SAML issue on logout

Hello Community,
I faced an issue with the SAML configuration when certificates are provided for Request signing.
Version: Opendistro 1.12.0
Provider: PingID
These are the configurations:

sp:
  entity_id: saml
  forceAuthn: true
  signature_private_key_filepath: '/etc/elasticsearch/certs/elasticsearch.key'

On the Identity Provider side I configured this SLO: https://<kibana_ip>/auth/logout and provided the .pem certificate.
On the kibana.yml file I’ve configured this:

opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/auth/logout"]

But I am receiving this error in the browser when I log out the user:

{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

This is the request of the error:

https://<kibana_ip>/auth/logout?SAMLResponse=pZJBa4NAEIX%252Fiux9dd2YqEsMlKYUIU1KE3LopYzrmAhmV5wV%252BvNrTFuSHnIpzGWGN%252FO%252BBzMnODWtWtmD7d0bUmsNoZcvM1aXHKQIYwDBRaKRR6JIeFLFyGdyUiSzIiyKEpi3x45qazImfcG8nKjH3JAD44aRkCEXEQ%252BjnZyoUCoZ%252B7GM3wed%252BXHb2Yxt1k%252BrzXO%252B%252FgAhJhUORpVIBksQJU%252BS6dBOq6iSMVazqmDeEsnVBtxoe3SuJRUEofC%252FaxpA745BM4Zi3uepMaTGoBnrO6MsUE3KwAlJOa22Dy8rNcCrtrPOatuwxfysVmOW7mr%252F%252FjoQYXdmYosfpjOH39bmYA362p6CVJZQpoBclLriURnFPAEd8qhIC4z1VKcTMQ%252Bu3C8ordo6cD3ddo%252B2RG8PTY%252F3wWhUq22vNRKxfx15hSEiNJeHYcHiAnt97M%252Fot739scUX&SigAlg=http%253A%252F%252Fwww.w3.org%252F2001%252F04%252Fxmldsig-more%2523rsa-sha256&Signature=P%252Fl4yWcp7A41xdFMcGe1sE4w%252BHM24ihH6P6ZDLwkV%252Fw81kts%252FvOaA0Hw9Bdx4ZvX6EzVRrEqC1dreb30oLujteMOU97YDH%252FFgj%252FmSR9VifeIlGxmLRs2VTo1QCfPIOllq2i2SK83sds1JGP4tvSCTPI9yhBXjeVrKehMka5c05OTmoD9frf4lzeUzqyXVMuTY%252BO%252F4%252FVvXl%252Bua9YfE%252FZh7yvRElG58VcQQYWL4yp2NG5S%252BaqH%252Fyc3qWAOCfEl%252FlkUrIOjxupwHVnu3ObqFrqZ0CsiQxpQ2vc5dH9QB%252BTsEQ1sPAvxHjP4PPDOwtZKQOrZulQ1fixkeCP0478oSvp0BA%253D%253D

I hope this information is useful to help me solve the issue.

Hello @Lord_Zetas

Could you share your PingID configuration?
Did you try using the line below in your IdP instead?

https://<kibana_ip>:<port_number>/_opendistro/_security/saml/logout

Exact same issue.

SAML SETTINGS

  • ACS URLS: https://10.10.10.15/_opendistro/_security/saml/acs
  • SIGNING CERTIFICATE: PingOne SSO Certificate for Administrators environment
  • Sign Assertion & Response
  • SIGNING ALGORITHM: RSA_SHA256
  • ENCRYPTION Disabled
  • ENTITY ID: saml
  • SLO ENDPOINT: https://10.10.10.15/_opendistro/_security/saml/logout [OR] https://10.10.10.15/auth/logout
  • SLO RESPONSE ENDPOINT: blank
  • SLO BINDING: HTTP Redirect
  • ASSERTION VALIDITY DURATION: 3600
  • Enforce Signed Authn Request
  • VERIFICATION CERTIFICATE: node-1 (elasticsearch) Valid 03-21 to 03-31

One thing I want to clarify is the fact that the same configuration in OpenDistro 1.10 is working as expected (I was not able to test it in 1.11)

@Lord_Zetas thanks for that info. Have you tried 1.13?
I had a couple of issues with 1.11 and 1.12 in regards to self-signed certs and OpenID. Maybe SAML got affected too.

Have you got any warnings/errors in Kibana/ES logs?

Pablo, thanks for the Help.
I have not tried that version yet.
In kibana I don’t see warnings or errors, just the action being logged in.
In Elastic I have only this warning:
[2021-04-15T16:45:20,608][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [node-1] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
Thanks in advance!

Hello Pablo,
I am confirming that I ran into the same issue with OpenDistro 1.13:
{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}
Do you think I should raise an issue in github?

Hello @Lord_Zetas

I forgot to ask. Your Kibana URL doesn't contain a port number (5601). Do you run a proxy in front of Kibana?

Hello Pablo,
No, I have configured port 443 in kibana.yml and I applied this config to the server:
setcap 'cap_net_bind_service=+ep' /usr/share/kibana/node/bin/node
So I can access it directly on port 443 through HTTPS.

Hello @Lord_Zetas

I’ve done further testing and got the same results. Logout is working up to 1.11 but starting from 1.12 I’m getting the same error as you.

{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

In my lab I use Keycloak instead of PingID however, based on the above this is not an IDP platform issue.

Hi @pablo and @Lord_Zetas ,

I managed to get a workaround for this issue. The problem seems to be that the parameter authInfo.sso_logout_url comes with the SLO URL and it is taken as unauthorized (in my case, with the Ping Identity IdP, it is in the form https://auth.pingone.com/<tenant>/saml20/idp/slo ).

So I changed the redirect URL that is injected on the location of the response header.

  • Edit the file /usr/share/kibana/plugins/opendistroSecurityKibana/server/auth/types/saml/routes.js
  • Go to the path: /auth/logout part of the code.
  • Change the redirectUrl constant assignment

const redirectUrl = authInfo.sso_logout_url || this.coreSetup.http.basePath.serverBasePath || '/';

with for example

const redirectUrl = `${this.coreSetup.http.basePath.serverBasePath}/app/kibana`;

  • Restart Kibana.

Regards.
