Hello
We have an issue on OpenDistro (Kibana/Elasticsearch) which we have configured with Auth0 SAML authentication.
When a user opens the Kibana URL and logs in with Auth0/SAML credentials, everything works fine.
The problem is when the user logs out and tries to log in directly from the login form displayed after logout: they then get a screen with "SAML authentication error". On this screen, if they click the "Back to Kibana Home" button, the user is redirected to Kibana as a normally logged-in user.
The SAML configuration on Elasticsearch is:
```yaml
authc:
  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: intern
  saml_auth_domain:
    http_enabled: true
    transport_enabled: false
    order: 1
    http_authenticator:
      type: saml
      challenge: true
      config:
        idp:
          metadata_file: /usr/share/elasticsearch/config/idp_metadata.xml
          entity_id: "urn:PRIVATE_ENTITY_ID"
          enable_ssl: true
          verify_hostnames: true
          pemtrustedcas_filepath: /usr/share/elasticsearch/config/idp_cert.pem
        sp:
          entity_id: PRIVATE_ENTITY_ID
        kibana_url: PRIVATE_KIBANA_URL
        roles_key: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/roles
        subject_key: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        exchange_key: PRIVATE_EXCHANGE_KEY
    authentication_backend:
      type: noop
```
The configuration on Kibana is:
```yaml
server.name: kibana
server.host: "0"
elasticsearch.hosts: https://elasticsearch:9200
# elasticsearch.ssl.verificationMode: none
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/root-ca.pem"]
elasticsearch.ssl.verificationMode: full
elasticsearch.username: xxxx
elasticsearch.password: xxxx
elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.enable_global: true
opendistro_security.multitenancy.tenants.enable_private: true
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.readonly_mode.roles: ["kibana_read_only"]
opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]
opendistro_security.cookie.password: OWN_COOKIE_PASSWORD
opendistro_security.cookie.secure: true
```
When requesting the Kibana URL, the user is redirected to the following URL: https://PRIVATE_URL.auth0.com/login?state=g6Fo2SBSdllKVFE3MEJaWDVzQklwcjJiQzctVHhrdFZtV3psWqN0aWTZIFpTUjJBaHplZE04Q0VGUjZueERZY1Q5RDBwNVZ5M2I2o2NpZNkgMFpJckxxSk5ZTkhjdUQ0YnlPcmlVd244S0xTdWN3aTc&client=0ZIrLqJNYNHcuD4byOriUwn8KLSucwi7&protocol=samlp&SAMLRequest=jZJRb9owEMe%2FSuT3xAmklFmAREu3ZssCKrRS%2B4Iu5mgtJXbqs0fZp58Xtq57WLU363y%2Fv%2B9n3YSgbTox9%2B5J3%2BCzR3LRS9toEv3FlHmrhQFSJDS0SMJJsZ5%2FLcUgSUVnjTPSNOwN8j4BRGidMppFxWLKltVVufxUVFtAHOajQRpndX0e50M5iuHD2TAe5%2BNRPjyrMZMZi%2B7QUmCnLESFACKPhSYH2oVSGug0j7Nsk45EPhB5%2BsCiRfBRGlxPPTnXkeB8Bw72xrbf48A%2BKv2YQNBPE2la3lvz9KGw5fPn6r66ln6R18elVbcHPf5Srr08qHMWrX6pXyi9CwnvW9enJhLXm80qXi3XGxbNf%2F%2FEpdHkW7RrtN%2BUxNub8s%2BkoKE5OiXpddLX2RPoOr41HYZoctbwLaH0Vrlj78BBEptNfh5F%2F1F29p%2BhE%2F4Wmpz2owpOxWJlGiWP0cfQCu7fylmS9RW1i%2Fd9q%2FCaOpRqr3AXzJvGHC4tgsMpc9Yji%2Fjs9Orfizj7AQ%3D%3D
But after logging out from Kibana, the user is redirected to the following URL: https://PRIVATE_URL.auth0.com/login?state=g6Fo2SA5SnVWeGhxcW84YWdfUUdmWmo0N0xoeW5FS2FtRlRDaaN0aWTZIGxIS1A0WGNHT3UzeE8tamI2VUFiMFdMaGp6UGZIMkpyo2NpZNkgMFpJckxxSk5ZTkhjdUQ0YnlPcmlVd244S0xTdWN3aTc&client=0ZIrLqJNYNHcuD4byOriUwn8KLSucwi7&protocol=samlp
Do you have any idea why this is happening or what is missing from our configuration?
Thanks in advance
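As an added diagnostic example (not part of the post above or of OpenDistro's own code), the script below takes an Auth0 login redirect URL like the two quoted in the post, reports whether it carries a `SAMLRequest` parameter, and decodes the HTTP-Redirect-binding payload (URL-decode, base64, raw inflate) to show the Issuer and AssertionConsumerServiceURL. The AuthnRequest and both URLs are constructed inline using the post's placeholders, so the Destination and ACS values are assumptions, not real endpoints.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest; Destination/ACS are placeholders, not real endpoints.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" '
    'Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    'Destination="https://PRIVATE_URL.auth0.com/samlp/PLACEHOLDER" '
    'AssertionConsumerServiceURL="https://PRIVATE_KIBANA_URL/_opendistro/_security/saml/acs">'
    '<saml:Issuer>PRIVATE_ENTITY_ID</saml:Issuer></samlp:AuthnRequest>'
)


def encode_redirect_request(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_redirect_request(param: str) -> str:
    """Reverse of encode_redirect_request; expects the already URL-decoded value."""
    return zlib.decompress(base64.b64decode(param), -15).decode("utf-8")


def inspect_login_redirect(url: str) -> dict:
    """Summarise an IdP login redirect: protocol, presence of SAMLRequest, key fields."""
    query = parse_qs(urlsplit(url).query)  # parse_qs also handles %-decoding
    result = {"protocol": query.get("protocol", [None])[0],
              "has_saml_request": "SAMLRequest" in query}
    if result["has_saml_request"]:
        root = ET.fromstring(decode_redirect_request(query["SAMLRequest"][0]))
        result["issuer"] = root.findtext(f"{{{SAML_NS}}}Issuer")
        result["destination"] = root.get("Destination")
        result["acs_url"] = root.get("AssertionConsumerServiceURL")
    return result


def build_sample_urls():
    """Two constructed redirect URLs mirroring the post: with and without SAMLRequest."""
    base = "https://PRIVATE_URL.auth0.com/login?state=STATE&client=CLIENT&protocol=samlp"
    with_request = base + "&" + urlencode(
        {"SAMLRequest": encode_redirect_request(SAMPLE_AUTHN_REQUEST)})
    return with_request, base


if __name__ == "__main__":
    for u in build_sample_urls():
        print(inspect_login_redirect(u))
```

Running it on the two URLs from the post would show that only the first carries an AuthnRequest; the post-logout redirect reaches Auth0 with `protocol=samlp` but no `SAMLRequest` at all.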