cE706FmEtRZdsgMWIJNp2OjkrQ03epc+MHGhWVP+7u14q630qzoK7omFotWkrHmiND6u5y7D4SuRWVP+7u14q630qzoK7omFotWkrHmiND6u5y7D4SuRWVP+7u14q630qzoK7omFotWkrHmiND6u5y7D4SuRd99s02o29d0sdf09sdf09u2093u0f9wduf09sd8uf09783042jkljdflsjlkjlskdjflskdjdkjflsdkj'
    saml_kc:
      buttonName: "SSO LOGIN"
      enabled: true
      type: "saml"
      issuer: "c07eb4b5-67ec-40c4-99a7-e5aec833eb87"
      entryPoint: "https://oidc.dev.local/auth/realms/master/protocol/saml"
      kibanaExternalHost: "kibana.dev.local"
      protocol: https
      usernameParameter: "nameID"
      groupsParameter: "samlGroups"
      logoutUrl: "https://oidc.dev.local/auth/realms/master/broker/saml/endpoint"
elasticsearch.username: "kibana"
elasticsearch.password: "kibana"
elasticsearch.ssl.verificationMode: none
logging.quiet: false
server.port: 5601
# xpack.security.enabled: false
# xpack.graph.enabled: false
# xpack.ml.enabled: false
# xpack.monitoring.enabled: false
# xpack.reporting.enabled: false
# xpack.watcher.enabled: false

Your Kibana does not listen on https, does it? If not, why do you have protocol: https?
Also, check the issuer. Where did you get that from?

Also, let’s try with the latest ROR build and see whether the stack trace is still there and similar:
https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.18.6-pre2/trial/20190911/enterprise/readonlyrest_kbn_enterprise-1.18.6-pre2-20190911_es6.7.1.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20190911/eu-west-1/s3/aws4_request&X-Amz-Date=20190911T162956Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=bf9d770c27159076bd86b7a0028b751e64dc82864a13111cf4b1b4312f819c6d