SAML Authentication Not Working

I’m having trouble getting SAML working in Kibana. No matter what I try, I always get redirected to /customerror?type=samlConfigError#?_g=() where it shows this error:

SAML configuration error

Something went wrong while retrieving the SAML configuration, please check your settings.

There’s nothing obviously SAML related showing up in the log files either. Is there a way to enable debug logging for the SAML authentication so I can troubleshoot this issue?

I eventually figured out this particular issue. It was caused by basic_internal_auth_domain being set to a lower order than saml_auth_domain. Still, it would be useful to have some kind of log output that explains what is going wrong.


Hi

You can set these in log4j2.properties

logger.token.name = com.amazon.dlic.auth.http.saml.Token
logger.token.level = debug

This will print out the SAML response in the Elasticsearch log file so you can inspect and debug it.

Another way of inspecting the SAML Response is to monitor the network traffic while logging in to Kibana. The IdP will HTTP POST the base64-encoded SAML Response to:

/_opendistro/_security/saml/acs

Inspect the payload of this POST request and use a tool like https://www.base64decode.org/ to decode it.
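
Added example (not part of the original posts and not Open Distro code): the POST body captured at /_opendistro/_security/saml/acs can also be decoded locally, which keeps the assertion off third-party sites and lists the fields usually compared against the SAML settings. The sample response, the host names and the function names `decode_saml_post` and `summarize` are constructed for illustration.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (not captured from a real IdP); host names are placeholders.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://kibana.example.com/_opendistro/_security/saml/acs">
<saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion><saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
<saml:Conditions NotOnOrAfter="2030-01-01T00:00:00Z"><saml:AudienceRestriction><saml:Audience>kibana-saml</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement><saml:Attribute Name="roles"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion></samlp:Response>"""
SAMPLE_BODY = urllib.parse.urlencode({"SAMLResponse": base64.b64encode(SAMPLE_XML).decode()})

def decode_saml_post(body: str) -> bytes:
    """Return the XML carried in the SAMLResponse field of a form-encoded POST body."""
    value = urllib.parse.parse_qs(body, strict_parsing=True)["SAMLResponse"][0]
    xml = base64.b64decode("".join(value.split()), validate=True)  # tolerate wrapped base64
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:  # SAML carries no DTD; refuse entity tricks
        raise ValueError("unexpected DTD/entity declaration in SAML response")
    return xml

def summarize(xml: bytes) -> dict:
    """Pull out the fields that usually explain a failed SAML login."""
    root = ET.fromstring(xml)
    def attr(path, name):
        el = root.find(path, NS)
        return el.get(name) if el is not None else None
    def text(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None
    return {
        "destination": root.get("Destination"),
        "status": attr("samlp:Status/samlp:StatusCode", "Value"),
        "issuer": text("saml:Issuer"),
        "name_id": text(".//saml:NameID"),
        "audience": text(".//saml:Audience"),
        "not_on_or_after": attr(".//saml:Conditions", "NotOnOrAfter"),
        "attributes": {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                       for a in root.iterfind(".//saml:Attribute", NS)},
        "encrypted_assertion": root.find("saml:EncryptedAssertion", NS) is not None,
    }

if __name__ == "__main__":
    print(summarize(decode_saml_post(SAMPLE_BODY)))
```

If `encrypted_assertion` is true, the subject and attribute fields come back empty because they sit inside the encrypted element.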

It never even got to the point of attempting SAML, it failed before that part.

Debug logging for SAML config errors is currently limited.
We can probably improve its verbosity in the future.

Ran into the same issue here. Fixing the ordering resolved my problem.
