Problem with SAML SSO button redirection to ADFS

Patryk491 · January 25, 2019, 2:20pm

Hi,

We are trying to set up our test cluster using Kibana & Elasticsearch plugin with AD Federation Services via SAML.
We followed instructions from readonlyrest-docs and achieved partial success.
For now, we have working cluster with SAML authentication but only when we start from ADFS signon page.

And we have no idea how to configure it further to get valid redirection from Kibana logon page to ADFS signon page using SAML SSO button.

What are we doing wrong?

Kibana.yml

readonlyrest_kbn.auth:
saml:
enabled: true
entryPoint: ‘h_t_t_p_s://adfs.pl.local-ad/adfs/ls/idpinitiatedsignon.aspx’
privateCert: ‘/etc/pki/host/host.key’
cert: ‘/etc/kibana/certs/adfs.pl.local-ad.crt’
authnContext: ‘h_t_t_p_://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows’
kibanaExternalHost: ‘host.pl.local-ad’ # ← public URL used by the Identity Provider to call back Kibana with the “assertion” message
usernameParameter: “h_t_t_p_://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” # ‘nameID’
groupsParameter: “h_t_t_p_://schemas.xmlsoap.org/claims/Group”
signature_key: “123456.123456.123456.123456.123456.123456.123456.123456.123456.123456.123456.123456.123456.123456.123456.123456”

SAML Token:

<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol” ID=“0b2e9f152008c25b8359" Version=“2.0” IssueInstant=“2019-01-25T12:39:27.131Z” ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:h_t_t_p-POST” AssertionConsumerServiceURL=“h_t_t_p_://host.pl.local-ad/ror_kbn_sso/assert” Destination=“h_t_t_p_s://adfs.pl.local-ad/adfs/ls/idpinitiatedsignon.aspx”>
<saml:Issuer xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>onelogin_saml</saml:Issuer>
<samlp:NameIDPolicy xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol” Format=“urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress” AllowCreate=“true”/>
<samlp:RequestedAuthnContext xmlns:samlp=“urn:oasis:names:tc:SAML:2.0:protocol” Comparison=“exact”>
<saml:AuthnContextClassRef xmlns:saml=“urn:oasis:names:tc:SAML:2.0:assertion”>h_t_t_p_://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/windows</saml:AuthnContextClassRef>
</samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Info from ADFS logs:

Encountered error during federation passive request.

Additional Data

Protocol Name:

Relying Party:

Exception details:
System.FormatException: The input is not a valid Base-64 string as it contains a non-base 64 character, more than two padding characters, or an illegal character among the padding characters.
at System.Convert.FromBase64_Decode(Char* startInputPtr, Int32 inputLength, Byte* startDestPtr, Int32 destLength)
at System.Convert.FromBase64CharPtr(Char* inputPtr, Int32 inputLength)
at System.Convert.FromBase64String(String s)
at Microsoft.IdentityServer.Protocols.Saml.h_t_t_p_SamlBindingSerializer.DecodeMessageInternal(String message)
at Microsoft.IdentityServer.Protocols.Saml.h_t_t_p_SamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
at Microsoft.IdentityServer.Protocols.Saml.h_t_t_p_SamlBindingSerializer.CreateFromNameValueCollection(Uri baseUrl, NameValueCollection collection)
at Microsoft.IdentityServer.Protocols.Saml.h_t_t_p_RedirectSamlBindingSerializer.ReadMessage(Uri requestUrl, NameValueCollection form)
at Microsoft.IdentityServer.Web.Protocols.Saml.h_t_t_p_SamlMessageFactory.CreateMessage(Wrappedh_t_t_p_ListenerRequest h_t_t_p_Request)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(Wrappedh_t_t_p_ListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(Wrappedh_t_t_p_ListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(Wrappedh_t_t_p_ListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(Wrappedh_t_t_p_ListenerContext context)

Encountered error during federation passive request.

Additional Data

Protocol Name:
Saml

Relying Party:
host

Exception details:
System.UriFormatException: Invalid URI: The format of the URI could not be determined.
at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlSignInContext.ValidateCore()
at Microsoft.IdentityServer.Web.Protocols.ProtocolContext.Validate()
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.GetRequiredPipelineBehaviors(ProtocolContext pContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.EvaluateHomeRealm(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(Wrappedh_t_t_p_ListenerContext context)

The request specified an Assertion Consumer Service URL ‘h_t_t_p_://host.pl.local-ad:5600/ror_kbn_sso/assert’ that is not configured on the relying party ‘microsoft:identityserver:host’.
Assertion Consumer Service URL: h_t_t_p_://host.pl.local-ad:5600/ror_kbn_sso/assert
Relying party: microsoft:identityserver:host

This request failed.

User Action
Use the AD FS Management snap-in to configure an Assertion Consumer Service with the specified URL for this relying party

Thanks in advance!
Patryk

sscarduzio · January 25, 2019, 3:53pm

Hi @Patryk491, we recently noticed that the URL in the button applies two times the URLEncoding. This is a bug we are at work with now.

Patryk491 · January 28, 2019, 12:05pm

Thanks for the answer, how long will it take you to prepare the fix?

sscarduzio · January 28, 2019, 12:07pm

Hi @Patryk491,

We have a hofix release available. What version of Kibana/ReadonlyREST are you currently using? Will provide the test build in private.

Patryk491 · January 28, 2019, 12:30pm

That’s awesome
We have:
ror 1.16.33
kibana 6.4.2

sscarduzio · January 31, 2019, 5:04pm

So the double encoding issue is fixed according to @Patryk491, now there is another issue such that we get this double “http://https” URL in the SAMLRequest XML.

'AssertionConsumerServiceURL=“[http://https](http://https/)://hostA.pl.local-ad:5600/ror_kbn_sso/assert”

So the idea is to avoid using the “https://” in the “kibanaExternalHost” and use the “protocol” setting so that ROR will compose the URLs correctly.

For example, this is how I have it configured:

readonlyrest_kbn.auth:
  signature_key: "sharedsecret123456"
  saml:
    enabled: true
    protocol: 'https'  # <--- use this
    kibanaExternalHost: 'ror-test.localtunnel.me' # <--- no URL schema
    entryPoint: 'https://idp-domain/myapp/sso/saml' 
    logoutUrl: 'https://idp-domain/myapp/slo/saml' 
    usernameParameter: 'nameID'
    groupsParameter: 'memberOf'

Patryk491 · February 1, 2019, 1:14pm

Thanks Simone, this change helped