Hi,
we have several Kibana instances (for several Elasticsearch instances) on one server; each has its own IP address and hostname, but they all use the same port.
netstat -ltnp | grep 5601
tcp 0 0 10.0.10.10:5601 0.0.0.0:* LISTEN 39982/node
tcp 0 0 10.0.10.11:5601 0.0.0.0:* LISTEN 39370/node
tcp 0 0 10.0.10.12:5601 0.0.0.0:* LISTEN 60427/node
When we enable SAML SSO on the first Kibana instance, a new service on port 5602 appears on our server.
When we try to configure the second instance, Kibana crashes with this error:
ROR log level: info. Kibana logger chosen: info
Warning: connect.session() MemoryStore is not
designed for a production environment, as it will leak
memory, and will not scale past a single process.
/srv/app/sys/trace/elastic/kibana-6.7.2-linux-x86_64/plugins/readonlyrest_kbn/server/routes/lib/connectors/saml/samlExpressServer.js:249
const bind = typeof port === 'string' ? 'Pipe ' + port : 'Port ' + port;
^
ReferenceError: port is not defined
at Server.server.on.error (/srv/app/sys/trace/elastic/kibana-6.7.2-linux-x86_64/plugins/readonlyrest_kbn/server/routes/lib/connectors/saml/samlExpressServer.js:244:23)
at Server.emit (events.js:189:13)
at emitErrorNT (net.js:1304:8)
at process._tickCallback (internal/process/next_tick.js:63:19)
[FAILED]
When we stop the first Kibana SSO instance, the second one starts OK.
Then, when we try to start the first one again, Kibana crashes with the same error as shown above.
It seems the problem is the service running at :::5602.
Is there a way to configure a specific IP address for this service?
ReadonlyREST Security version enterprise-1.24.0_es6.7.2
our config:
readonlyrest_kbn.auth:
  signature_key: "some_key"
  saml_serv1:
    enabled: true
    type: saml
    issuer: "https://our_url.com/our-instance/"
    buttonName: "SSO Login"
    entryPoint: "https://our-idp.com/adfs/ls/" # identity Provider's URL, to request to sign on
    kibanaExternalHost: "our_url.com/" # public URL used by the Identity Provider to call back Kibana with the "assertion" message
    protocol: https # is the Kibana server listening for "http" or "https" connections? Default: http
    usernameParameter: "nameID"
    identifierFormat: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    groupsParameter: "http://schemas.xmlsoap.org/claims/Group"
    logoutUrl: "https://our-idp.com/adfs/ls/?wa=wsignout1.0"
    disableRequestedAuthnContext: true
OK that's what I expected. You are right, we don't really specify what host we should bind our internal SSO server. Will add a JIRA ticket for this, and check it out.
In the meantime, as a workaround (which actually would be a better way to operate), I suggest you try putting those Kibana instances into containers.