
SAML authentication not working


Setting up Elasticsearch service with SAML (new method that doesn't require Cognito) and trying to use AWS SSO as the IdP, and I am getting a few errors. I imported the XML file after adding the Elasticsearch cluster as a custom SAML 2.0 app in SSO, granted my SSO user access, and set the Subject attribute map to ${user:subject}. I think there may be another configuration step that is not documented well or that I am missing.

I've followed both of these guides: and, but the setup does not seem to be working.

I am receiving this error when clicking the URL to access Kibana "SAML authentication error The SAML authentication failed. Please contact your administrator."

In the CloudWatch logs the two errors I am seeing are:
[2020-12-03T13:07:23,573][WARN ][c.a.d.a.h.s.AuthTokenProcessorHandler] [ad8baed6c40dec7884ba400c5916f1a0] roles_key is not configured, will only extract subject from SAML
[2020-12-03T13:08:09,006][WARN ][c.a.d.a.h.s.AuthTokenProcessorHandler] [ad8baed6c40dec7884ba400c5916f1a0] Error while validating SAML response in PATH

Does anyone have experience setting this up directly and the necessary configuration settings to get it working? I know this is a relatively new feature.

asked 2 years ago · 467 views
5 Answers

I have been debugging a SAML integration between our playground ES cluster and a Keycloak SAML client.

I have attempted both IdP and SP strategies.

Presently, the SAML POST to either:

returns with a 500. The SAML response does not have a lot of roles, as the documentation suggests to check:

I enabled error logs and notice the following after making a change that puts the cluster in Processing state before restoring to Active state:

[2021-02-22T15:28:23,742][WARN ][r.suppressed ] [d4bbbe4289f9131958d581ccea8e67b2] path: PATH params:

org.elasticsearch.ElasticsearchSecurityException: Open Distro Security not initialized for PATH
[2021-02-22T15:28:23,803][WARN ][r.suppressed ] [d4bbbe4289f9131958d581ccea8e67b2] path: PATH params:

I feel this may be related, as on every login attempt, I see the following in the error logs:
[2021-02-22T15:30:24,170][WARN ][c.a.d.a.h.s.AuthTokenProcessorHandler] [4366f5eeac89ac3b61891625ee763178] Error while validating SAML response in PATH

I am not sure if this is related as well, but I saw this in the logs at one time, and thought it might be a potential root cause of the failure behind the Open Distro Security issue.
[2021-02-22T11:57:23,770][WARN ][o.e.c.s.MasterService ] [4407ca98e522761bb46605f3855f30c5] failing [elected-as-master ([5] nodes joined)

PATH is something I've been unable to find in any ES docs by googling.

answered 2 years ago

Good Afternoon Sir,

I had this same issue. I was able to resolve it by mapping the roles key in the Elasticsearch Service authentication settings to an attribute mapping in my AWS SSO instance. The value I gave in AWS SSO used the built-in Kibana role 'kibana_admin'. I hope this helps you.


answered 2 years ago

Hello Sir, I am facing the same issue; it would be great if you could put in some details about the configuration and the changes you've made to get it working. I am using OneLogin to connect.

answered 2 years ago

I had the same problem, in AWS SSO I was mapping only the Subject attribute using the ${user:email}, but it only worked when I also added another attribute for my SSO group: ${user:groups}.

So I ended up with this mapping:
Subject - ${user:email} - unspecified
Group - ${user:groups} - unspecified

  • Edited: the variable is user:email and user:groups, for some reason the website is showing null

On Elasticsearch, I went to modify authentication, and for SAML master backend role (optional) I used my SSO group ID.
In the optional SAML settings I added the name of my attribute mapping, "Group", as the Roles key.

Edited by: rribeiro1 on Jun 14, 2021 7:12 AM

answered a year ago
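As an added example (not code from the thread or from AWS), a small Python check that parses a SAML response the way the roles_key lookup in the WARN lines above does: it pulls the Subject NameID and the attribute named as the roles key, then reports the mismatches that produce "roles_key is not configured" or a missing backend role before anyone attempts a login. The response XML, the "Group" attribute name, the email and the group id are all constructed for the example.

```python
import xml.etree.ElementTree as ET  # for untrusted input, prefer defusedxml

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed sample response (not captured from a real IdP). It mirrors the
# mapping from the answer above: Subject -> ${user:email}, "Group" -> ${user:groups}.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Group">
        <saml:AttributeValue>a1b2c3d4-0000-0000-0000-000000000000</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_saml_identity(response_xml, roles_key=None):
    """Return (subject, roles, all_attributes) as a roles_key lookup would see them."""
    root = ET.fromstring(response_xml)
    subject = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    roles = attrs.get(roles_key, []) if roles_key else []
    return subject, roles, attrs


def check_mapping(response_xml, roles_key, expected_backend_role):
    """List the mapping problems that would surface only as WARN lines at login time."""
    subject, roles, attrs = extract_saml_identity(response_xml, roles_key)
    problems = []
    if subject is None:
        problems.append("no NameID in Subject: check the Subject attribute mapping in the IdP")
    if not roles_key:
        problems.append("roles_key is not configured, will only extract subject from SAML")
    elif roles_key not in attrs:
        problems.append(f"roles_key '{roles_key}' not present in assertion attributes {sorted(attrs)}")
    elif expected_backend_role not in roles:
        problems.append(f"backend role '{expected_backend_role}' not among {roles}")
    return problems
```

Run check_mapping against a response captured from your own IdP (for example via the browser's SAML tracer) to confirm the attribute name you typed as the Roles key matches what the IdP actually sends.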
