Cookie length should be less than or equal to 4096

If you put ES in debug mode, you can access the authorization header, and inspect the received JWT token coming from Kibana.

As I saw, Kibana got all SAML groups. Here is the log:

["info","readonlyrest_kbn:readonlyrest_kbn:sideserver:redirectWithResolvedIdentity"],"pid":1,"message":"obtained identity from external connector: {\"issuer\":\"https://keycloak.local/auth/realms/master\",\"sessionIndex\":\"c87ceaf9-9ca2-446b-bd35-b33c793351a2::b81e93ab-fd17-466b-809e-e98d43225d57\",\"nameID\":\"justuser\",\"nameIDFormat\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\",\"samlGroups\":[\"thisisgroup\"],\"user\":\"justuser\",\"configObject\":{\"buttonName\":\"master SSO\",\"enabled\":true,\"type\":\"saml\",\"issuer\":\"c07eb4b5-67ec-40c4-99a7-e5aec833eb87\",\"entryPoint\":\"https://keycloak.local/auth/realms/master/protocol/saml\",\"kibanaExternalHost\":\"\",\"protocol\":\"https\",\"usernameParameter\":\"nameID\",\"groupsParameter\":\"samlGroups\",\"logoutUrl\":\"https://keycloak.local/auth/realms/master/broker/saml/endpoint\",\"routePrefix\":\"/ror_kbn_sso_saml_kc\",\"name\":\"saml_kc\",\"callbackUrl\":\"\",\"logoutCallbackUrl\":\"\",\"privateCert\":null,\"cert\":null,\"decryptionPvk\":null,\"path\":\"/saml/consume\",\"host\":\"localhost\",\"identifierFormat\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"authnContext\":\"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport\",\"acceptedClockSkewMs\":0,\"validateInResponseTo\":false,\"requestIdExpirationPeriodMs\":28800000,\"cacheProvider\":{\"cacheKeys\":{},\"options\":{\"keyExpirationPeriodMs\":28800000}},\"signatureAlgorithm\":\"sha1\"}}"}

Found the issue, the JWT that ROR Enterprise forwarded to ES didn’t include the groups array. Making a new build for you as we speak.
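
The check that the two posts above imply (inspect the Authorization header ES receives, verify the JWT, and confirm the groups array is actually in it) as an added example; this is not ReadonlyREST's own code or token format. The claim names ("user", "groups"), the HS256 shared secret and the sample tokens are constructed assumptions for illustration, and the 4096 limit is the cookie size mentioned earlier in the thread.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumptions for this example only: ROR's real token uses its own claim
# names and signing setup, which this thread does not show.
SHARED_SECRET = b"demo-secret-do-not-use"
MAX_COOKIE_LEN = 4096  # cookie size limit mentioned in the thread


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def make_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT (used here only to construct sample tokens)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Verify an HS256 JWT and return its claims; raise ValueError on failure.

    Only HS256 is accepted: the header's alg is compared against a fixed
    value, so a token carrying "alg": "none" is rejected before any
    signature logic runs.
    """
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("token must have exactly three segments")
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(p_b64))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def inspect_authorization(header_value: str, secret: bytes, groups_claim: str = "groups") -> dict:
    """Parse an 'Authorization: Bearer <jwt>' value and report what ES would see.

    Returns the user, the groups list found under `groups_claim` (empty if
    the claim is missing or not a list) and a flag saying whether any groups
    arrived at all, which is the symptom the thread was chasing.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("expected 'Bearer <jwt>'")
    claims = verify_jwt(token, secret)
    groups = claims.get(groups_claim)
    return {
        "user": claims.get("user"),
        "groups": list(groups) if isinstance(groups, list) else [],
        "has_groups": isinstance(groups, list) and len(groups) > 0,
    }


def cookie_fits(cookie_value: str, limit: int = MAX_COOKIE_LEN) -> bool:
    """Check a session cookie value against the size limit from the thread."""
    return len(cookie_value.encode("utf-8")) <= limit


# Two constructed tokens: one like the broken build (no groups), one fixed.
BROKEN_TOKEN = make_jwt({"user": "justuser", "exp": 4102444800}, SHARED_SECRET)
FIXED_TOKEN = make_jwt({"user": "justuser", "groups": ["thisisgroup"], "exp": 4102444800}, SHARED_SECRET)

if __name__ == "__main__":
    for label, tok in (("broken", BROKEN_TOKEN), ("fixed", FIXED_TOKEN)):
        print(label, inspect_authorization("Bearer " + tok, SHARED_SECRET))
```

Point `inspect_authorization` at the header value captured from ES debug logging and substitute the real claim name and secret; a verified token with `has_groups` false is the same failure the thread describes, while a signature mismatch means the header was altered or the wrong key is configured.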

Thanks! This build works. Need some time till Monday for tests.


Great! Keep me posted :slight_smile:

Hello @sscarduzio!
When I restart the Kibana container, I always get an “Invalid cookie” message. Is it possible to avoid this behavior? My customers have to clear cookies after each restart, which is annoying.

Oh yep I know what you mean. Will add it to Jira, will take care of this during these days. :+1:

Thanks! Looking forward to it!


Hello @sscarduzio!
Found a new issue with the new build. I can’t access the ReadonlyREST config from Kibana now, but I don’t see any denied messages in ES.
I’ve checked one of the previous builds, from before you changed the cookie storage, and it has access to the RoR config.
I guess now it resolves groups from SAML in the wrong order.

Error in the JS console when trying to access the RoR config from Kibana:

manifest.json:1 Manifest: Line: 1, column: 1, Unexpected token.
vendors.bundle.dll.js:316 GET 500
(anonymous) @ vendors.bundle.dll.js:316
sendReq @ vendors.bundle.dll.js:316
serverRequest @ vendors.bundle.dll.js:316
processQueue @ vendors.bundle.dll.js:316
(anonymous) @ vendors.bundle.dll.js:316
$digest @ vendors.bundle.dll.js:316
$apply @ vendors.bundle.dll.js:316
bootstrapApply @ vendors.bundle.dll.js:316
invoke @ vendors.bundle.dll.js:316
doBootstrap @ vendors.bundle.dll.js:316
bootstrap @ vendors.bundle.dll.js:316
chrome.bootstrap @ commons.bundle.js:10
LegacyPlatformService.start @ commons.bundle.js:10
CoreSystem.start @ commons.bundle.js:10
(anonymous) @ readonlyrest_kbn.bundle.js:1
Promise.then (async)
964 @ readonlyrest_kbn.bundle.js:1
__webpack_require__ @ readonlyrest_kbn.bundle.js:1
checkDeferredModules @ readonlyrest_kbn.bundle.js:1
(anonymous) @ readonlyrest_kbn.bundle.js:1
(anonymous) @ readonlyrest_kbn.bundle.js:1

Hey @sscarduzio!
Any updates?

Hi @Maligos,

Thanks for the wait. Here is the latest available build with a ton of bug fixes:

Hello @sscarduzio!

The issue with the RoR config is solved in the new release, but Invalid Cookie still happens :(

oh no, very strange! Will review.

Again. After deploying a new version:

{"statusCode":400,"error":"Bad Request","message":"Invalid cookie value"}

Hello @sscarduzio!
Do you have a new build for test?

I found the issue, man, this was really difficult. The bug was in the SAML library. I will give you a build soon.