From cece5f24f704fc9a436b5ff9b4d386edf63c08a5 Mon Sep 17 00:00:00 2001 From: Ioannis Kakavas Date: Wed, 23 Oct 2019 17:24:04 +0300 Subject: [PATCH] Add sections in SAML Troubleshooting (#47964) (#48387) - Section about the case where the `principal` user property can't be mapped. - Section about when the IdP SAML metadata do not contain a SingleSignOnService that supports HTTP-Redirect binding. Co-Authored-By: Lisa Cawley Co-Authored-By: Tim Vernum --- .../authentication/saml-guide.asciidoc | 1 + .../docs/en/security/troubleshooting.asciidoc | 51 +++++++++++++++++++ 2 files changed, 52 insertions(+) diff --git a/x-pack/docs/en/security/authentication/saml-guide.asciidoc b/x-pack/docs/en/security/authentication/saml-guide.asciidoc index 36e5ddfc47b..e425aeb2c3a 100644 --- a/x-pack/docs/en/security/authentication/saml-guide.asciidoc +++ b/x-pack/docs/en/security/authentication/saml-guide.asciidoc @@ -240,6 +240,7 @@ The recommended steps for configuring these SAML attributes are as follows: in your IdP. In the example above, we have configured the `principal` and `groups` attributes. +[[saml-attribute-mapping-nameid]] ===== Special attribute names In general, {es} expects that the configured value for an attribute will be a diff --git a/x-pack/docs/en/security/troubleshooting.asciidoc b/x-pack/docs/en/security/troubleshooting.asciidoc index 31412708399..b97a53639fe 100644 --- a/x-pack/docs/en/security/troubleshooting.asciidoc +++ b/x-pack/docs/en/security/troubleshooting.asciidoc @@ -535,6 +535,57 @@ placeholder is used instead. To diagnose the _actual_ problem, you must check the {es} logs for further details. -- +. *Symptoms:* ++ +-- +Authentication in {kib} fails and the following error is printed in the {es} +logs: + +.... +Authentication to realm failed - SAML Attribute [] for +[xpack.security.authc.realms.saml..attributes.principal] not found in saml attributes +[=, =, ...] or NameID [ NameID(format)=value ] +.... + +*Resolution:* + +This error indicates that {es} failed to find the necessary SAML attribute in the SAML response that the +Identity Provider sent. In this example, {es} is configured as follows: +.... +xpack.security.authc.realms.saml..attributes.principal: AttributeName0 +.... +This configuration means that {es} expects to find a SAML Attribute with the name `AttributeName0` or a `NameID` with the appropriate format in the SAML +response so that <> to the `principal` user property. The `principal` user property is a +mandatory one, so if this mapping can't happen, the authentication fails. + +If you are attempting to map a `NameID`, make sure that the expected `NameID` format matches the one that is sent. +See <> for more details. + +If you are attempting to map a SAML attribute and it is not part of the list in the error message, it might mean +that you have misspelled the attribute name, or that the IdP is not sending this particular attribute. You might +be able to use another attribute from the list to map to `principal` or consult with your IdP administrator to +determine if the required attribute can be sent. + +-- + +. *Symptoms:* ++ +-- +Authentication in {kib} fails and the following error is printed in the {es} +logs: + +.... +Cannot find [{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor]/[urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect] in descriptor +.... + +*Resolution:* + +This error indicates that the SAML metadata for your Identity Provider do not contain a `` endpoint with binding of +HTTP-Redirect (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect). {es} supports only the `HTTP-Redirect` binding for SAML authentication +requests (and it doesn't support the `HTTP-POST` binding). Consult your IdP administrator in order to enable at least one +`` supporting `HTTP-Redirect` binding and update your IdP SAML Metadata. +-- + . *Symptoms:* + --