SAML configuration

Hi.

I am testing the SAML integration of the Enterprise version of Kibana Plugin. My current setup is:

  • Elasticsearch 7.16.1
  • Kibana 7.16.1
  • Elasticsearch ROR plugin readonlyrest-1.39.0_es7.17.3.zip
  • Kibana ROR plugin readonlyrest_kbn_enterprise-1.43.0-20220902_es7.16.1.zip
  • keycloak 19.0.2

The content of kibana.yaml:

readonlyrest_kbn.auth:
  signature_key: "long key"
  saml_serv1:
    enabled: true
    type: saml
    issuer: ror
    buttonName: "Partner's SSO Login"
    entryPoint: 'http://localhost:8081/realms/LDAP/broker/saml/endpoint'
    kibanaExternalHost: 'vkibana.obs'
    protocol: https
    usernameParameter: 'nameID'
    groupsParameter: 'memberOf'
    logoutUrl: 'idp logout url'
    cert: 'path/to/idp/certificate'

And the content of readonlyrest.yaml:

readonlyrest:
  audit_collector: true
  audit_index_template: "'readonlyrest_audit'-yyyy"
  prompt_for_basic_auth: true
  ssl:
    enable: true
    keystore_file: keystore.jks
    keystore_pass: changeme
    key_pass: changeme
  response_if_req_forbidden: Access forbidden
  access_control_rules:
  - name: "::KIBANA-SRV::"
    auth_key: kibana:kibana
    kibana_access: admin
    indices: ["*"]
    verbosity: error
  - name: "ReadonlyREST Enterprise instance #1"
    ror_kbn_auth:
      name: "kbn1"
    verbosity: error

  ror_kbn:
  - name: kbn1
    signature_key: "long key"

On the browser, this is the login page shown:

And after submitting valid credentials, this is the result:

From the browser console, no attempts to reach the IdP are shown:

The logs from elasticsearch:

{"type": "server", "timestamp": "2022-09-22T17:15:38,916Z", "level": "INFO", "component": "t.b.r.c.l.ConfigLoadingInterpreter$", "cluster.name": "piab-cluster", "node.name": "node-piab", "message": "[CLUSTERWIDE SETTINGS] Loading ReadonlyREST settings from index (.readonlyrest) ...", "cluster.uuid": "2FdkiYsAQi2GOfjynLv_rA", "node.id": "Ob8Tn75WTY-V_3vsCK1ipg"  }
...
{"type": "server", "timestamp": "2022-09-22T17:15:39,254Z", "level": "WARN", "component": "t.b.r.e.IndexLevelActionFilter", "cluster.name": "piab-cluster", "node.name": "node-piab", "message": "[486554789-2063101315#90] Cannot handle the request /_nodes because ReadonlyREST hasn't started yet", "cluster.uuid": "2FdkiYsAQi2GOfjynLv_rA", "node.id": "Ob8Tn75WTY-V_3vsCK1ipg"  }
...
{"type": "server", "timestamp": "2022-09-22T17:16:04,239Z", "level": "INFO", "component": "t.b.r.a.f.RawRorConfigBasedCoreFactory", "cluster.name": "piab-cluster", "node.name": "node-piab", "message": "ADDING BLOCK:\t{ name: 'ReadonlyREST Enterprise instance #1', policy: ALLOW, rules: [ror_kbn_auth]", "cluster.uuid": "2FdkiYsAQi2GOfjynLv_rA", "node.id": "Ob8Tn75WTY-V_3vsCK1ipg"  }
{"type": "server", "timestamp": "2022-09-22T17:16:04,254Z", "level": "INFO", "component": "t.b.r.b.RorInstance", "cluster.name": "piab-cluster", "node.name": "node-piab", "message": "ReadonlyREST core was loaded ...", "cluster.uuid": "2FdkiYsAQi2GOfjynLv_rA", "node.id": "Ob8Tn75WTY-V_3vsCK1ipg"  }
...
{"type": "server", "timestamp": "2022-09-22T17:38:58,591Z", "level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "cluster.name": "piab-cluster", "node.name": "node-piab", "message": "\u001B[35mFORBIDDEN by default req={ ID:1376486176-386471685#4693, TYP:RRUserMetadataRequest, CGR:N/A, USR:[no info about user], BRS:true, KDX:null, ACT:cluster:ror/user_metadata/get, OA:10.191.1.59/32, XFF:null, DA:10.191.1.58/32, IDX:<N/A>, MET:GET, PTH:/_readonlyrest/metadata/current_user, CNT:<N/A>, HDR:Accept-Encoding=gzip,deflate, Accept=*/*, Connection=close, Host=velasticsearch:9200, User-Agent=node-fetch/1.0 (+https://github.com/bitinn/node-fetch), content-length=0, HIS:[::KIBANA-SRV::-> RULES:[auth_key->false]], [ReadonlyREST Enterprise instance #1-> RULES:[ror_kbn_auth->false]], }\u001B[0m", "cluster.uuid": "2FdkiYsAQi2GOfjynLv_rA", "node.id": "Ob8Tn75WTY-V_3vsCK1ipg"  }
{"type": "server", "timestamp": "2022-09-22T17:38:59,179Z", "level": "INFO", "component": "t.b.r.a.l.AccessControlLoggingDecorator", "cluster.name": "piab-cluster", "node.name": "node-piab", "message": "\u001B[35mFORBIDDEN by default req={ ID:1935410978-209393980#4694, TYP:NodesInfoRequest, CGR:N/A, USR:kibana_system (attempted), BRS:true, KDX:null, ACT:cluster:monitor/nodes/info, OA:10.191.1.59/32, XFF:null, DA:10.191.1.58/32, IDX:<N/A>, MET:GET, PTH:/_nodes, CNT:<N/A>, HDR:Accept-Charset=utf-8, Authorization=<OMITTED>, Host=velasticsearch:9200, connection=close, content-length=0, user-agent=elasticsearch-js/7.16.0-canary.7 (linux 5.14.0-1051-oem-x64; Node.js v16.13.0), x-elastic-client-meta=es=7.16.0p,js=16.13.0,t=7.16.0p,hc=16.13.0, x-elastic-product-origin=kibana, HIS:[::KIBANA-SRV::-> RULES:[auth_key->false]], [ReadonlyREST Enterprise instance #1-> RULES:[ror_kbn_auth->false]], }\u001B[0m", "cluster.uuid": "2FdkiYsAQi2GOfjynLv_rA", "node.id": "Ob8Tn75WTY-V_3vsCK1ipg"  }

The current setup works fine with LDAP authentication.

Thanks in advance

The issue is in kibana.yml because the login with SAML button does not show as it should.

Could be some indentation issue. Please set the ROR plugin in trace mode and look for the line with the JSON transcription of the configuration.

readonlyrest_kbn:
    logLevel: 'trace'

This is the screenshot from our integration tests, and the extra SAML/OIDC button does show.



This is our JSON translation log line, see how it's structured.
 
[07:42:40:738] [trace][plugins][ReadonlyREST][kibanaConfigInterceptor] Found configuration object:
 {
  "server": {
    "host": "0.0.0.0",
    "port": 5601,
    "ssl": {
      "enabled": true,
      "certificate": "/etc/cert/localhost.cer",
      "key": "/etc/cert/localhost.key"
    }
  },
  "elasticsearch": {
    "ssl": {
      "verificationMode": "none"
    },
    "pingTimeout": 3000,
    "requestTimeout": 30000,
    "hosts": [
      "http://localhost:9200"
    ],
    "username": "kibana",
    "password": "kibana"
  },
  "csp": {
    "strict": false
  },
  "xpack": {
    "encryptedSavedObjects": {
      "encryptionKey": "19+230i1902i310293213i109312i31209302193219039120i3j23h31h3h213h123!"
    }
  },
  "telemetry": {
    "enabled": false
  },
  "readonlyrest_kbn": {
    "cookiePass": "12312313123213123213123adadasdasdasd",
    "logLevel": "trace",
    "whitelistedPaths": [
      ".*/api/status$"
    ],
    "clearSessionOnEvents": [
      "login",
      "tenancyHop"
    ],
    "sessions_probe_interval_seconds": 60,
    "store_sessions_in_index": true,
    "login_title": "Custom Title!",
    "login_subtitle": "PRO/Enteprise: You should see a red border, a tiny unicorn logo, a two column page, and this text. You should see none of these customisation when testing ROR Free.",
    "login_custom_logo": "https://i.imgur.com/MdRBUfV.gif",
    "login_html_head_inject": "<style> body { border: 3px solid red; }</style>",
    "auth": {
      "signature_key": "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",
      "saml_kc": {
        "buttonName": "KeyCloak SAML SSO",
        "enabled": true,
        "type": "saml",
        "issuer": "ror",
        "entryPoint": "http://localhost:8080/auth/realms/ror/protocol/saml",
        "kibanaExternalHost": "localhost:5601",
        "protocol": "https",
        "usernameParameter": "nameID",
        "groupsParameter": "Role",
        "logoutUrl": "http://localhost:8080/auth/realms/ror/protocol/saml",
        "YOU_SHOULD_READ_ME_IN_STRATEGY_CONFIGURATION_LOG": "unknown conf params should be passed unmodified to the underlying passport-saml library",
        "cert": "PLACEHOLDER_TO_CHANGE_INTO_REAL_KEYCLOAK_CERTIFICATE"
      },
      "oidc_kc": {
        "buttonName": "KeyCloak OpenID",
        "type": "oidc",
        "protocol": "https",
        "issuer": "http://kc.localhost:8080/auth/realms/ror",
        "authorizationURL": "http://kc.localhost:8080/auth/realms/ror/protocol/openid-connect/auth",
        "tokenURL": "http://kc.localhost:8080/auth/realms/ror/protocol/openid-connect/token",
        "userInfoURL": "http://kc.localhost:8080/auth/realms/ror/protocol/openid-connect/userinfo",
        "clientID": "ror_oidc",
        "clientSecret": "ff53392b-bcae-4f19-8891-1f39fb121df8",
        "scope": "openid profile roles role_list_oidc email",
        "usernameParameter": "preferred_username",
        "groupsParameter": "groups",
        "kibanaExternalHost": "localhost:5601",
        "logoutUrl": "http://kc.localhost:8080/auth/realms/ror/protocol/openid-connect/logout",
        "jwksURL": "http://kc.localhost:8080/auth/realms/ror/protocol/openid-connect/certs"
      }
    }
  },
  "plugins": {
    "paths": []
  }
}
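As an added check (not part of this thread or of the ROR plugin), a small Python linter over the parsed "Found configuration object" JSON that the trace log prints. It assumes the provider keys shown in the kibana.yml above and flags a provider block that landed outside readonlyrest_kbn.auth (the indentation slip suggested here), a missing key, enabled not set to true, and a signature_key that does not match the ror_kbn entry in readonlyrest.yml.

```python
import json

# Keys every SAML provider block carries in the kibana.yml shown in this thread.
SAML_REQUIRED = ("enabled", "type", "issuer", "entryPoint", "kibanaExternalHost",
                 "protocol", "usernameParameter", "groupsParameter", "logoutUrl", "cert")

def _walk(node, path=()):
    """Yield (path, dict) for every nested dict in the parsed configuration object."""
    if isinstance(node, dict):
        yield path, node
        for key, value in node.items():
            yield from _walk(value, path + (key,))

def auth_providers(config):
    """Provider blocks found where the plugin expects them: under readonlyrest_kbn.auth."""
    auth = config.get("readonlyrest_kbn", {}).get("auth", {})
    return {name: block for name, block in auth.items() if isinstance(block, dict)}

def misplaced_providers(config):
    """Dotted paths of saml/oidc-looking blocks that sit outside readonlyrest_kbn.auth."""
    return [".".join(path) for path, block in _walk(config)
            if block.get("type") in ("saml", "oidc") and path[:2] != ("readonlyrest_kbn", "auth")]

def lint_config(config, es_signature_key=None):
    """Return human-readable findings; an empty list means nothing looked suspicious."""
    findings = []
    providers = auth_providers(config)
    if not providers:
        findings.append("no provider block under readonlyrest_kbn.auth: no SSO button can be rendered")
    for name, block in providers.items():
        if block.get("type") == "saml":
            for key in SAML_REQUIRED:
                if key not in block:
                    findings.append(f"{name}: missing '{key}'")
            if block.get("enabled") is not True:
                findings.append(f"{name}: 'enabled' is not true")
    for path in misplaced_providers(config):
        findings.append(f"provider block at '{path}' is outside readonlyrest_kbn.auth (indentation?)")
    kbn_key = config.get("readonlyrest_kbn", {}).get("auth", {}).get("signature_key")
    if es_signature_key is not None and kbn_key != es_signature_key:
        findings.append("signature_key differs between kibana.yml and readonlyrest.yml ror_kbn entry")
    return findings

# Constructed sample: the trace log's JSON object with saml_serv1 indented one level too high.
SAMPLE_JSON = """{"readonlyrest_kbn": {"logLevel": "trace", "auth": {"signature_key": "long key"},
  "saml_serv1": {"enabled": true, "type": "saml", "issuer": "ror", "protocol": "https",
    "entryPoint": "http://localhost:8081/realms/LDAP/broker/saml/endpoint"}}}"""

def lint_sample():
    return lint_config(json.loads(SAMPLE_JSON), es_signature_key="long key")
```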

Hi @sscarduzio

I made a fresh complete install and now it seems to be working. At least the Kibana plugin part. Now I have to finish the configuration on the IdP.

Thanks
