SAML (Azure AD) working but getting Basic Authorization WARNs when clicking around Kibana

We have SAML set up and working wonderfully with Azure AD, but when I navigate around Kibana, I get these log entries in the elasticsearch log output (usually 1-3 per click):

[2019-11-15T20:40:02,995][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe-node1] No ‘Basic Authorization’ header, send 401 and ‘WWW-Authenticate Basic’

I’ve reviewed the code around the logger (actually logged in https://github.com/opendistro-for-elasticsearch/security/blob/master/src/main/java/com/amazon/opendistroforelasticsearch/security/support/HTTPHelper.java), and it appears to be an HTTP request with an Authorization header that isn’t Basic.

I’m not sure of the source of the requests passing a non-Basic auth header between Kibana and Elasticsearch. I did try disabling Auditing, but it wasn’t those. If these are related to the SAML/JWT requests, then isn’t that how this is supposed to work (i.e. is this an unnecessary warning)?

Here’s my kibana.yml

server.name: kibana
server.host: "0"
server.ssl.enabled: true
server.ssl.key: /usr/share/kibana/config/kibana-key.pem
server.ssl.certificate: /usr/share/kibana/config/kibana.cer
server.ssl.certificateAuthorities: /usr/share/kibana/config/root-ca-chain.pem

elasticsearch.hosts: https://odfe-node1:9200
elasticsearch.ssl.verificationMode: none
elasticsearch.username: kibanaserver
elasticsearch.password:

opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]

opendistro_security.multitenancy.enabled: false
opendistro_security.readonly_mode.roles: ["kibana_read_only"]

my elasticsearch.yml:

opendistro_security.ssl.transport.keystore_type: pkcs12
opendistro_security.ssl.transport.keystore_filepath: node.p12
opendistro_security.ssl.transport.keystore_password:
opendistro_security.ssl.transport.truststore_type: pkcs12
opendistro_security.ssl.transport.truststore_filepath: node.p12
opendistro_security.ssl.transport.truststore_alias: root
opendistro_security.ssl.transport.truststore_password:
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.keystore_type: pkcs12
opendistro_security.ssl.http.keystore_filepath: node.p12
opendistro_security.ssl.http.keystore_password:
opendistro_security.ssl.http.truststore_type: pkcs12
opendistro_security.ssl.http.truststore_filepath: node.p12
opendistro_security.ssl.http.truststore_alias: root
opendistro_security.ssl.http.truststore_password:
opendistro_security.ssl.http.clientauth_mode: NONE
opendistro_security.allow_default_init_securityindex: true
opendistro_security.authcz.admin_dn:
  - "CN=admin,O=CompanyName,ST=ST,C=US"
opendistro_security.nodes_dn:
  - 'CN=odfe-node*'
#opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
opendistro_security.audit.config.disabled_rest_categories: NONE
opendistro_security.audit.config.disabled_transport_categories: NONE

my security plugin config:

_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      anonymous_auth_enabled: false
    authc:
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      saml_auth_domain:
        http_enabled: true
        transport_enabled: false
        order: 2
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_file: azure-ad-saml-config.xml
              entity_id:
            sp:
              entity_id:
            kibana_url:
            exchange_key: ''
        authentication_backend:
          type: noop
    authz:
      roles_from_myldap:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: true
        authorization_backend:
          type: ldap
          config:
            enable_ssl: true
            enable_start_tls: false
            enable_ssl_client_auth: false
            enabled_ssl_protocols:
              - "TLSv1"
              - "TLSv1.1"
              - "TLSv1.2"
            verify_hostnames: false
            hosts:
              -
              -
              -
            bind_dn: ''
            password: ""
            rolebase: ''
            rolesearch: ""
            userroleattribute: null
            userrolename: disabled
            rolename: SamAccountName
            resolve_nested_roles: false
            userbase: ''
            usersearch: '(UserPrincipalName={0})'
            username_attribute: UserPrincipalName
            custom_attr_whitelist: 0
            skip_users:
              - admin
              - fluentd
              - kibanaserver
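Added example (not from the post and not the security plugin's own code): a simplified Python model of how the two `authc` domains in the posted config.yml are tried for a single HTTP request. It assumes the documented semantics that domains are tried lowest `order` first, that each `http_authenticator` only extracts credentials of its own scheme (Basic for `basic`, a Bearer token for `saml`), and that `challenge` decides whether a domain that found nothing answers 401 + WWW-Authenticate or lets the next domain try; the real plugin internals are not reproduced.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AuthDomain:
    name: str
    order: int
    http_type: str   # "basic" or "saml"
    challenge: bool


# The two authc domains from the posted config.yml (constructed here).
CONFIG_DOMAINS = [
    AuthDomain("basic_internal_auth_domain", 1, "basic", False),
    AuthDomain("saml_auth_domain", 2, "saml", True),
]


def scheme_of(authorization: Optional[str]) -> Optional[str]:
    """Lowercase scheme of an Authorization header ("basic", "bearer"), or None."""
    if not authorization or " " not in authorization.strip():
        return None
    return authorization.strip().split(" ", 1)[0].lower()


def run_chain(domains: List[AuthDomain],
              authorization: Optional[str]) -> Tuple[Optional[str], List[str]]:
    """Walk the domains in `order`. Returns (outcome, warnings) where outcome is
    the domain that accepted the credentials, "401 challenge" if a challenging
    domain stopped the chain, or None; warnings lists the "no credentials of my
    scheme" messages each domain would log before passing the request on."""
    warnings: List[str] = []
    scheme = scheme_of(authorization)
    # Assumed mapping from authenticator type to the header scheme it consumes.
    accepts = {"basic": "basic", "saml": "bearer"}
    for d in sorted(domains, key=lambda d: d.order):
        if scheme == accepts[d.http_type]:
            return d.name, warnings
        warnings.append(f"{d.name}: no {accepts[d.http_type].title()} credentials")
        if d.challenge:
            return "401 challenge", warnings
    return None, warnings


if __name__ == "__main__":
    # Kibana forwarding a SAML-session JWT (constructed placeholder token):
    print(run_chain(CONFIG_DOMAINS, "Bearer <jwt-placeholder>"))
    # kibanaserver itself using Basic auth:
    print(run_chain(CONFIG_DOMAINS, "Basic a2liYW5hc2VydmVyOnh4eA=="))
    # No Authorization header at all:
    print(run_chain(CONFIG_DOMAINS, None))
```

Under these assumptions a Bearer request is logged by the order-1 basic domain but still accepted by the SAML domain, and only a request with no usable credentials at all ends in a real 401.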