SAML and OpenID officially released with Search Guard v23

Jochen Kressin

Aug 16, 2018, 9:16:46 AM
to Search Guard Community Forum
Hi all,

we have released Search Guard v23 and Kibana Plugin v14 which add SAML and OpenID support. Choose your favorite identity provider like Keycloak, Okta, Auth0 or OneLogin and enjoy painless and easy Kibana Single Sign-On!


Besides OpenID and SAML, the new Kibana plugin version comes with numerous fixes and improvements:


If you're keen on trying out SAML or OpenID, make sure to check our blog posts and the official documentation:



We have merged the Search Guard Enterprise and Compliance Edition into one codebase. That means that you get all features of Search Guard in a single download. The availability of the features is merely controlled by the license. This means you can switch between Community, Enterprise and Compliance on a running system. No need for installing another plugin version or restarting your cluster.

We hope you enjoy the new features as much as we do! If you have any questions or feature requests please let us know!

Jochen and the Search Guard team

-----------------------------------------------------------------------------------------------------------------------------------
Search Guard (®) is an Elasticsearch plugin that offers encryption, authentication, and authorization.
Coded with love in Berlin, Denmark, Sweden and the US. 
Search Guard is a trademark of floragunn GmbH, registered in the U.S. and in other countries.
Elasticsearch, Kibana, Logstash, and Beats are trademarks of Elasticsearch BV, registered in the U.S. and in other countries.

Max Caines

Aug 28, 2018, 12:25:37 PM
to search...@googlegroups.com
Hi Jochen

I'm trying to set up SAML authentication for Searchguard using Microsoft ADFS 3 as my IdP. I've got it to the stage where I get redirected to ADFS to authenticate, but when my browser is redirected to the Assertion Consumer URL (/searchguard/saml/acs) I get a 404 error on screen and in the Kibana log. Any ideas what I should be looking at?

Thanks

Max

* Search Guard and Elasticsearch version: ES 6.2.4, SG 6.2.4-23.0, Kibana/SG 6.2.4-14beta1
* Installed and used enterprise modules, if any: SAML
* JVM version and operating system version: Oracle Java 8u171-1, Debian 9.4
* Search Guard configuration files: attached
* Elasticsearch log messages on debug level: don't currently have these available
* Other installed Elasticsearch or Kibana plugins, if any: none

sgconf.tar.gz

Jochen Kressin

Aug 28, 2018, 2:36:37 PM
to search...@googlegroups.com
Did you add the ACS endpoint to the xsrf whitelist?

server.xsrf.whitelist: ["/searchguard/saml/acs", "/searchguard/saml/logout"]


We have customers using SAML with ADFS, so it is known to work.

Max Caines

Aug 28, 2018, 3:26:12 PM
to search...@googlegroups.com
Hi Jochen

Yes, I did. I’m assuming that goes in kibana.yml. I guess I should check for typos. Good to hear that I’m not the first using ADFS

Thanks

Max

On Tue, 28 Aug 2018 at 19:36, Jochen Kressin <jkre...@floragunn.com> wrote:
Did you add the ACS endpoint to the xsrf whitelist?

Max Caines

Aug 29, 2018, 6:33:33 AM
to search...@googlegroups.com
Hi Jochen

I've got a lot further (replaced the beta of the Kibana plugin with the release version), but I'm now baffled. Elasticsearch is getting, and accepting, a SAML response from ADFS containing a user name and role. It creates a JWT token, but then says:

[2018-08-29T11:14:39,103][DEBUG][c.o.s.a.SamlResponse     ] SAMLResponse has NameID --> in1012
[2018-08-29T11:14:39,146][DEBUG][c.o.s.a.SamlResponse     ] SAMLResponse has attributes: {http://schemas.microsoft.com/ws/2008/06/identity/claims/role=[staff]}
[2018-08-29T11:14:39,163][DEBUG][c.f.d.a.h.s.Token        ] Created JWT: eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE1MzU1Mzc2NzksImV4cCI6MTUzNTU0MTI3OSwic3ViIjoiaW4xMDEyIiwic2FtbF9zaSI6Il8wZTlhODEwOC03NWY4LTQ5OTktYjdjNi03MGVhMThmNDljODEiLCJyb2xlcyI6WyJzdGFmZiJdfQ.WqYTtYZaYaAeynycfr_jSQPrp0-no6PIA26CrXR9qRVCtDUt6JYH-8f2tZp0_d5kPtgdFOuaSLJK1dELhMl1iQ
{"alg":"HS512"}
{"nbf":1535537679,"exp":1535541279,"sub":"in1012","saml_si":"_0e9a8108-75f8-4999-b7c6-70ea18f49c81","roles":["staff"]}
[2018-08-29T11:14:39,240][WARN ][c.f.s.h.HTTPBasicAuthenticator] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2018-08-29T11:14:39,258][DEBUG][c.f.s.a.BackendRegistry  ] in1012 not cached, return from internal backend directly
[2018-08-29T11:14:39,259][DEBUG][c.f.s.a.BackendRegistry  ] Can not authenticate in1012 due to com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[in1012 not found]
com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[in1012 not found]

I don't understand what it's up to. The Kibana log, even set to "debug", has little around this time - just the redirect from ADFS, and then the SAML error that appears onscreen:

{"type":"response","@timestamp":"2018-08-29T10:14:38Z","tags":[],"pid":9060,"method":"post","statusCode":302,"req":{"url":"/searchguard/saml/acs","method":"post","headers":{"host":"jruby.wlv.ac.uk","connection":"keep-alive","content-length":"5205","cache-control":"max-age=0","origin":"https://sso.wlv.ac.uk","upgrade-insecure-requests":"1","content-type":"application/x-www-form-urlencoded","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","referer":"https://sso.wlv.ac.uk/adfs/ls/?SAMLRequest=fZJPU8IwEMW%2FSif3NC0tihlgBsE%2FzCAwgh68OEu7QKRNMJuAfHtL0REPesu83bdvf0naBGWxlT3v1voR3z2SCz7KQpOsCx3mrZYGSJHUUCJJl8lZ72EkG2Ekt9Y4k5mCnVn%2BdwARWqeMZsFw0GGT8c1ocjccv6ZJAohpwlvLPOdpCyIOzTjhUXNxUSkX2IQGC57RUuXtsGpUNYDI41CTA%2B0qKYpbPGrxxtU8jmScyvjyhQWDikdpcLVr7dyWpBBEJtwXuxCy0G8E5EsSBQkWTL9wrpXOlV79T7I4NZG8n8%2BnfDqZzVnQ%2B6brG02%2BRDtDu1MZPj2OftLfrF8cfvJlmiaCEGy2XnmwuTheooCMWLd9PMoa03Y3agEa%2BFFqi%2FNC%2B%2FSC42rD4WBqCpUdgltjS3B%2FA8RhXCsq58u6VXpNW8zUUmFecRSF2fctgsMOc9YjC0T3lPr7q3Q%2FAQ%3D%3D&client-request-id=1a1a8c26-bc26-4ba0-f805-008001000085","accept-encoding":"gzip, deflate, 
br","accept-language":"en-US,en;q=0.9,en-GB;q=0.8"},"remoteAddress":"134.220.193.4","userAgent":"134.220.193.4","referer":"https://sso.wlv.ac.uk/adfs/ls/?SAMLRequest=fZJPU8IwEMW%2FSif3NC0tihlgBsE%2FzCAwgh68OEu7QKRNMJuAfHtL0REPesu83bdvf0naBGWxlT3v1voR3z2SCz7KQpOsCx3mrZYGSJHUUCJJl8lZ72EkG2Ekt9Y4k5mCnVn%2BdwARWqeMZsFw0GGT8c1ocjccv6ZJAohpwlvLPOdpCyIOzTjhUXNxUSkX2IQGC57RUuXtsGpUNYDI41CTA%2B0qKYpbPGrxxtU8jmScyvjyhQWDikdpcLVr7dyWpBBEJtwXuxCy0G8E5EsSBQkWTL9wrpXOlV79T7I4NZG8n8%2BnfDqZzVnQ%2B6brG02%2BRDtDu1MZPj2OftLfrF8cfvJlmiaCEGy2XnmwuTheooCMWLd9PMoa03Y3agEa%2BFFqi%2FNC%2B%2FSC42rD4WBqCpUdgltjS3B%2FA8RhXCsq58u6VXpNW8zUUmFecRSF2fctgsMOc9YjC0T3lPr7q3Q%2FAQ%3D%3D&client-request-id=1a1a8c26-bc26-4ba0-f805-008001000085"},"res":{"statusCode":302,"responseTime":1064,"contentLength":9},"message":"POST /searchguard/saml/acs 302 1064ms - 9.0B"}
{"type":"ops","@timestamp":"2018-08-29T10:14:39Z","tags":[],"pid":9060,"os":{"load":[0.517578125,0.1748046875,0.17333984375],"mem":{"total":8376090624,"free":1717936128},"uptime":6134972},"proc":{"uptime":53.008,"mem":{"rss":168538112,"heapTotal":137834496,"heapUsed":125732328,"external":689483},"delay":1.7034826278686523},"load":{"requests":{"443":{"total":2,"disconnects":0,"statusCodes":{"302":1}}},"concurrents":{"443":5},"responseTimes":{"443":{"avg":1064,"max":1064}},"sockets":{"http":{"total":0},"https":{"total":0}}},"message":"memory: 119.9MB uptime: 0:00:53 load: [0.52 0.17 0.17] delay: 1.703"}
{"type":"response","@timestamp":"2018-08-29T10:14:39Z","tags":[],"pid":9060,"method":"get","statusCode":200,"req":{"url":"/customerror?type=samlAuthError","method":"get","headers":{"host":"jruby.wlv.ac.uk","connection":"keep-alive","cache-control":"max-age=0","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","referer":"https://sso.wlv.ac.uk/adfs/ls/?SAMLRequest=fZJPU8IwEMW%2FSif3NC0tihlgBsE%2FzCAwgh68OEu7QKRNMJuAfHtL0REPesu83bdvf0naBGWxlT3v1voR3z2SCz7KQpOsCx3mrZYGSJHUUCJJl8lZ72EkG2Ekt9Y4k5mCnVn%2BdwARWqeMZsFw0GGT8c1ocjccv6ZJAohpwlvLPOdpCyIOzTjhUXNxUSkX2IQGC57RUuXtsGpUNYDI41CTA%2B0qKYpbPGrxxtU8jmScyvjyhQWDikdpcLVr7dyWpBBEJtwXuxCy0G8E5EsSBQkWTL9wrpXOlV79T7I4NZG8n8%2BnfDqZzVnQ%2B6brG02%2BRDtDu1MZPj2OftLfrF8cfvJlmiaCEGy2XnmwuTheooCMWLd9PMoa03Y3agEa%2BFFqi%2FNC%2B%2FSC42rD4WBqCpUdgltjS3B%2FA8RhXCsq58u6VXpNW8zUUmFecRSF2fctgsMOc9YjC0T3lPr7q3Q%2FAQ%3D%3D&client-request-id=1a1a8c26-bc26-4ba0-f805-008001000085","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,en-GB;q=0.8"},"remoteAddress":"134.220.193.4","userAgent":"134.220.193.4","referer":"https://sso.wlv.ac.uk/adfs/ls/?SAMLRequest=fZJPU8IwEMW%2FSif3NC0tihlgBsE%2FzCAwgh68OEu7QKRNMJuAfHtL0REPesu83bdvf0naBGWxlT3v1voR3z2SCz7KQpOsCx3mrZYGSJHUUCJJl8lZ72EkG2Ekt9Y4k5mCnVn%2BdwARWqeMZsFw0GGT8c1ocjccv6ZJAohpwlvLPOdpCyIOzTjhUXNxUSkX2IQGC57RUuXtsGpUNYDI41CTA%2B0qKYpbPGrxxtU8jmScyvjyhQWDikdpcLVr7dyWpBBEJtwXuxCy0G8E5EsSBQkWTL9wrpXOlV79T7I4NZG8n8%2BnfDqZzVnQ%2B6brG02%2BRDtDu1MZPj2OftLfrF8cfvJlmiaCEGy2XnmwuTheooCMWLd9PMoa03Y3agEa%2BFFqi%2FNC%2B%2FSC42rD4WBqCpUdgltjS3B%2FA8RhXCsq58u6VXpNW8zUUmFecRSF2fctgsMOc9YjC0T3lPr7q3Q%2FAQ%3D%3D&client-request-id=1a1a8c26-bc26-4ba0-f805-008001000085"},"res":{"statusCode":200,"responseTime":354,"contentLength":9},"message":"GET /customerror?type=samlAuthError 200 354ms - 
9.0B"}

It seems like the authentication is succeeding, but Kibana is not happy in some way, since it's not sending Authorization headers to Elasticsearch. I'm baffled by this. Any ideas? I've attached the current config files, and I can supply full logs for ES and Kibana, but they are big (~25M)

Thanks

Max
sgconfig.tar.gz
conf.tar.gz

Max Caines

Aug 29, 2018, 7:39:35 AM
to search...@googlegroups.com
Hi Jochen

OK, sorted. The problem was that I had too much indentation on the "authentication_backend" line in the "saml" section of "sg_config.yml". As a result the authentication backend was defaulting to "internal", and my account is not listed in that backend. The use of indentation to structure YML files makes them easy to write, but also easy to screw up!

Thanks

Max

Jochen Kressin

Aug 29, 2018, 12:43:00 PM
to Search Guard Community Forum
Hi Max, glad you sorted it out. I think we will need to provide some tools to check the configs in future, it's too easy to make mistakes in yaml ;)
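
A minimal version of the kind of config check discussed above, as an added example that is not part of the original thread and not Search Guard's own tooling: it parses an sg_config.yml-style document and reports authc domains where "authentication_backend" is not a direct child of the domain. The sample documents are constructed, and the key layout (searchguard.dynamic.authc.<domain>) and the names `check_authc` and `find_key` are assumptions made for this example.

```ruby
require 'yaml'

# Keys each authc domain must carry as direct children (layout assumed from
# Search Guard's documented sg_config.yml format, not shown in the thread).
REQUIRED = %w[http_authenticator authentication_backend].freeze

# Constructed sample: the part of a SAML domain shared by both variants.
HEAD = <<~CONF
  searchguard:
    dynamic:
      authc:
        saml:
          http_enabled: true
          order: 1
          http_authenticator:
            type: saml
            challenge: true
CONF
# Correct: authentication_backend is a sibling of http_authenticator.
GOOD = HEAD + "        authentication_backend:\n          type: noop\n"
# Over-indented: still valid YAML, but the key now parses as a child of
# http_authenticator, so the domain itself has no backend configured.
BAD = HEAD + "          authentication_backend:\n            type: noop\n"

# Recursively collect the dotted paths at which `key` occurs below `node`.
def find_key(node, key, path = [])
  return [] unless node.is_a?(Hash)
  node.flat_map do |k, v|
    here = path + [k]
    (k == key ? [here.join('.')] : []) + find_key(v, key, here)
  end
end

# Return one finding per required key that is absent from an authc domain.
def check_authc(yaml_text)
  authc = (YAML.safe_load(yaml_text) || {}).dig('searchguard', 'dynamic', 'authc') || {}
  authc.flat_map do |name, domain|
    REQUIRED.reject { |k| domain.is_a?(Hash) && domain.key?(k) }.map do |k|
      nested = find_key(domain, k)
      hint = nested.empty? ? 'missing' : "nested at #{nested.join(', ')} (over-indented?)"
      "#{name}: #{k} #{hint}"
    end
  end
end

puts check_authc(BAD)
```

Because the over-indented file is still well-formed YAML, a plain syntax check passes; only a structural check like this one catches the misplaced key.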