SAML authentication not working

0

Setting up Elasticsearch service with SAML (new method that doesn't require Cognito) and trying to use AWS SSO as the IdP and I am getting a few errors. I imported the XML file after adding the Elasticsearch Cluster as a custom SAML 2.0 app in SSO, granted my SSO user access, and set the Subject attribute map to ${user:subject}. I think there may be another configuration step that is not documented well or that I am missing.

I've followed both of these guides: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html and https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html, but the setup does not seem to be working.

I am receiving this error when clicking the URL to access Kibana "SAML authentication error The SAML authentication failed. Please contact your administrator."

In the cloudwatch logs the two errors I am seeing are:
[2020-12-03T13:07:23,573][WARN ][c.a.d.a.h.s.AuthTokenProcessorHandler] [ad8baed6c40dec7884ba400c5916f1a0] roles_key is not configured, will only extract subject from SAML
[2020-12-03T13:08:09,006][WARN ][c.a.d.a.h.s.AuthTokenProcessorHandler] [ad8baed6c40dec7884ba400c5916f1a0] Error while validating SAML response in PATH

Does anyone have experience setting this up directly and the necessary configuration settings to get it working? I know this is a relatively new feature.

asked 3 years ago, 2494 views
5 answers
0

I have been debugging a SAML integration between our playground ES cluster and a keycloak SAML client.

I have attempted both IdP and SP strategies.

Presently, the SAML POST to either:
https://{domain}/_plugin/kibana/_opendistro/_security/saml/acs
or
https://{domain}/_plugin/kibana/_opendistro/_security/saml/acs/idpinitiated

returns with a 500. The SAML response does not have a lot of roles, as documentation suggests to check:
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html

I enabled error logs and notice the following after making a change that puts the cluster in Processing state before restoring to Active state:

[2021-02-22T15:28:23,742][WARN ][r.suppressed ] [d4bbbe4289f9131958d581ccea8e67b2] path: PATH params:
{}

org.elasticsearch.ElasticsearchSecurityException: Open Distro Security not initialized for PATH
[2021-02-22T15:28:23,803][WARN ][r.suppressed ] [d4bbbe4289f9131958d581ccea8e67b2] path: PATH params:

I feel this may be related, as on every login attempt, I see the following in the error logs:
[2021-02-22T15:30:24,170][WARN ][c.a.d.a.h.s.AuthTokenProcessorHandler] [4366f5eeac89ac3b61891625ee763178] Error while validating SAML response in PATH

I am not sure if this is related, as well, but I saw this in the logs at one time, and thought it might be a potential root cause for the failing that might be causing the Open Distro Security issue.
[2021-02-22T11:57:23,770][WARN ][o.e.c.s.MasterService ] [4407ca98e522761bb46605f3855f30c5] failing [elected-as-master ([5] nodes joined)

PATH is something I've been unable to google in any ES docs

answered 3 years ago
0

Good Afternoon Sir,

I had this same issue. I was able to resolve it by mapping the roles key in the Elasticsearch Service Authentication settings to an Attribute Mapping in my AWS SSO instance. The Value I gave in AWS SSO used the built in kibana role 'kibana_admin'. I hope this helps you.

V/R
D3DFX

d3dfx
answered 3 years ago
0

Hello Sir, I am facing the same issue, would be great if you can put in some details about the configuration and the changes you've made to get it working. I am using OneLogin to connect.

answered 3 years ago
0

I had the same problem, in AWS SSO I was mapping only the Subject attribute using the ${user:email}, but it only worked when I also added another attribute for my SSO group: ${user:groups}.

So I ended up with this mapping:
Subject - ${user:email} - unspecified
Group - ${user:groups} - unspecified

  • Edited: the variable is user:email and user:groups, for some reason the website is showing null

On Elasticsearch, I went to modify authentication and for SAML master backend role (optional) I used my SSO group ID.
In the Optional SAML settings I added the name of my attribute mapping: "Group" to Roles key

Edited by: rribeiro1 on Jun 14, 2021 7:12 AM

answered 3 years ago
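The two answers above (d3dfx's and rribeiro1's) both come down to the same thing: the attribute name the IdP puts in the assertion must match the roles key configured on the domain, otherwise the plugin logs "roles_key is not configured, will only extract subject from SAML" or finds no roles and rejects the login. The script below is an added example, not code from the thread or from AWS: it decodes the base64 SAMLResponse that the browser POSTs to the /acs endpoint (copy it from the browser's developer tools), lists the NameID and attribute names the IdP actually sent, and checks them against the subject key and roles key you configured. The sample response is constructed; the domain URL, issuer, user and group ID are placeholders.

```python
"""Decode a SAMLResponse and check its attributes against the domain's SAML settings.

Diagnostic only: this does not verify the XML signature, audience or timestamps,
so never use it as an authentication check. xml.etree also does not defend against
malicious XML (entity expansion); for untrusted input use the defusedxml package.
"""
import base64
from xml.etree import ElementTree as ET

# XML namespaces used by SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: roughly what an AWS SSO custom SAML app sends when "Subject" is
# mapped to ${user:email} and an extra attribute "Group" is mapped to ${user:groups}.
# Domain URL, issuer, user and group ID are placeholders, not values from the thread.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2021-06-14T07:12:00Z"
    Destination="https://search-example.us-east-1.es.amazonaws.com/_plugin/kibana/_opendistro/_security/saml/acs">
  <saml:Issuer>https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2021-06-14T07:12:00Z">
    <saml:Issuer>https://portal.sso.us-east-1.amazonaws.com/saml/assertion/EXAMPLE</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue>sso-group-id-123</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The browser posts the response base64-encoded in the SAMLResponse form field.
SAMPLE_SAML_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(saml_response_b64: str) -> ET.Element:
    """Decode the base64 SAMLResponse form field (HTTP-POST binding) into an XML tree."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def extract_subject(root: ET.Element):
    """Return the NameID text of the first assertion, or None if there is none."""
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    return name_id.text if name_id is not None else None


def extract_attributes(root: ET.Element) -> dict:
    """Return {attribute Name: [values...]} from the assertion's AttributeStatement."""
    attrs = {}
    for attr in root.findall(".//saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs


def check_mapping(root: ET.Element, subject_key: str = None, roles_key: str = None) -> dict:
    """Mirror how the plugin reads the subject and roles from the assertion.

    subject_key: attribute holding the user name (None = use NameID, the default).
    roles_key:   attribute holding the backend roles; None reproduces the warning
                 seen in the question's CloudWatch logs.
    """
    attrs = extract_attributes(root)
    findings = []
    if subject_key:
        subject = (attrs.get(subject_key) or [None])[0]
        if subject is None:
            findings.append(f"subject_key '{subject_key}' not present in assertion")
    else:
        subject = extract_subject(root)
        if subject is None:
            findings.append("no NameID in assertion")
    roles = []
    if roles_key is None:
        findings.append("roles_key is not configured, will only extract subject from SAML")
    elif roles_key not in attrs:
        findings.append(f"roles_key '{roles_key}' not present in assertion; "
                        f"attributes sent by the IdP: {sorted(attrs)}")
    else:
        roles = attrs[roles_key]
    return {"subject": subject, "roles": roles, "findings": findings}


if __name__ == "__main__":
    tree = decode_saml_response(SAMPLE_SAML_RESPONSE_B64)
    print("attributes sent:", extract_attributes(tree))
    # Roles key matches the IdP attribute name: roles are extracted.
    print(check_mapping(tree, roles_key="Group"))
    # Roles key not configured: same warning as in the question's logs.
    print(check_mapping(tree))
    # Roles key misspelled relative to the IdP mapping: no roles, login will fail.
    print(check_mapping(tree, roles_key="groups"))
```

Compare the `roles` value with the SAML master backend role (or a role mapping) on the domain: the group ID has to appear in the assertion under exactly the attribute name entered as the roles key, with case and spelling matching. If `findings` reports the roles key as missing, the fix is on the IdP side (add the attribute mapping, as rribeiro1 did with `Group` to `${user:groups}`), not on the domain.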
0
answered 3 years ago
