I need help! I configured readonlyrest.yml and kibana.yml as the documentation guided. It starts fine without any errors, but I can’t see any SAML button on the Kibana login screen. I don’t know where I can see an issue.
First of all, there is no need to use the underscore; we have the code button in the forum editor to preserve the indentation.
In your kibana.yml:
logLevel should be indented to the same level as “auth”.
For reference, this is my dev environment configuration file, maybe it’s useful for inspiration:
readonlyrest_kbn:
  clearSessionOnEvents: ["login"]
  session_timeout_minutes: 99999
  cookiePass: "12345678901234567890123456789012"
  logLevel: debug
  auth:
    signature_key: "my_shared_secret_kibana1_(min 256 chars)my_shared_secret_kibana1_(min 256 chars)my_shared_secret_kibana1_(min 256 chars)my_shared_secret_kibana1_(min 256 chars)" # <- use environmental variables for better security!
    saml:
      #type: saml
      enabled: false
      buttonName: 'Employees SAML SSO'
      issuer: 'ror'
      entryPoint: 'http://localhost:8080/simplesaml/saml2/idp/SSOService.php'
      kibanaExternalHost: 'localhost:5601' # <-- public URL used by the Identity Provider to call back Kibana with the "assertion" message
      usernameParameter: 'email'
      groupsParameter: 'eduPersonAffiliation'
      logoutUrl: 'http://localhost:8080/simplesaml/saml2/idp/SingleLogoutService.php'
    saml2:
      buttonName: 'Partners SAML SSO'
      enabled: false
      type: saml
      issuer: 'ror'
      entryPoint: 'http://localhost:8080/simplesaml/saml2/idp/SSOService.php'
      kibanaExternalHost: 'localhost:5601' # <-- public URL used by the Identity Provider to call back Kibana with the "assertion" message
      usernameParameter: 'email'
      groupsParameter: 'eduPersonAffiliation'
      logoutUrl: 'http://localhost:8080/simplesaml/saml2/idp/SingleLogoutService.php'
    saml_kc:
      buttonName: 'KeyCloak SAML SSO'
      enabled: true
      type: saml
      issuer: 'ror'
      # entryPoint: 'http://127.0.0.1:8080/auth/realms/master/broker/saml/endpoint'
      entryPoint: 'http://127.0.0.1:8080/auth/realms/master/protocol/saml'
      kibanaExternalHost: 'localhost:5601' # <-- public URL used by the Identity Provider to call back Kibana with the "assertion" message
      usernameParameter: 'nameID'
      groupsParameter: 'Role'
      logoutUrl: 'http://127.0.0.1:8080/auth/realms/master/broker/saml/endpoint'
# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601
# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: "localhost"
# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""
# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# This setting was effectively always `false` before Kibana 6.3 and will
# default to `true` starting in Kibana 7.0.
#server.rewriteBasePath: false
# The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576
# The Kibana server's name. This is used for display purposes.
#server.name: "your-hostname"
# The URLs of the Elasticsearch instances to use for all your queries.
#elasticsearch.hosts: ["http://localhost:9200"]
# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
#elasticsearch.preserveHost: true
# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
#kibana.index: ".kibana"
# The default application to load.
#kibana.defaultAppId: "home"
# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
#elasticsearch.username: "user"
#elasticsearch.password: "pass"
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key
# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files validate that your Elasticsearch backend uses the same key files.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
# To disregard the validity of SSL certificates, change this setting's value to 'none'.
#elasticsearch.ssl.verificationMode: none
# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500
# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000
# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]
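
The nesting problem described in this reply can be checked mechanically. The following is an added example, not part of the original post or of ReadonlyREST: a standard-library Python lint for block-style kibana.yml text. The sample configs are constructed, and treating a connector as active when it has `enabled: true` and `type: saml` (as `saml_kc` does above) is an assumption.

```python
import re

ROOT = "readonlyrest_kbn"
# Constructed samples. BAD nests logLevel under auth, the mistake named in the reply.
GOOD = """\
readonlyrest_kbn:
  logLevel: debug
  auth:
    signature_key: "placeholder"  # constructed value
    saml_kc:
      enabled: true
      type: saml
"""
BAD = """\
readonlyrest_kbn:
  auth:
    logLevel: debug
    signature_key: "placeholder"
    saml_kc:
      enabled: true
      type: saml
"""

def key_paths(text):
    """Map dotted key path -> scalar, from indentation alone (block style, no lists)."""
    paths, stack = {}, []  # stack holds (indent, key) for the current ancestors
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments (simplified)
        m = re.match(r"^( *)([A-Za-z_][\w.]*):\s*(.*)$", line)
        if not m:
            continue  # blank line or full-line comment
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("'\" ")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave blocks that are as deep as or deeper than this key
        stack.append((indent, key))
        paths[".".join(k for _, k in stack)] = value
    return paths

def active_saml_connectors(p):
    """Connector names under auth with enabled: true and type: saml (assumed rule)."""
    prefix = f"{ROOT}.auth."
    return sorted(k[len(prefix):-len(".enabled")] for k, v in p.items()
                  if k.startswith(prefix) and k.endswith(".enabled") and v == "true"
                  and p.get(k[:-len("enabled")] + "type") == "saml")

def lint(text):
    p, problems = key_paths(text), []
    if f"{ROOT}.auth" not in p:
        problems.append("no auth block under readonlyrest_kbn")
    for path in p:
        if path.split(".")[-1] == "logLevel" and path != f"{ROOT}.logLevel":
            problems.append(f"logLevel at {path}; expected {ROOT}.logLevel")
    if not active_saml_connectors(p):
        problems.append("no connector with enabled: true and type: saml")
    return problems
```

A file whose indentation was lost entirely (every key at column 0) is reported as having no auth block.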