SAML integration

Hello guys,

I need help! I configured readonlyrest.yml and kibana.yml as the documentation guides. It starts fine without any errors, but I can’t see any SAML button on the Kibana login screen. I don’t know where to look for the issue.

Btw LDAP auth works fine.

Could you help me?

kibana.yml:
elasticsearch.username: "user"
elasticsearch.password: "password"
elasticsearch.ssl.verificationMode: none
logging.quiet: true
server.port: 5601
readonlyrest_kbn:
logLevel: "debug"
  auth:
    signature_key: 'HEREIS256LENGHTKEY'
    saml:
      enabled: true
      issuer: '42a64855-8687-4602-947d-728f90a9b1f4'
      buttonName: "Partners SSO Login"
      entryPoint: 'https://oidc.provider.local/auth/realms/master/protocol/saml'
      kibanaExternalHost: 'kibana.test.local'
      protocol: http
      usernameParameter: "nameID"
      groupsParameter: "Role"
      logoutUrl: 'https://oidc.provider.local/auth/realms/master/broker/saml/endpoint'

readonlyrest.yml:
readonlyrest:
  enable: true
  audit_collector: false
  response_if_req_forbidden: "Message"

  access_control_rules:

  - name: "Require HTTP Basic Auth"
    type: allow
    auth_key: user:password

  - name: "ReadonlyREST Enterprise instance #1"
    ror_kbn_auth:
      name: "kbn1"

  ror_kbn:
  - name: kbn1
    signature_key: 'HEREIS256LENGHTKEY'

Hello @Maligos,

First of all, no need to use underscores; we have the code button in the forum editor to preserve the indentation :slight_smile:

In your kibana.yml:

logLevel should be indented to the same level as “auth”.

For reference, this is my dev environment configuration file, maybe it’s useful for inspiration:

readonlyrest_kbn:
  clearSessionOnEvents: ["login"]
  session_timeout_minutes: 99999
  cookiePass: "12345678901234567890123456789012"
  logLevel: debug
  auth:
    signature_key: "my_shared_secret_kibana1_(min 256 chars)my_shared_secret_kibana1_(min 256 chars)my_shared_secret_kibana1_(min 256 chars)my_shared_secret_kibana1_(min 256 chars)" # <- use environmental variables for better security!
   
    saml:
      #type: saml
      enabled: false
      buttonName: 'Employees SAML SSO'
      issuer: 'ror'
      entryPoint: 'http://localhost:8080/simplesaml/saml2/idp/SSOService.php'
      kibanaExternalHost: 'localhost:5601' # <-- public URL used by the Identity Provider to call back Kibana with the "assertion" message
      usernameParameter: 'email'
      groupsParameter: 'eduPersonAffiliation'
      logoutUrl: 'http://localhost:8080/simplesaml/saml2/idp/SingleLogoutService.php'
   
    saml2:
      buttonName: 'Partners SAML SSO'
      enabled: false
      type: saml
      issuer: 'ror'
      entryPoint: 'http://localhost:8080/simplesaml/saml2/idp/SSOService.php'
      kibanaExternalHost: 'localhost:5601' # <-- public URL used by the Identity Provider to call back Kibana with the "assertion" message
      usernameParameter: 'email'
      groupsParameter: 'eduPersonAffiliation'
      logoutUrl: 'http://localhost:8080/simplesaml/saml2/idp/SingleLogoutService.php'
    saml_kc:
      buttonName: 'KeyCloak SAML SSO'
      enabled: true
      type: saml
      issuer: 'ror'
     # entryPoint: 'http://127.0.0.1:8080/auth/realms/master/broker/saml/endpoint'
      entryPoint: 'http://127.0.0.1:8080/auth/realms/master/protocol/saml'
      kibanaExternalHost: 'localhost:5601' # <-- public URL used by the Identity Provider to call back Kibana with the "assertion" message
      usernameParameter: 'nameID'
      groupsParameter: 'Role'
      logoutUrl: 'http://127.0.0.1:8080/auth/realms/master/broker/saml/endpoint'


# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601

# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
#server.host: "localhost"

# Enables you to specify a path to mount Kibana at if you are running behind a proxy.
# Use the `server.rewriteBasePath` setting to tell Kibana if it should remove the basePath
# from requests it receives, and to prevent a deprecation warning at startup.
# This setting cannot end in a slash.
#server.basePath: ""

# Specifies whether Kibana should rewrite requests that are prefixed with
# `server.basePath` or require that they are rewritten by your reverse proxy.
# This setting was effectively always `false` before Kibana 6.3 and will
# default to `true` starting in Kibana 7.0.
#server.rewriteBasePath: false

# The maximum payload size in bytes for incoming server requests.
#server.maxPayloadBytes: 1048576

# The Kibana server's name.  This is used for display purposes.
#server.name: "your-hostname"

# The URLs of the Elasticsearch instances to use for all your queries.
#elasticsearch.hosts: ["http://localhost:9200"]

# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
#elasticsearch.preserveHost: true

# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
#kibana.index: ".kibana"

# The default application to load.
#kibana.defaultAppId: "home"

# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
#elasticsearch.username: "user"
#elasticsearch.password: "pass"

# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key

# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files validate that your Elasticsearch backend uses the same key files.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key

# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]

# To disregard the validity of SSL certificates, change this setting's value to 'none'.
#elasticsearch.ssl.verificationMode: none

# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500

# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000

# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]
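A small consistency check for the two files discussed in this thread, added here as an example and not part of ReadonlyREST: it flags a logLevel (or auth/cookiePass) that landed at the top level of kibana.yml instead of under readonlyrest_kbn, a signature_key that does not match any readonlyrest.ror_kbn entry or is shorter than the 256 characters the sample above asks for, a SAML block with missing keys, and an enabled block that sets protocol http. The two dicts are constructed from the poster's configs as yaml.safe_load would return them, so the script runs without PyYAML.

```python
"""Consistency checks for a ReadonlyREST Kibana SAML setup (added example, not ROR code)."""

# Constructed stand-ins for the parsed kibana.yml and readonlyrest.yml from the thread (no PyYAML needed).
KIBANA_YML = {
    "server.port": 5601,
    "readonlyrest_kbn": {"auth": {
        "signature_key": "HEREIS256LENGHTKEY",
        "saml": {
            "enabled": True, "issuer": "42a64855-8687-4602-947d-728f90a9b1f4",
            "buttonName": "Partners SSO Login", "protocol": "http",
            "entryPoint": "https://oidc.provider.local/auth/realms/master/protocol/saml",
            "kibanaExternalHost": "kibana.test.local",
            "usernameParameter": "nameID", "groupsParameter": "Role",
            "logoutUrl": "https://oidc.provider.local/auth/realms/master/broker/saml/endpoint",
        },
    }},
    "logLevel": "debug",  # as in the post: sits at the top level instead of under readonlyrest_kbn
}
READONLYREST_YML = {"readonlyrest": {"ror_kbn": [{"name": "kbn1", "signature_key": "HEREIS256LENGHTKEY"}]}}
SAML_KEYS = ("enabled", "issuer", "entryPoint", "kibanaExternalHost",
             "usernameParameter", "groupsParameter", "logoutUrl")


def check_config(kibana, ror):
    """Return a list of findings; an empty list means the two files are consistent."""
    findings = []
    kbn = kibana.get("readonlyrest_kbn") or {}
    auth = kbn.get("auth") or {}
    # Keys that belong under readonlyrest_kbn but landed at the top level of the file.
    for key in ("logLevel", "auth", "cookiePass"):
        if key in kibana and key not in kbn:
            findings.append(f"{key} is at top level; indent it under readonlyrest_kbn")
    # The shared secret must match a readonlyrest.ror_kbn entry on the Elasticsearch side;
    # the sample in the thread asks for at least 256 characters.
    secret = auth.get("signature_key")
    ror_secrets = {e.get("signature_key") for e in ror.get("readonlyrest", {}).get("ror_kbn", [])}
    if secret not in ror_secrets:
        findings.append("auth.signature_key does not match any readonlyrest.ror_kbn entry")
    if secret is not None and len(secret) < 256:
        findings.append(f"signature_key is {len(secret)} chars; the sample asks for at least 256")
    # Each SAML block needs the full key set; an explicit protocol http means the IdP posts the assertion back over cleartext.
    for name, blk in auth.items():
        if not isinstance(blk, dict):
            continue
        missing = [k for k in SAML_KEYS if k not in blk]
        if missing:
            findings.append(f"{name}: missing {', '.join(missing)}")
        if blk.get("enabled") and blk.get("protocol") == "http":
            findings.append(f"{name}: protocol http sends the SAML assertion callback in cleartext")
    return findings
```

Run it against your own files by replacing the two dicts with yaml.safe_load(open(path)) calls; an empty result means none of these checks fired.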

Thank you @sscarduzio! Unfortunately, nothing changed :(
Maybe this screenshot will be helpful for the investigation?

BTW, the ELK version is 6.7.1 (OSS), ROR 1.18.1.

Hi @Maligos,

Yes, that’s a bug :frowning:

Fixed it in master, will prepare a pre release for you to test.

@sscarduzio Thank you! Looking forward to it. It is very important to us.


Please try this:

https://readonlyrest-data.s3-eu-west-1.amazonaws.com/tmp/readonlyrest_kbn_enterprise-1.18.2-pre1-20190615_es6.7.1.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJEKIPNTOTIVGQ4EQ/20190615/eu-west-1/s3/aws4_request&X-Amz-Date=20190615T095726Z&X-Amz-Expires=604800&X-Amz-SignedHeaders=host&X-Amz-Signature=24f7007d96e6a1b48d65dcb8cb4a208672db89745255669c3cbd06f663b344f0


@sscarduzio Thank you! It works!
