Okta/Saml authentication

Hi,
I am trying and failing to setup an okta/saml connection to opendistro. We are using 1.13.2 and have a single instance cluster running in AWS. I have followed the instructions for setting it up from SAML - Open Distro for Elasticsearch Documentation, here is the kibana setup;

elasticsearch.requestHeadersWhitelist: ["securitytenant","Authorization"]
opendistro_security.multitenancy.enabled: true
opendistro_security.multitenancy.tenants.enable_global: true
opendistro_security.multitenancy.tenants.enable_private: false
opendistro_security.multitenancy.tenants.preferred: ["Private", "Global"]
opendistro_security.multitenancy.enable_filter: false
elasticsearch.username: username
elasticsearch.password: password
server.host: "0.0.0.0"
server.port: "5601"
opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]

OD Okta config;

        order: 1
        description: "OKTA saml connection."
        http_enabled: true
        transport_enabled: false
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: metadata.xml
              entity_id: https://www.okta.com/{org.externalKey}
            sp:
              entity_id: TEST
              forceAuthn: true
            kibana_url: http://cdlaudit-kibana.dev.blah:5601
            #kibana_url: http://localhost:5601
            subject_key: UserID
            roles_key: Role
            exchange_key: 32_character_key
        authentication_backend:
          type: noop

Okta config;

GENERAL
Single Sign On URL http://cdlaudit-kibana.dev.blah:5601/_opendistro/_security/saml/acs/idpinitiated
Recipient URL http://cdlaudit-kibana.dev.blah:5601/_opendistro/_security/saml/acs/idpinitiated
Destination URL http://cdlaudit-kibana.dev.blah:5601/_opendistro/_security/saml/acs/idpinitiated
Audience Restriction Test
Default Relay 
StateName ID Format Unspecified
Response Signed 
Assertion Signature Signed
Signature AlgorithmRSA_SHA256
Digest AlgorithmSHA256
Assertion Encryption Unencrypted
SAML Single Logout Disabled
authnContextClassRef PasswordProtectedTransport
Honor Force Authentication Yes
Assertion Inline Hook None (disabled)
SAML Issuer ID http://www.okta.com/${org.externalKey}

ATTRIBUTE STATEMENTS
Name     Name Format     Value
UserID   Unspecified     user.login

GROUP ATTRIBUTE STATEMENTS
Name     Name             FormatFilter
Role     Unspecified      Matches regex: .*

This just returns a 500 when we try to launch from Okta.
In the kibana logs we see this error;

Jul 05 08:17:44 ip-99-999-999-999.eu-west-1.compute.internal kibana[4315]: {"type":"error","@timestamp":"2021-07-05T08:17:44Z","tags":[],"pid":4315,"level":"error","error":{"message":"Internal Server Error","name":"Error","stack":"Error: Internal Server Error\n    at HapiResponseAdapter.toError (/usr/share/kibana/src/core/server/http/router/response_adapter.js:132:19)\n    at HapiResponseAdapter.toHapiResponse (/usr/share/kibana/src/core/server/http/router/response_adapter.js:86:19)\n    at HapiResponseAdapter.handle (/usr/share/kibana/src/core/server/http/router/response_adapter.js:81:17)\n    at Router.handle (/usr/share/kibana/src/core/server/http/router/router.js:164:34)\n    at process._tickCallback (internal/process/next_tick.js:68:7)"},"url":{"protocol":null,"slashes":null,"auth":null,"host":null,"port":null,"hostname":null,"hash":null,"search":null,"query":{},"pathname":"/_opendistro/_security/saml/acs/idpinitiated","path":"/_opendistro/_security/saml/acs/idpinitiated","href":"/_opendistro/_security/saml/acs/idpinitiated"},"message":"Internal Server Error"}

I have created a role and a role mapping for a role the user is a member of. Is there something else I am missing? Can anybody point me in the right direction.

I have tested the docker test version from OD and noticed that on this I get a RequestId in the Request body where on my system I don’t. I don’t know what creates it or if it is relevant but mentioning it for awareness.

Thanks,

Tony.

1 Like

Hi @tony Would you be able to try with metadata_url instead of metadata_file. As any changes that might have been done are not reflected in the static file.

If this is still not working, can you please DM me your config files (elasticsearch.yml, kibana.yml, config.yml) redact any sensitive details.

I will try to reproduce as your okta config is identical to mine except for the UserID.

2 Likes

After some work with Anthony he uncovered that our Okta.com config was incorrect and the cluster config was fine.

Couple of things to watch out for anyone having similar issues:

  1. Have basic auth first with challenge flag set to false, so that it continues to the next authentication domain.
  2. Ensure the entity_id matches the “Audience Restriction” exactly - it’s case sensitive.
  3. If your SSO URL ends with _opendistro/_security/saml/acs/idpinitiated access through okta. If it’s set up as _opendistro/_security/saml/acs - access via kibana URL.