[samlController] Obtained user name from profile: undefined

Hi

I have just configured a Kibana instance to authenticate the users using SAML.

image

This is the Kibana configuration:

readonlyrest_kbn.auth:
  signature_key: "key"
  saml_serv1:
    enabled: true
    type: saml
    issuer: https://kibanaurl/
    buttonName: "Keycloak"
    entryPoint: 'https://entrypointurl'
    kibanaExternalHost: kibana
    protocol: https
    usernameParameter: 'NameID'
    groupsParameter: 'memberOf'
    logoutUrl: 'https://logouturl'
    cert: 'certificate'

And this is the Elasticsearch configuration:

    access_control_rules:
    - name: "Keycloak"
      type: allow
      kibana_access: admin
      ror_kbn_auth:
        name: "keycloak"
      indices: ["*"]

....

    ror_kbn:
    - name: keycloak
      signature_key: "key"

But when the users tries to access Kibana, after authenticating against Keycloak, they are sent to the login form.

On the Kibana logs:

[15:09:13:373] [debug][plugins][ReadonlyREST][samlController] Obtained user name from profile: undefined
[15:09:13:373] [debug][plugins][ReadonlyREST][samlController] Obtained groups from profile: 
[15:09:13:373] [debug][plugins][ReadonlyREST][samlController] Created JWT for ROR with claims: {"groups":[],"assertion":{"issuer":"https://issuer","inResponseTo":"XXX","sessionIndex":"XXX","nameID":"[email protected]","nameIDFormat":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress","Role":"offline_access"},"x-ror-origin":"saml_serv1"}, (size: 631 of 8185 Bytes))
[15:09:13:695] [debug][plugins][ReadonlyREST][legacyRenderer] Fetching frontend dependency: /usr/share/kibana/plugins/readonlyrestkbn/proxy/preKibanaProxy/auth/../../../node_modules/jquery/dist/jquery.min.js
[15:09:14:124] [info][plugins][ReadonlyREST][authController] Could not login in: Empty metadata

Any ideas?

Thanks in advance

Hi @gustavo.yoshizaki, the string “NameID” is configured as usernameParameter, whereas the assertion has “nameID”.

Hi @sscarduzio

Thanks for the quick reply. Silly me, there was a typo. However, it did not fix the issue:

[23:23:35:519] [debug][plugins][ReadonlyREST][samlController] Obtained user name from profile: [email protected]
[23:23:35:519] [debug][plugins][ReadonlyREST][samlController] Obtained groups from profile: 
[23:23:35:519] [debug][plugins][ReadonlyREST][samlController] Created JWT for ROR with claims: {"user":"[email protected]","groups":[],"assertion":{"issuer":"https://keycloak-il01.xcade.net/realms/LDAP","inResponseTo":"_9ffb3fa5ae5b845241e1","sessionIndex":"9dfa38cb-6eb0-4c63-9582-e6d5773badf0::0185aa3d-6462-4c33-946c-498f354bd1a8","nameID":"[email protected]","nameIDFormat":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress","Role":"offline_access"},"x-ror-origin":"saml_serv1"}, (size: 683 of 8185 Bytes))
[23:23:35:853] [debug][plugins][ReadonlyREST][legacyRenderer] Fetching frontend dependency: /usr/share/kibana/plugins/readonlyrestkbn/proxy/preKibanaProxy/auth/../../../node_modules/jquery/dist/jquery.min.js
[23:23:36:036] [debug][plugins][ReadonlyREST][legacyRenderer] Fetching frontend dependency: /usr/share/kibana/plugins/readonlyrestkbn/proxy/preKibanaProxy/auth/../../../node_modules/jquery/dist/jquery.min.js
[23:23:36:048] [debug][plugins][ReadonlyREST][legacyRenderer] Fetching frontend dependency: /usr/share/kibana/plugins/readonlyrestkbn/proxy/preKibanaProxy/auth/../../../node_modules/xregexp/xregexp-all.js
[23:23:36:066] [debug][plugins][ReadonlyREST][legacyRenderer] Fetching frontend dependency: /usr/share/kibana/plugins/readonlyrestkbn/proxy/preKibanaProxy/auth/../../../node_modules/js-cookie/dist/js.cookie.min.js
[23:23:36:204] [info][plugins][ReadonlyREST][authController] Could not login in: Empty metadata

“Could not login, empty metadata” means that the ACL has allowed the request, but the matching ACL block does not include an authentication rule. I.e. login request was allowed by a rule based on “hosts” rule.

What I can see is that ROR Enterprise did not find any groups in the assertion. I see you configured “memberOf” as groupsParameter, but the assertion does not carry that parameter. Instead I can see “Role” in the assertion.

If “Role” and its content was not what you intended to use for authorization, there should be some configuration in Keycloak to include actual groups in the assertion IIRC.

Thanks @sscarduzio . That was missing.

1 Like