[samlController] Obtained user name from profile: undefined

gustavo.yoshizaki · November 26, 2022, 3:22pm

Hi

I have just configured a Kibana instance to authenticate the users using SAML.

This is the Kibana configuration:

readonlyrest_kbn.auth:
  signature_key: "key"
  saml_serv1:
    enabled: true
    type: saml
    issuer: https://kibanaurl/
    buttonName: "Keycloak"
    entryPoint: 'https://entrypointurl'
    kibanaExternalHost: kibana
    protocol: https
    usernameParameter: 'NameID'
    groupsParameter: 'memberOf'
    logoutUrl: 'https://logouturl'
    cert: 'certificate'

And this is the Elasticsearch configuration:

    access_control_rules:
    - name: "Keycloak"
      type: allow
      kibana_access: admin
      ror_kbn_auth:
        name: "keycloak"
      indices: ["*"]

....

    ror_kbn:
    - name: keycloak
      signature_key: "key"

But when the users tries to access Kibana, after authenticating against Keycloak, they are sent to the login form.

On the Kibana logs:

[15:09:13:373] [debug][plugins][ReadonlyREST][samlController] Obtained user name from profile: undefined
[15:09:13:373] [debug][plugins][ReadonlyREST][samlController] Obtained groups from profile: 
[15:09:13:373] [debug][plugins][ReadonlyREST][samlController] Created JWT for ROR with claims: {"groups":[],"assertion":{"issuer":"https://issuer","inResponseTo":"XXX","sessionIndex":"XXX","nameID":"gustavo.yoshizaki@avature.net","nameIDFormat":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress","Role":"offline_access"},"x-ror-origin":"saml_serv1"}, (size: 631 of 8185 Bytes))
[15:09:13:695] [debug][plugins][ReadonlyREST][legacyRenderer] Fetching frontend dependency: /usr/share/kibana/plugins/readonlyrestkbn/proxy/preKibanaProxy/auth/../../../node_modules/jquery/dist/jquery.min.js
[15:09:14:124] [info][plugins][ReadonlyREST][authController] Could not login in: Empty metadata

Any ideas?

Thanks in advance

sscarduzio · November 28, 2022, 8:01am

Hi @gustavo.yoshizaki, the string “NameID” is configured as usernameParameter, whereas the assertion has “nameID”.

gustavo.yoshizaki · November 28, 2022, 11:28pm

Hi @sscarduzio

Thanks for the quick reply. Silly me, there was a typo. However, it did not fix the issue:

[23:23:35:519] [debug][plugins][ReadonlyREST][samlController] Obtained user name from profile: gustavo.yoshizaki@avature.net
[23:23:35:519] [debug][plugins][ReadonlyREST][samlController] Obtained groups from profile: 
[23:23:35:519] [debug][plugins][ReadonlyREST][samlController] Created JWT for ROR with claims: {"user":"gustavo.yoshizaki@avature.net","groups":[],"assertion":{"issuer":"https://keycloak-il01.xcade.net/realms/LDAP","inResponseTo":"_9ffb3fa5ae5b845241e1","sessionIndex":"9dfa38cb-6eb0-4c63-9582-e6d5773badf0::0185aa3d-6462-4c33-946c-498f354bd1a8","nameID":"gustavo.yoshizaki@avature.net","nameIDFormat":"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress","Role":"offline_access"},"x-ror-origin":"saml_serv1"}, (size: 683 of 8185 Bytes))
[23:23:35:853] [debug][plugins][ReadonlyREST][legacyRenderer] Fetching frontend dependency: /usr/share/kibana/plugins/readonlyrestkbn/proxy/preKibanaProxy/auth/../../../node_modules/jquery/dist/jquery.min.js
[23:23:36:036] [debug][plugins][ReadonlyREST][legacyRenderer] Fetching frontend dependency: /usr/share/kibana/plugins/readonlyrestkbn/proxy/preKibanaProxy/auth/../../../node_modules/jquery/dist/jquery.min.js
[23:23:36:048] [debug][plugins][ReadonlyREST][legacyRenderer] Fetching frontend dependency: /usr/share/kibana/plugins/readonlyrestkbn/proxy/preKibanaProxy/auth/../../../node_modules/xregexp/xregexp-all.js
[23:23:36:066] [debug][plugins][ReadonlyREST][legacyRenderer] Fetching frontend dependency: /usr/share/kibana/plugins/readonlyrestkbn/proxy/preKibanaProxy/auth/../../../node_modules/js-cookie/dist/js.cookie.min.js
[23:23:36:204] [info][plugins][ReadonlyREST][authController] Could not login in: Empty metadata

sscarduzio · November 29, 2022, 9:02am

“Could not login, empty metadata” means that the ACL has allowed the request, but the matching ACL block does not include an authentication rule. I.e. login request was allowed by a rule based on “hosts” rule.

What I can see is that ROR Enterprise did not find any groups in the assertion. I see you configured “memberOf” as groupsParameter, but the assertion does not carry that parameter. Instead I can see “Role” in the assertion.

If “Role” and its content was not what you intended to use for authorization, there should be some configuration in Keycloak to include actual groups in the assertion IIRC.

gustavo.yoshizaki · December 11, 2022, 4:06pm

Thanks @sscarduzio . That was missing.