By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

SAML authentication not working

0

Setting up Elasticsearch service with SAML (new method that doesn't require Cognito) and trying to use AWS SSO as the IdP and I am getting a few errors. I imported the XML file after adding the Elasticsearch Cluster as a custom SAML 2.0 app in SSO, granted my SSO user acccess, and set the Subject attribute map to ${user:subject}. I think there may be another configuration step that is not documented well or that I am missing.

I've followed both of these guides: https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html and https://docs.aws.amazon.com/singlesignon/latest/userguide/samlapps.html, but the setup does not seem to be working.

I am receiving this error when clicking the URL to access Kibana "SAML authentication error The SAML authentication failed. Please contact your administrator."

In the cloudwatch logs the two errors I am seeing are:
[2020-12-03T13:07:23,573][WARN ][c.a.d.a.h.s.AuthTokenProcessorHandler] [ad8baed6c40dec7884ba400c5916f1a0] roles_key is not configured, will only extract subject from SAML
[2020-12-03T13:08:09,006][WARN ][c.a.d.a.h.s.AuthTokenProcessorHandler] [ad8baed6c40dec7884ba400c5916f1a0] Error while validating SAML response in PATH

Does anyone have experience setting this up directly and the necessary configuration settings to get it working? I know this is a relatively new feature.

Language
English
KyleAWSRadAI
asked 3 years ago2456 views
5 Answers
0

I have been debugging a SAML integration between our playgroundes ES cluster and a keycloak SAML client.

I have attempted both IdP and SP strategies.

Presently, the SAML POST to either:
https://{domain}/_plugin/kibana/_opendistro/_security/saml/acs
or
https://{domain{/_plugin/kibana/_opendistro/_security/saml/acs/idpinitiated

returns with a 500. The saml response does not have a lot of roles, as documentation suggests to check:
https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/saml.html

I enabled error logs and notice the following after making a change that puts the cluster in Processing state before restoring to Active state:

[2021-02-22T15:28:23,742][WARN ][r.suppressed ] [d4bbbe4289f9131958d581ccea8e67b2] path: PATH params:
{}

org.elasticsearch.ElasticsearchSecurityException: Open Distro Security not initialized for PATH
[2021-02-22T15:28:23,803][WARN ][r.suppressed ] [d4bbbe4289f9131958d581ccea8e67b2] path: PATH params:

I feel this may be related, as on every login attempt, I see the following in the error logs:
[2021-02-22T15:30:24,170][WARN ][c.a.d.a.h.s.AuthTokenProcessorHandler] [4366f5eeac89ac3b61891625ee763178] Error while validating SAML response in PATH

I am not sure if this is related, as well, but I saw this in the logs at one time, and thought it might be a potential root cause for the failing that might be causing the Open Distro Security issue.
[2021-02-22T11:57:23,770][WARN ][o.e.c.s.MasterService ] [4407ca98e522761bb46605f3855f30c5] failing [elected-as-master ([5] nodes joined)

PATH is something I've been unable to google in any ES docs

ageomi22
answered 3 years ago
0

Good Afternoon Sir,

I had this same issue. I was able to resolve it by mapping the roles key in the Elasticsearch Service Authentication settings to an Attribute Mapping in my AWS SSO instance. The Value I gave in AWS SSO used the built in kibana role 'kibana_admin'. I hope this helps you.

V/R
D3DFX

d3dfx
answered 3 years ago
0

Hello Sir, I am facing the same Issue, would be great if you can put in some details about the configuration and the changes you've made to get it working. I am using Onelogin to connect.

shubham25namdeo
answered 3 years ago
0

I had the same problem, in AWS SSO I was mapping only the Subject attribute using the ${user:email}, but it only worked when I also added another attribute for my SSO group: ${user:groups}.

So I ended up with this mapping:
Subject - ${user:email} - unspecified
Group - ${user:groups} - unspecified

  • Edited: the variable is user:email and user:groups, for some reason the website is showing null

On ElasticSearch, I went to modify authentication and for SAML master backend role (optional) I used my SSO group ID.
In the Optional SAML settings I added the name of my attribute mapping: "Group" to Roles key

Edited by: rribeiro1 on Jun 14, 2021 7:12 AM

rribeiro1
answered 3 years ago
0

Same problem with SAML authentication via Okta

https://stackoverflow.com/questions/69613313/aws-opensearch-with-saml-authentication

jeroenvanpelt
answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content