SAML issues with Azure AD

Hi!

We are currently facing two SAML issues with Kibana/ES version 8.7.1 and RoR 1.48 (+ Azure AD):

When the user is previously logged in with other authentication methods, RoR will just reject the authentication and we get a message like:

AADSTS75011: Authentication method ‘X509, MultiFactor’ by which the user authenticated with the service doesn’t match requested authentication method ‘Password, ProtectedTransport’. Contact the application owner.

How can we set the valid authentication methods in Readonly? It should be controlled with the parameter RequestedAuthnContext, but there is nothing I can see in the doc.

The second problem is that, whatever we try once we have the right authentication method, we always get [error][plugins][ReadonlyREST][samlRouterFactory] saml_azure error: Error: Invalid signature
We have checked the cert.pem path, which is fine (content too), and the SSL certificate at the same place is read without issue. We really don't understand what may cause this issue. Any hint will be greatly appreciated.

Hello @mahlimo

When the user is previously logged in with other authentication methods, RoR will just reject the authentication and we get a message like:
AADSTS75011: Authentication method ‘X509, MultiFactor’ by which the user authenticated with the service doesn’t match requested authentication method ‘Password, ProtectedTransport’. Contact the application owner.

If I understand correctly, based on the error description and proposed resolution, this value should be removed:

RequestedAuthnContext is an optional value. If possible, ask the application if the value could be removed.

Currently, we don't allow setting this flag; however, as I see, it's possible. I can prepare a pre-release build with an option to disable it.

The second problem is that, whatever we try once we have the right authentication method, we always get [error][plugins][ReadonlyREST][samlRouterFactory] saml_azure error: Error: Invalid signature

Could you send all Kibana logs? Based on the docs, the cert file should be the Base64 version of the certificate. Could you confirm it?

The cert is an absolute path to the base64 version of the certificate ReadonlyREST Enterprise will use to verify the signature of the SAML assertion coming from Azure AD. This file can be downloaded from: (3) SAML Signing Certificate > Certificate (Base64)
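As an added, stand-alone check that is not part of this thread or of ReadonlyREST itself (Python, standard library only): it classifies the file configured as `cert` as PEM, bare Base64 or binary DER, rejects anything else such as a federation metadata XML saved under the wrong name, and returns the SHA-1 thumbprint to compare against the one shown on the Azure app's SAML Signing Certificate panel. `SAMPLE_DER` is a constructed stand-in for certificate bytes, not a real certificate.

```python
import base64
import binascii
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for DER certificate bytes (a bare ASN.1 SEQUENCE, not a
# real X.509 cert) so the example runs offline.
SAMPLE_DER = b"\x30\x82\x00\x03\x02\x01\x01"


def inspect_saml_cert(data: bytes) -> dict:
    """Classify an IdP signing-certificate file and return its thumbprints.
    Accepts PEM (the portal's "Certificate (Base64)" download), a bare Base64
    body without BEGIN/END lines, or binary DER ("Certificate (Raw)"); anything
    else, e.g. federation metadata XML saved under the wrong name, raises.
    """
    text = data.decode("ascii", errors="ignore")
    match = PEM_RE.search(text)
    if match:
        fmt, body = "pem", match.group(1)
    elif data[:2] == b"\x30\x82":  # DER: SEQUENCE tag with a 2-byte length
        fmt, body = "der", None
    else:
        fmt, body = "base64", text
    try:
        der = data if body is None else base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not a Base64 certificate: {exc}") from exc
    if der[:2] != b"\x30\x82":
        raise ValueError("decoded bytes do not start with an ASN.1 SEQUENCE")
    # Re-armor as PEM with 64-character lines, the layout a PEM reader expects.
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
    return {
        "format": fmt,
        "der_length": len(der),
        "sha1": hashlib.sha1(der).hexdigest().upper(),  # Azure shows this as Thumbprint
        "sha256": hashlib.sha256(der).hexdigest(),
        "pem": pem,
    }


def cert_format(data: bytes) -> str:
    """Detected format, or "invalid" when the file cannot be used as a cert."""
    try:
        return inspect_saml_cert(data)["format"]
    except ValueError:
        return "invalid"
```

Run it against the real `cert.pem`: a format of "der" or "invalid", or a SHA-1 that differs from the portal thumbprint, explains an "Invalid signature" result before any SAML debugging is needed.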

It would be great to be able either to control the authentication context or to disable it completely, as we are using more complex strategies than just password authentication.

I will be glad to send you the Kibana logs and config, but what is the best way to proceed?

You can send it as a private message via the forum or email.

Here it is:
Error logs:

[14:08:04:661] [error][plugins][ReadonlyREST][samlRouterFactory] saml_azure error: Error: Invalid signature
    at SAML.validatePostResponseAsync (/usr/share/kibana/plugins/readonlyrestkbn/node_modules/passport-saml/src/node-saml/saml.ts:792:17)
    at runMicrotasks ()
    at processTicksAndRejections (node:internal/process/task_queues:96:5)

Configuration kibana.yml:

readonlyrest_kbn:
  cookiePass: 'XXX'
  logLevel: debug
  clearSessionOnEvents: ["login"]
  store_sessions_in_index: true
  login_title: "ES8 Kudelski Corp Cluster"
  whitelistedPaths: ["/api/stats$"]
  login_custom_logo: 'https://www.xxxx.com/image.svg'

  auth:
    signature_key: "XXXXXX"

    saml_azure:
      buttonName: 'Azure AD SSO'
      enabled: true
      type: saml
      issuer: 'ror'
      protocol: 'https'
      cert: '/usr/share/kibana/config/cert.pem' # <-- will download later from Azure enterprise app dashboard
      entryPoint: 'https://login.microsoftonline.com/e5733095-4425-4f08-b6ba-487b9a46xxx5/saml2'
      kibanaExternalHost: 'kibana.xxxx.com'
      usernameParameter: 'http://schemas.microsoft.com/identity/claims/displayname'
      groupsParameter: 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groups'
      logoutUrl: 'https://login.microsoftonline.com/e5733095-4425-4f08-b6baxxxxx/saml2'

ReadonlyREST configuration settings:

ror_kbn:
  - name: kbn1
    signature_key: "XXXXXX"

access_control_rules:
  - name: "ReadonlyREST Enterprise sessions"
    ror_kbn_auth:
      name: "kbn1"

Hi @mahlimo

I sent you a private message with a pre-release build and a description of how to configure new SAML options.