More SSO enabled Kibana instances at one server.

Hi,
we have more Kibana instances (for more elasticsearch instaces) at one server, each one have own ip address and hostname, but the same port.
netstat -ltnp | grep 5601
tcp 0 0 10.0.10.10:5601 0.0.0.0:* LISTEN 39982/node
tcp 0 0 10.0.10.11:5601 0.0.0.0:* LISTEN 39370/node
tcp 0 0 10.0.10.12:5601 0.0.0.0:* LISTEN 60427/node

When we enable saml sso on the first Kibana instance a new service on 5602 port appears on our server.

netstat -ltnp | grep 5602
tcp6 0 0 :::* LISTEN 39982/node

And SSO is working well.

When we try to configure the second instance, the Kibana crash with the error:

ROR log level: info. Kibana logger chosen: info
Warning: connect.session() MemoryStore is not
designed for a production environment, as it will leak
memory, and will not scale past a single process.
/srv/app/sys/trace/elastic/kibana-6.7.2-linux-x86_64/plugins/readonlyrest_kbn/server/routes/lib/connectors/saml/samlExpressServer.js:249
const bind = typeof port === ‘string’ ? 'Pipe ’ + port : 'Port ’ + port;
^

ReferenceError: port is not defined
at Server.server.on.error (/srv/app/sys/trace/elastic/kibana-6.7.2-linux-x86_64/plugins/readonlyrest_kbn/server/routes/lib/connectors/saml/samlExpressServer.js:244:23)
at Server.emit (events.js:189:13)
at emitErrorNT (net.js:1304:8)
at process._tickCallback (internal/process/next_tick.js:63:19)
.[60G[.[0;31mFAILED.[0;39m]

When we stop the first Kibana SSO instance, the second starts OK.

Then when we try to start the first, kibana crash with the same error as you can see above.

It seems that problem is in service running at :::5602.

Is there a way how to config a specific IP address for this service?

ReadonlyREST Security version enterprise-1.24.0_es6.7.2
our config:

readonlyrest_kbn.auth:
signature_key: “some_key”
saml_serv1:
enabled: true
type: saml
issuer: ‘https://our_url.com/our-instance/’
buttonName: ‘SSO Login’
entryPoint: ‘https://our-idp.com/adfs/ls/’ # <-- identity Provider’s URL, to request to sign on
kibanaExternalHost: ‘our_url.com/’ # <-- public URL used by the Identity Provider to call back Kibana with the “assertion” message
protocol: https # <-- is the Kibana server listening for “http” “https” connections? Default: http
usernameParameter: ‘nameID’
identifierFormat: ‘urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified’
groupsParameter: ‘http://schemas.xmlsoap.org/claims/Group
logoutUrl: ‘https://our-idp.com/adfs/ls/?wa=wsignout1.0
disableRequestedAuthnContext: true

I try to find how to configure the service here:



But without success…

So you are using “server.host” in your kibana.yml to bind a Kibana instance to a specific address?

Yes
server.port: 5601
server.host: our-instance-name.our-url.com

1 Like

OK that’s what I expected. You are right, we don’t really specify what host we should bind our internal SSO server. Will add a JIRA ticket for this, and check it out.

In the meantime, as a workaround (which actually would be a better way to operate), I suggest you try putting those Kibana instances into containers.