Hi,
We are trying to set up our test cluster using Kibana & Elasticsearch plugin with AD Federation Services via SAML.
We followed instructions from readonlyrest-docs and achieved partial success.
For now, we have a working cluster with SAML authentication, but only when we start from the ADFS sign-on page.
And we have no idea how to configure it further to get a valid redirection from the Kibana logon page to the ADFS sign-on page using the SAML SSO button.
What are we doing wrong?
Kibana.yml
readonlyrest_kbn.auth:
  saml:
    enabled: true
    entryPoint: "https://adfs.pl.local-ad/adfs/ls/idpinitiatedsignon.aspx"
    privateCert: "/etc/pki/host/host.key"
    cert: "/etc/kibana/certs/adfs.pl.local-ad.crt"
    authnContext: "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows"
    kibanaExternalHost: "host.pl.local-ad" # public URL used by the Identity Provider to call back Kibana with the "assertion" message
    usernameParameter: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" # "nameID"
    groupsParameter: "http://schemas.xmlsoap.org/claims/Group"
    signature_key: "123456.123456.123456.123456.123456.123456.123456.123456.123456.123456.123456.123456.123456.123456.123456.123456"
SAML Token:
<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="0b2e9f152008c25b8359" Version="2.0" IssueInstant="2019-01-25T12:39:27.131Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://host.pl.local-ad/ror_kbn_sso/assert" Destination="https://adfs.pl.local-ad/adfs/ls/idpinitiatedsignon.aspx">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">onelogin_saml</saml:Issuer>
  <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
  <samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact">
    <saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Info from ADFS logs:
Encountered error during federation passive request.
Additional Data
Protocol Name:
Relying Party:
Exception details:
System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
at System.Convert.FromBase64_Decode(Char* startInputPtr, Int32 inputLength, Byte* startDestPtr, Int32 destLength)
at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
at System.Convert.FromBase64String(String s)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.DecodeMessageInternal(String message)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
at Microsoft.IdentityServer.Protocols.Saml.HttpRedirectSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Encountered error during federation passive request.
Additional Data
Protocol Name: Saml
Relying Party: host
Exception details:
System.UriFormatException: Invalid URI: The format of the URI could not be determined.
at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlSignInContext.ValidateCore()
at Microsoft.IdentityServer.Web.Protocols.ProtocolContext.Validate()
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.EvaluateHomeRealm(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

The request specified an Assertion Consumer Service URL "http://host.pl.local-ad:5600/ror_kbn_sso/assert" that is not configured on the relying party "microsoft:identityserver:host".
Assertion Consumer Service URL: http://host.pl.local-ad:5600/ror_kbn_sso/assert
Relying party: microsoft:identityserver:host
This request failed.
User Action
Use the AD FS Management snap-in to configure an Assertion Consumer Service with the specified URL for this relying party
Thanks in advance!
Patryk
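The two ADFS events quoted in the post are checks the IdP runs on an SP-initiated AuthnRequest before it looks at any signature: the SAMLRequest query parameter must be DEFLATE-compressed and base64-encoded (HTTP-Redirect binding), and the AssertionConsumerServiceURL in the request must be one registered on the relying party. The script below is an added example written for this thread; it is not code from the post, from ReadonlyREST or from ADFS. It re-implements the Redirect-binding encoding, then decodes a redirect URL and reports the same conditions the ADFS log complains about. The function names (encode_redirect_param, decode_redirect_param, build_redirect_url, inspect_redirect_url) are assumptions, and the sample AuthnRequest is constructed from the attributes shown in the post (with the port 5600 ACS URL from the log), trimmed to the elements the checks need.

```python
"""Re-create the SAML 2.0 HTTP-Redirect binding encoding and check a redirect URL
the way an IdP such as ADFS does before validating the request itself.
Added example for this thread; function names are assumptions."""
import base64
import binascii
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample built from the AuthnRequest quoted in the post; the ACS URL
# carries the :5600 port that the ADFS "not configured" event reported.
SAMPLE_AUTHN_REQUEST = (
    '<?xml version="1.0"?>'
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="0b2e9f152008c25b8359" Version="2.0" IssueInstant="2019-01-25T12:39:27.131Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="http://host.pl.local-ad:5600/ror_kbn_sso/assert" '
    'Destination="https://adfs.pl.local-ad/adfs/ls/idpinitiatedsignon.aspx">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">onelogin_saml</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_param(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header/trailer, wbits=-15), then base64.
    Percent-encoding is done by the caller that assembles the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_param(value: str) -> str:
    """Inverse of encode_redirect_param. A value that is not clean base64 raises
    binascii.Error, the Python counterpart of ADFS's System.FormatException."""
    raw = base64.b64decode(value, validate=True)
    return zlib.decompress(raw, -15).decode("utf-8")


def build_redirect_url(idp_endpoint: str, xml_text: str, relay_state: str = "/") -> str:
    """Assemble the redirect the SP sends the browser to; urlencode percent-encodes
    the '+' and '/' characters that base64 output contains."""
    query = urllib.parse.urlencode(
        {"SAMLRequest": encode_redirect_param(xml_text), "RelayState": relay_state}
    )
    return f"{idp_endpoint}?{query}"


def inspect_redirect_url(url: str, configured_acs_urls: set, idp_sso_endpoint: str) -> dict:
    """Extract SAMLRequest from a redirect URL and report: can it be decoded, is the
    ACS URL one the relying party trusts, and is Destination the IdP's SSO endpoint."""
    report = {"decodable": False, "acs_url": None, "acs_configured": False,
              "destination_ok": False, "error": None}
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    param = params.get("SAMLRequest", [None])[0]
    if param is None:
        report["error"] = "no SAMLRequest parameter in the URL"
        return report
    try:
        xml_text = decode_redirect_param(param)
    except (binascii.Error, zlib.error, UnicodeDecodeError) as exc:
        # Mirrors the first ADFS event: the parameter never reached the XML parser.
        report["error"] = f"SAMLRequest is not deflate+base64: {exc.__class__.__name__}"
        return report
    report["decodable"] = True
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        report["error"] = f"unexpected root element {root.tag}"
        return report
    report["acs_url"] = root.get("AssertionConsumerServiceURL")
    # Mirrors the second ADFS event: ACS URL must match a registered endpoint exactly,
    # scheme, host and port included.
    report["acs_configured"] = report["acs_url"] in configured_acs_urls
    report["destination_ok"] = root.get("Destination") == idp_sso_endpoint
    return report


if __name__ == "__main__":
    # Assumed values for a stand-alone run; ADFS serves SAML 2.0 SSO at /adfs/ls/.
    idp = "https://adfs.pl.local-ad/adfs/ls/"
    registered = {"http://host.pl.local-ad/ror_kbn_sso/assert"}
    print(inspect_redirect_url(build_redirect_url(idp, SAMPLE_AUTHN_REQUEST), registered, idp))
```

Run against a real redirect captured from the browser's address bar, inspect_redirect_url gives the same three facts the ADFS events report, without needing access to the ADFS server logs. Two practical points the report surfaces: a SAMLRequest whose '+' characters were not percent-encoded is read back by the IdP with spaces in it and fails exactly with the Base-64 FormatException above, and the acs_url field must equal one of the relying party's configured endpoints character for character, so a port such as :5600 present in one place but not the other is enough to produce the "not configured on the relying party" event.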