This repository has been archived by the owner on May 3, 2021. It is now read-only.

SAML issue on logout (with Signing Request) #1

Open
dariommr opened this issue Apr 19, 2021 · 3 comments

Comments

@dariommr

Description
The issue appears when logging out from OpenDistro while using Single Log Out with certificates.
Error on logout:
{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

Versions Tested:

  • 1.12
  • 1.13

Steps to Reproduce

  1. Install Elasticsearch-oss and Kibana-oss
  2. Install all the modules of OpenDistro Plugin for Elastic and Kibana
  3. Configure the Plugins and the IDP Provider
    I went through the Request signing documentation and configured this with PingID.

Configuration
config.yml

sp:
  entity_id: saml
  forceAuthn: true
  signature_private_key_filepath: '/etc/elasticsearch/certs/elasticsearch.key'

On the Identity Provider side, I configured this SLO: https://<kibana_ip>/auth/logout and provided the .pem certificate.
On the kibana.yml file I’ve configured this:

opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/auth/logout"]

PingID SAML Settings

  • ACS URLS: https://10.10.10.15/_opendistro/_security/saml/acs
  • SIGNING CERTIFICATE: PingOne SSO Certificate for Administrators environment
  • Sign Assertion & Response: Enabled
  • SIGNING ALGORITHM: RSA_SHA256
  • ENCRYPTION Disabled
  • ENTITY ID: saml
  • SLO ENDPOINT: https://10.10.10.15/_opendistro/_security/saml/logout [OR] https://10.10.10.15/auth/logout
  • SLO RESPONSE ENDPOINT: blank
  • SLO BINDING: HTTP Redirect
  • ASSERTION VALIDITY DURATION: 3600
  • Enforce Signed Authn Request: Enabled
  • VERIFICATION CERTIFICATE: node-1 (elasticsearch) Valid 03-21 to 03-31

Expected behavior
After the configuration, the user will attempt to log out and should be redirected either to the logout page (of the SSO provider) or to the login page (depending on the configuration).

I hope all of this could be helpful to solve the issue.

@dariommr (Author)

On versions prior to 1.12 the issue does not occur. You can check this question in your forums: https://discuss.opendistrocommunity.dev/t/saml-issue-on-logout/5617

@peterzhuamazon (Contributor)

Hi @dariommr, since this is related to security, I will transfer this to their repo issues.
Thanks.

@peterzhuamazon peterzhuamazon transferred this issue from opendistro-for-elasticsearch/opendistro-build Apr 23, 2021
@dariommr (Author)

Hello Team,
Any update on this?
