SAML integration - redirect back to kibana-assertion - failing


(velmurugan baskaran) #1

Integrated ReadonlyREST SAML with IDM, and it is failing after redirecting from IDM. Steps:

  1. Enabled SAML integration in Kibana-readonly rest
  2. Clicked - Enter using SAML SSO
  3. Page now redirected to IDP
  4. Authentication completed and got the valid response back from IDP.
  5. Redirected to the kibana-assert URL and it is failing; it states "Could not login: Unauthorized (401)"

Here are the config details. Please check and assist.

readonlyrest.yml

readonlyrest:
    access_control_rules:

    - name: "::KIBANA-SRV::"
      auth_key: user:password

    - name: "ReadonlyREST Enterprise instance #1"
      ror_kbn_auth:
        name: "kbn1"

    ror_kbn:
    - name: kbn1
      signature_key: "iupdatedthissignaturekey"

kibana.yml:

 xpack.security.enabled: false
 readonlyrest_kbn.auth:
   signature_key: "iupdatedthissignaturekey"
   saml:
     enabled: true
     entryPoint: 'endpoint'
     kibanaExternalHost: 'localhost:5601/ror_kbn_sso/assert'
     usernameParameter: 'email'
     groupsParameter: 'memberOf'
     logoutUrl: 'https://sso-localtest.fi/uas/saml2/sp/SingleLogoutService'

SAML response attributes:

<saml:AttributeStatement>
  <saml:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="" xmlns:xsi="" xsi:type="xs:string">dna_users/User</saml:AttributeValue>
    <saml:AttributeValue xmlns:xs="" xmlns:xsi="" xsi:type="xs:string">dna_users/OrganizationMainUser</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
    <saml:AttributeValue xmlns:xs="" xmlns:xsi="" xsi:type="xs:string">[email protected]</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

Thank you.


(Simone Scarduzio) #2

This is wrong, it should have no paths.

I have this:

kibanaExternalHost: 'localhost:5601'

(velmurugan baskaran) #3

Thank you, Simone. It works :)
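
A pre-flight check for the settings discussed in this thread, as an added example that is not part of the original posts or of ReadonlyREST's own code: it flags a kibanaExternalHost that carries a path, signature keys that differ between the two files, and username/group parameters that name no attribute in the assertion. The function name, the dict layout and the sample assertion are constructed for illustration; treating usernameParameter and groupsParameter as assertion attribute names is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample modelled on the attribute statement in the first post.
SAMPLE_ASSERTION = """
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="roles">
    <saml:AttributeValue>dna_users/User</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email">
    <saml:AttributeValue>user@example.test</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def check_ror_saml(es_key, kbn_auth, assertion_xml):
    """Return a list of findings for already-parsed settings (hypothetical helper).

    es_key        -- signature_key from readonlyrest.yml (ror_kbn section)
    kbn_auth      -- dict of the readonlyrest_kbn.auth section of kibana.yml
    assertion_xml -- AttributeStatement captured from the IdP response
    """
    findings = []
    saml = kbn_auth.get("saml", {})

    # The fix from the thread: host[:port] only, no path component.
    host = saml.get("kibanaExternalHost", "")
    parts = urlsplit(host if "://" in host else "//" + host)
    if parts.path:
        findings.append(f"kibanaExternalHost has a path: {parts.path!r}")

    # Both plugins must share the same signing secret.
    if es_key != kbn_auth.get("signature_key"):
        findings.append("signature_key differs between the two files")

    # Assumption: these settings name attributes inside the assertion.
    root = ET.fromstring(assertion_xml)
    names = {a.get("Name") for a in root.iterfind(".//saml:Attribute", SAML_NS)}
    for setting in ("usernameParameter", "groupsParameter"):
        wanted = saml.get(setting)
        if wanted and wanted not in names:
            findings.append(f"{setting} {wanted!r} not in assertion {sorted(names)}")
    return findings
```

Running it against the values from the first post reports the path in kibanaExternalHost and also that 'memberOf' does not appear among the assertion's attribute names ('roles' and 'email').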