Cookie length should be less than or equal to 4096

If you put ES in debug mode, you can access the authorization header, and inspect the received JWT token coming from Kibana.

As far as I can see, Kibana got all the SAML groups. Here is the log:

["info","readonlyrest_kbn:readonlyrest_kbn:sideserver:redirectWithResolvedIdentity"],"pid":1,"message":"obtained identity from external connector: {\"issuer\":\"https://keycloak.local/auth/realms/master\",\"sessionIndex\":\"c87ceaf9-9ca2-446b-bd35-b33c793351a2::b81e93ab-fd17-466b-809e-e98d43225d57\",\"nameID\":\"justuser\",\"nameIDFormat\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\",\"samlGroups\":[\"thisisgroup\"],\"user\":\"justuser\",\"configObject\":{\"buttonName\":\"master SSO\",\"enabled\":true,\"type\":\"saml\",\"issuer\":\"c07eb4b5-67ec-40c4-99a7-e5aec833eb87\",\"entryPoint\":\"https://keycloak.local/auth/realms/master/protocol/saml\",\"kibanaExternalHost\":\"kibana.dc01.kube.master.com\",\"protocol\":\"https\",\"usernameParameter\":\"nameID\",\"groupsParameter\":\"samlGroups\",\"logoutUrl\":\"https://keycloak.local/auth/realms/master/broker/saml/endpoint\",\"routePrefix\":\"/ror_kbn_sso_saml_kc\",\"name\":\"saml_kc\",\"callbackUrl\":\"https://kibana.dc01.kube.master.com/ror_kbn_sso_saml_kc/assert\",\"logoutCallbackUrl\":\"https://kibana.dc01.kube.master.com/ror_kbn_sso_saml_kc/notifylogout\",\"privateCert\":null,\"cert\":null,\"decryptionPvk\":null,\"path\":\"/saml/consume\",\"host\":\"localhost\",\"identifierFormat\":\"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\"authnContext\":\"urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport\",\"acceptedClockSkewMs\":0,\"validateInResponseTo\":false,\"requestIdExpirationPeriodMs\":28800000,\"cacheProvider\":{\"cacheKeys\":{},\"options\":{\"keyExpirationPeriodMs\":28800000}},\"signatureAlgorithm\":\"sha1\"}}"}

Found the issue, the JWT that ROR Enterprise forwarded to ES didn’t include the groups array. Making a new build for you as we speak.

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/tmp/kibana/readonlyrest_kbn_enterprise-1.18.3-pre6-20190726_es6.7.1.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20190726/eu-west-1/s3/aws4_request&X-Amz-Date=20190726T132047Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=ae2ec448cd82550625a56525f614f6197048f40004da078d0b3d665ab92e2e99

Thanks! This build works. I need some time, until Monday, for testing.


Great! Keep me posted 🙂

Hello @sscarduzio!
When I restart the Kibana container I always get an “Invalid cookie” message. Is it possible to avoid this behavior? My customers have to clear their cookies after each restart, which is annoying.

Oh yep, I know what you mean. Will add it to Jira and take care of this in the coming days 👍

Thanks! Looking forward to it!


Hello @sscarduzio!
Found a new issue with the new build. I can’t access the ReadonlyREST config from Kibana now, but I don’t see any denied messages in ES.
I’ve checked one of the previous builds, from before you changed the cookie storage, and it has access to the RoR config.
I guess it now resolves groups from SAML in the wrong order.

Error in the JS console when trying to access the RoR config from Kibana:

manifest.json:1 Manifest: Line: 1, column: 1, Unexpected token.
vendors.bundle.dll.js:316 GET https://kibana.dev.local/api/readonlyrest_kbn/settings 500
(anonymous) @ vendors.bundle.dll.js:316
sendReq @ vendors.bundle.dll.js:316
serverRequest @ vendors.bundle.dll.js:316
processQueue @ vendors.bundle.dll.js:316
(anonymous) @ vendors.bundle.dll.js:316
$digest @ vendors.bundle.dll.js:316
$apply @ vendors.bundle.dll.js:316
bootstrapApply @ vendors.bundle.dll.js:316
invoke @ vendors.bundle.dll.js:316
doBootstrap @ vendors.bundle.dll.js:316
bootstrap @ vendors.bundle.dll.js:316
chrome.bootstrap @ commons.bundle.js:10
LegacyPlatformService.start @ commons.bundle.js:10
CoreSystem.start @ commons.bundle.js:10
(anonymous) @ readonlyrest_kbn.bundle.js:1
Promise.then (async)
964 @ readonlyrest_kbn.bundle.js:1
__webpack_require__ @ readonlyrest_kbn.bundle.js:1
checkDeferredModules @ readonlyrest_kbn.bundle.js:1
(anonymous) @ readonlyrest_kbn.bundle.js:1
(anonymous) @ readonlyrest_kbn.bundle.js:1

Hey @sscarduzio!
Any updates?

Hi @Maligos,

Thanks for the wait. Here is the latest available build with a ton of bug fixes:

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/tmp/kibana/readonlyrest_kbn_enterprise-1.18.5-pre3_es6.7.1.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20190807/eu-west-1/s3/aws4_request&X-Amz-Date=20190807T135107Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=365df12b5ed650af1c3d1a7e7eeaec8b870695b771dc263627efced88340440b

Hello @sscarduzio!

The issue with the RoR config is solved in the new release, but “Invalid cookie” still happens :(

Oh no, very strange! Will review.

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/tmp/kibana/readonlyrest_kbn_enterprise-1.18.5-pre4_es6.7.1.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20190808/eu-west-1/s3/aws4_request&X-Amz-Date=20190808T100140Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=9d8db4f27e227b9c35b2abb1ac9b1cc6e7f8517026eaef174781d4a97b8a29b1

Again. After deploying the new version:

{"statusCode":400,"error":"Bad Request","message":"Invalid cookie value"}

Hello @sscarduzio!
Do you have a new build for test?

I found the issue, man, this was really difficult. The bug was in the SAML library. Will give you a build soon.

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/build/1.18.5-pre6/trial/20190813/enterprise/readonlyrest_kbn_enterprise-1.18.5-pre6-20190813_es6.7.1.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20190813/eu-west-1/s3/aws4_request&X-Amz-Date=20190813T154725Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=19f11542d59a64f3079f69134b0fdb963dd2f22a3fe166fa2393772fa1a84f46