honeymoose
/
OpenSearch
mirror of https://github.com/honeymoose/OpenSearch.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add sections in SAML Troubleshooting (#47964) (#48387) 

- Section about the case where the `principal` user property can't
be mapped.
- Section about when the IdP SAML metadata do not contain a
SingleSignOnService that supports HTTP-Redirect binding.

Co-Authored-By: Lisa Cawley <lcawley@elastic.co>
Co-Authored-By: Tim Vernum <tim@adjective.org>
This commit is contained in:
Ioannis Kakavas 2019-10-23 17:24:04 +03:00 committed by GitHub
parent 834f2b4546
commit cece5f24f7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 52 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
x-pack/docs/en/security/authentication/saml-guide.asciidoc
View File

@ -240,6 +240,7 @@ The recommended steps for configuring these SAML attributes are as follows:
in your IdP. In the example above, we have configured the `principal` and in your IdP. In the example above, we have configured the `principal` and
`groups` attributes. `groups` attributes.
[[saml-attribute-mapping-nameid]]
===== Special attribute names ===== Special attribute names
In general, {es} expects that the configured value for an attribute will be a In general, {es} expects that the configured value for an attribute will be a

51
x-pack/docs/en/security/troubleshooting.asciidoc
View File

@ -535,6 +535,57 @@ placeholder is used instead. To diagnose the _actual_ problem, you must check
the {es} logs for further details. the {es} logs for further details.
-- --
. *Symptoms:*
+
--
Authentication in {kib} fails and the following error is printed in the {es}
logs:
....
Authentication to realm <saml-realm-name> failed - SAML Attribute [<AttributeName0>] for
[xpack.security.authc.realms.saml.<saml-realm-name>.attributes.principal] not found in saml attributes
[<AttributeName1>=<AttributeValue1>, <AttributeName2>=<AttributeValue2>, ...] or NameID [ NameID(format)=value ]
....
*Resolution:*
This error indicates that {es} failed to find the necessary SAML attribute in the SAML response that the
Identity Provider sent. In this example, {es} is configured as follows:
....
xpack.security.authc.realms.saml.<saml-realm-name>.attributes.principal: AttributeName0
....
This configuration means that {es} expects to find a SAML Attribute with the name `AttributeName0` or a `NameID` with the appropriate format in the SAML
response so that <<saml-attribute-mapping,it can map it>> to the `principal` user property. The `principal` user property is a
mandatory one, so if this mapping can't happen, the authentication fails.
If you are attempting to map a `NameID`, make sure that the expected `NameID` format matches the one that is sent.
See <<saml-attribute-mapping-nameid>> for more details.
If you are attempting to map a SAML attribute and it is not part of the list in the error message, it might mean
that you have misspelled the attribute name, or that the IdP is not sending this particular attribute. You might
be able to use another attribute from the list to map to `principal` or consult with your IdP administrator to
determine if the required attribute can be sent.
--
. *Symptoms:*
+
--
Authentication in {kib} fails and the following error is printed in the {es}
logs:
....
Cannot find [{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor]/[urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect] in descriptor
....
*Resolution:*
This error indicates that the SAML metadata for your Identity Provider do not contain a `<SingleSignOnService>` endpoint with binding of
HTTP-Redirect (urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect). {es} supports only the `HTTP-Redirect` binding for SAML authentication
requests (and it doesn't support the `HTTP-POST` binding). Consult your IdP administrator in order to enable at least one
`<SingleSignOnService>` supporting `HTTP-Redirect` binding and update your IdP SAML Metadata.
--
. *Symptoms:* . *Symptoms:*
+ +
-- --