I have been working for a couple of days on trying to set up SAML integration with Jumpcloud.
Both sides, Jumpcloud and ELK, have been configured; however, I am constantly redirected to this URL: /customerror?type=samlAuthError#?_g=()
Here is part of my configuration; I have replaced sensitive data with <>:
# Elasticsearch: Open Distro security config (authc section)
authc:
  basic_internal_auth_domain:
    description: "Authenticate via HTTP Basic against internal users database"
    http_enabled: true
    transport_enabled: true
    order: 0
    http_authenticator:
      type: basic
      challenge: false
    authentication_backend:
      type: internal
  saml_auth_domain:
    http_enabled: true
    transport_enabled: false
    order: 1
    http_authenticator:
      type: saml
      challenge: true
      config:
        idp:
          # metadata_file: /etc/elasticsearch/elastic-metadata-jumpcloud.xml
          metadata_file: elastic-metadata-jumpcloud.xml
          # entity ID of the IdP; must match the entityID in the IdP metadata file
          entity_id: https://<KIBANA IP>
        sp:
          # entity ID of the service provider (Kibana), sent as Audience by the IdP
          entity_id: kibana-saml
        kibana_url: https://<KIBANA IP>:5601/
        # assertion attribute holding the user name
        subject_key: username
        # assertion attribute holding the roles (backend roles)
        roles_key: roles
        # key used to sign the internal token exchanged between Kibana and Elasticsearch
        exchange_key: '<32 character long string>'
    authentication_backend:
      type: noop
# kibana.yml
opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout"]
elasticsearch.ssl.verificationMode: full
server.ssl.enabled: true
server.ssl.key: /etc/kibana/kibana-key.pem
server.ssl.certificate: /etc/kibana/kibana.pem
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/root-ca.pem"]
After committing the changes the security script is run, and on the relative path 'metadata_file' there is an .xml file with the metadata extracted from Jumpcloud.
On the Jumpcloud side we are using the SAML 1.0 unspecified format for parsing the SAMLSubject NameID (I tried the 2.0 variants, but it is still SAML 2.0 communication).
The link for the ACS is https://:5601/_opendistro/_security/saml/acs
Also, the mapping is username-username, and for the constant attribute roles I tried both "all_access" and "*".
Everything seemed OK regarding the configuration; I rechecked it a couple of times against the Open Distro SAML configuration instructions. However, I still receive this kind of URL (https://:5601/customerror?type=samlAuthError#?_g=()), and there are no logs explaining the issue in either Kibana or Elasticsearch.
I also added the respective lines to log4j2.properties in Elasticsearch (https://opendistro.github.io/for-elasticsearch-docs/docs/troubleshoot/saml/#inspect-the-saml-response), which generates no additional log output.
If anyone has an idea what more can be looked into, please advise. I can add additional information if necessary.
The Opendistro version is 1.4.0, and the ELK version is 7.4.2.
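When the plugin logs nothing, the next thing to look at is the SAMLResponse itself, which the browser POSTs to the ACS URL and which can be copied from the developer tools. The script below is an added example, not code from the original post, from Open Distro or from JumpCloud. It base64-decodes a response, pulls out the fields the SAML authenticator compares (Issuer, Audience, Destination, NameID and its Format, attribute names) and lists mismatches against the settings from the post (idp.entity_id, sp.entity_id, subject_key, roles_key, ACS URL). The embedded response is a constructed, unsigned sample; KIBANA_IP and the JumpCloud issuer URL are placeholders, and the script does not verify the XML signature, it only inspects the assertion.

```python
"""Inspect a SAMLResponse against Open Distro SAML settings (added example)."""
import base64
import sys
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Settings mirroring the posted config; KIBANA_IP is a placeholder (assumption).
POSTED_CONFIG = {
    "idp_entity_id": "https://KIBANA_IP",                               # idp.entity_id
    "sp_entity_id": "kibana-saml",                                      # sp.entity_id
    "acs_url": "https://KIBANA_IP:5601/_opendistro/_security/saml/acs",  # kibana_url + ACS path
    "subject_key": "username",
    "roles_key": "roles",
}

# Constructed sample response: not a real JumpCloud assertion, carries no signature.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  Destination="https://KIBANA_IP:5601/_opendistro/_security/saml/acs">
  <saml:Issuer>https://idp.example.jumpcloud.test/saml2/kibana</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.jumpcloud.test/saml2/kibana</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>kibana-saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="roles"><saml:AttributeValue>all_access</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_saml_response(b64: str) -> dict:
    """Decode a (possibly URL-encoded) base64 SAMLResponse and extract the checked fields."""
    root = ET.fromstring(base64.b64decode(unquote(b64)))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "destination": root.get("Destination"),
        "status": status.get("Value") if status is not None else None,
        "issuer": (root.findtext("saml:Issuer", default="", namespaces=NS) or "").strip(),
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audiences": [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)],
        "attributes": attrs,
    }


def check_against_config(parsed: dict, cfg: dict) -> list:
    """Return human-readable mismatches between the response and the SP settings."""
    problems = []
    if parsed["status"] != SUCCESS:
        problems.append(f"IdP returned status {parsed['status']!r}, not Success")
    if parsed["issuer"] != cfg["idp_entity_id"]:
        problems.append(f"Issuer {parsed['issuer']!r} != idp.entity_id {cfg['idp_entity_id']!r}")
    if cfg["sp_entity_id"] not in parsed["audiences"]:
        problems.append(f"sp.entity_id {cfg['sp_entity_id']!r} not in Audience {parsed['audiences']}")
    if parsed["destination"] != cfg["acs_url"]:
        problems.append(f"Destination {parsed['destination']!r} != ACS URL {cfg['acs_url']!r}")
    for key in ("subject_key", "roles_key"):
        if cfg[key] and cfg[key] not in parsed["attributes"]:
            problems.append(f"{key} {cfg[key]!r} not among attributes {sorted(parsed['attributes'])}")
    return problems


if __name__ == "__main__":
    # Pass the SAMLResponse form value copied from the browser as the first argument.
    raw = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_RESPONSE_B64
    parsed = parse_saml_response(raw)
    for k, v in parsed.items():
        print(f"{k}: {v}")
    for p in check_against_config(parsed, POSTED_CONFIG):
        print("MISMATCH:", p)
```

Run it with the SAMLResponse value from the POST to /_opendistro/_security/saml/acs as the first argument; it accepts the raw form value (URL-decoding is applied before base64 decoding). With the placeholder config the sample reports one mismatch, the Issuer against idp.entity_id, which is the kind of silent disagreement between IdP metadata, Issuer and SP settings that ends in a samlAuthError redirect with nothing in the logs. Because the script skips signature verification, treat it as a diagnostic only, never as a validator.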