I've got a lot further (replaced the beta of the Kibana plugin with the release version), but I'm now baffled. Elasticsearch is getting, and accepting, a SAML response from ADFS containing a user name and role. It creates a JWT token, but then says:
[2018-08-29T11:14:39,103][DEBUG][c.o.s.a.SamlResponse ] SAMLResponse has NameID --> in1012
[2018-08-29T11:14:39,163][DEBUG][c.f.d.a.h.s.Token ] Created JWT: eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE1MzU1Mzc2NzksImV4cCI6MTUzNTU0MTI3OSwic3ViIjoiaW4xMDEyIiwic2FtbF9zaSI6Il8wZTlhODEwOC03NWY4LTQ5OTktYjdjNi03MGVhMThmNDljODEiLCJyb2xlcyI6WyJzdGFmZiJdfQ.WqYTtYZaYaAeynycfr_jSQPrp0-no6PIA26CrXR9qRVCtDUt6JYH-8f2tZp0_d5kPtgdFOuaSLJK1dELhMl1iQ
{"alg":"HS512"}
{"nbf":1535537679,"exp":1535541279,"sub":"in1012","saml_si":"_0e9a8108-75f8-4999-b7c6-70ea18f49c81","roles":["staff"]}
[2018-08-29T11:14:39,240][WARN ][c.f.s.h.HTTPBasicAuthenticator] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2018-08-29T11:14:39,258][DEBUG][c.f.s.a.BackendRegistry ] in1012 not cached, return from internal backend directly
[2018-08-29T11:14:39,259][DEBUG][c.f.s.a.BackendRegistry ] Can not authenticate in1012 due to com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[in1012 not found]
com.google.common.util.concurrent.UncheckedExecutionException: ElasticsearchSecurityException[in1012 not found]
I don't understand what it's up to. The Kibana log, even set to "debug", has little around this time - just the redirect from ADFS, and then the SAML error that appears onscreen:
{"type":"response","@timestamp":"2018-08-29T10:14:38Z","tags":[],"pid":9060,"method":"post","statusCode":302,"req":{"url":"/searchguard/saml/acs","method":"post","headers":{"host":"jruby.wlv.ac.uk","connection":"keep-alive","content-length":"5205","cache-control":"max-age=0","origin":"https://sso.wlv.ac.uk","upgrade-insecure-requests":"1","content-type":"application/x-www-form-urlencoded","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","referer":"https://sso.wlv.ac.uk/adfs/ls/?SAMLRequest=fZJPU8IwEMW%2FSif3NC0tihlgBsE%2FzCAwgh68OEu7QKRNMJuAfHtL0REPesu83bdvf0naBGWxlT3v1voR3z2SCz7KQpOsCx3mrZYGSJHUUCJJl8lZ72EkG2Ekt9Y4k5mCnVn%2BdwARWqeMZsFw0GGT8c1ocjccv6ZJAohpwlvLPOdpCyIOzTjhUXNxUSkX2IQGC57RUuXtsGpUNYDI41CTA%2B0qKYpbPGrxxtU8jmScyvjyhQWDikdpcLVr7dyWpBBEJtwXuxCy0G8E5EsSBQkWTL9wrpXOlV79T7I4NZG8n8%2BnfDqZzVnQ%2B6brG02%2BRDtDu1MZPj2OftLfrF8cfvJlmiaCEGy2XnmwuTheooCMWLd9PMoa03Y3agEa%2BFFqi%2FNC%2B%2FSC42rD4WBqCpUdgltjS3B%2FA8RhXCsq58u6VXpNW8zUUmFecRSF2fctgsMOc9YjC0T3lPr7q3Q%2FAQ%3D%3D&client-request-id=1a1a8c26-bc26-4ba0-f805-008001000085","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,en-GB;q=0.8"},"remoteAddress":"134.220.193.4","userAgent":"134.220.193.4","referer":"https://sso.wlv.ac.uk/adfs/ls/?SAMLRequest=fZJPU8IwEMW%2FSif3NC0tihlgBsE%2FzCAwgh68OEu7QKRNMJuAfHtL0REPesu83bdvf0naBGWxlT3v1voR3z2SCz7KQpOsCx3mrZYGSJHUUCJJl8lZ72EkG2Ekt9Y4k5mCnVn%2BdwARWqeMZsFw0GGT8c1ocjccv6ZJAohpwlvLPOdpCyIOzTjhUXNxUSkX2IQGC57RUuXtsGpUNYDI41CTA%2B0qKYpbPGrxxtU8jmScyvjyhQWDikdpcLVr7dyWpBBEJtwXuxCy0G8E5EsSBQkWTL9wrpXOlV79T7I4NZG8n8%2BnfDqZzVnQ%2B6brG02%2BRDtDu1MZPj2OftLfrF8cfvJlmiaCEGy2XnmwuTheooCMWLd9PMoa03Y3agEa%2BFFqi%2FNC%2B%2FSC42rD4WBqCpUdgltjS3B%2FA8RhXCsq58u6VXpNW8zUUmFecRSF2fctgsMOc9YjC0T3lPr7q3Q%2FAQ%3D%3D&client-request-id=1a1a8c26-bc26-4ba0-f805-008001000085"},"res":{"statusCode":302,"responseTime":1064,"contentLength":9},"message":"POST /searchguard/saml/acs 302 1064ms - 9.0B"}
{"type":"response","@timestamp":"2018-08-29T10:14:39Z","tags":[],"pid":9060,"method":"get","statusCode":200,"req":{"url":"/customerror?type=samlAuthError","method":"get","headers":{"host":"jruby.wlv.ac.uk","connection":"keep-alive","cache-control":"max-age=0","upgrade-insecure-requests":"1","user-agent":"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36","accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8","referer":"https://sso.wlv.ac.uk/adfs/ls/?SAMLRequest=fZJPU8IwEMW%2FSif3NC0tihlgBsE%2FzCAwgh68OEu7QKRNMJuAfHtL0REPesu83bdvf0naBGWxlT3v1voR3z2SCz7KQpOsCx3mrZYGSJHUUCJJl8lZ72EkG2Ekt9Y4k5mCnVn%2BdwARWqeMZsFw0GGT8c1ocjccv6ZJAohpwlvLPOdpCyIOzTjhUXNxUSkX2IQGC57RUuXtsGpUNYDI41CTA%2B0qKYpbPGrxxtU8jmScyvjyhQWDikdpcLVr7dyWpBBEJtwXuxCy0G8E5EsSBQkWTL9wrpXOlV79T7I4NZG8n8%2BnfDqZzVnQ%2B6brG02%2BRDtDu1MZPj2OftLfrF8cfvJlmiaCEGy2XnmwuTheooCMWLd9PMoa03Y3agEa%2BFFqi%2FNC%2B%2FSC42rD4WBqCpUdgltjS3B%2FA8RhXCsq58u6VXpNW8zUUmFecRSF2fctgsMOc9YjC0T3lPr7q3Q%2FAQ%3D%3D&client-request-id=1a1a8c26-bc26-4ba0-f805-008001000085","accept-encoding":"gzip, deflate, br","accept-language":"en-US,en;q=0.9,en-GB;q=0.8"},"remoteAddress":"134.220.193.4","userAgent":"134.220.193.4","referer":"https://sso.wlv.ac.uk/adfs/ls/?SAMLRequest=fZJPU8IwEMW%2FSif3NC0tihlgBsE%2FzCAwgh68OEu7QKRNMJuAfHtL0REPesu83bdvf0naBGWxlT3v1voR3z2SCz7KQpOsCx3mrZYGSJHUUCJJl8lZ72EkG2Ekt9Y4k5mCnVn%2BdwARWqeMZsFw0GGT8c1ocjccv6ZJAohpwlvLPOdpCyIOzTjhUXNxUSkX2IQGC57RUuXtsGpUNYDI41CTA%2B0qKYpbPGrxxtU8jmScyvjyhQWDikdpcLVr7dyWpBBEJtwXuxCy0G8E5EsSBQkWTL9wrpXOlV79T7I4NZG8n8%2BnfDqZzVnQ%2B6brG02%2BRDtDu1MZPj2OftLfrF8cfvJlmiaCEGy2XnmwuTheooCMWLd9PMoa03Y3agEa%2BFFqi%2FNC%2B%2FSC42rD4WBqCpUdgltjS3B%2FA8RhXCsq58u6VXpNW8zUUmFecRSF2fctgsMOc9YjC0T3lPr7q3Q%2FAQ%3D%3D&client-request-id=1a1a8c26-bc26-4ba0-f805-008001000085"},"res":{"statusCode":200,"responseTime":354,"contentLength":9},"message":"GET /customerror?type=samlAuthError 200 354ms - 9.0B"}
It seems like the authentication is succeeding, but Kibana is not happy in some way, since it's not sending Authorization headers to Elasticsearch. I'm baffled by this. Any ideas? I've attached the current config files, and I can supply full logs for ES and Kibana, but they are big (~25M).
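A small log-triage helper for the situation in this post, added here as an illustration (not the poster's code and not part of Search Guard): it pulls the NameID and the minted JWT out of the Elasticsearch lines quoted above, decodes the token's claims without verifying the signature (the HS512 key is only on the cluster), and flags the tell-tale sequence of "JWT created" followed by "No 'Basic Authorization' header", which means the request that reached Elasticsearch carried no token and fell through to the internal user database. The sample log is a constructed copy of the three relevant lines from the post.

```python
import base64
import json
import re
from datetime import datetime, timezone

# Constructed sample: the three relevant Elasticsearch log lines quoted in the post.
SAMPLE_LOG = """\
[2018-08-29T11:14:39,103][DEBUG][c.o.s.a.SamlResponse ] SAMLResponse has NameID --> in1012
[2018-08-29T11:14:39,163][DEBUG][c.f.d.a.h.s.Token ] Created JWT: eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE1MzU1Mzc2NzksImV4cCI6MTUzNTU0MTI3OSwic3ViIjoiaW4xMDEyIiwic2FtbF9zaSI6Il8wZTlhODEwOC03NWY4LTQ5OTktYjdjNi03MGVhMThmNDljODEiLCJyb2xlcyI6WyJzdGFmZiJdfQ.WqYTtYZaYaAeynycfr_jSQPrp0-no6PIA26CrXR9qRVCtDUt6JYH-8f2tZp0_d5kPtgdFOuaSLJK1dELhMl1iQ
[2018-08-29T11:14:39,240][WARN ][c.f.s.h.HTTPBasicAuthenticator] No 'Basic Authorization' header, send 401 and 'WWW-Authenticate Basic'
"""


def b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_jwt_unverified(token: str):
    """Split a compact JWS into (header, claims). The signature is NOT checked:
    this is for reading what the cluster minted, not for trusting the token."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def triage_saml_jwt(log_text: str) -> dict:
    """Correlate NameID, minted JWT and the Basic-auth fallback warning."""
    name_id = re.search(r"NameID --> (\S+)", log_text)
    token = re.search(r"Created JWT: (\S+)", log_text)
    no_basic = "No 'Basic Authorization' header" in log_text
    if not (name_id and token):
        return {"jwt_created": False, "no_authorization_header_after": no_basic}
    header, claims = decode_jwt_unverified(token.group(1))
    nbf = datetime.fromtimestamp(claims["nbf"], timezone.utc)
    exp = datetime.fromtimestamp(claims["exp"], timezone.utc)
    return {
        "jwt_created": True,
        "alg": header.get("alg"),
        "subject_matches_nameid": claims.get("sub") == name_id.group(1),
        "roles": claims.get("roles", []),
        "not_before": nbf.isoformat(),
        "expires": exp.isoformat(),
        "lifetime_seconds": claims["exp"] - claims["nbf"],
        # A token was minted, yet the next request hit the Basic-auth path with
        # no Authorization header at all: the JWT never came back to Elasticsearch.
        "no_authorization_header_after": no_basic,
    }


if __name__ == "__main__":
    print(json.dumps(triage_saml_jwt(SAMPLE_LOG), indent=2))
```

The `nbf` in the token decodes to 10:14:39Z, i.e. the 11:14:39 local timestamp in the log, so the token itself was valid; the missing header on the follow-up request is what to chase.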