【Question title】: The SAML Request AssertionConsumerServiceURL is invalid - Auth0, SAML, Kibana
【Posted】: 2020-02-26 19:42:56
【Question description】:

I am trying to integrate SSO with Kibana and SAML. I am using Auth0. Below are my settings in the yml files.

kibana.yml
elasticsearch.hosts: ["https://localhost:9200"]
xpack.security.enabled: true
elasticsearch.ssl.certificate: D:/Piyusha/Extracted/kibana-7.4.1-windows-x86_64/config/certs/client.cer
elasticsearch.ssl.key: D:/Piyusha/Extracted/kibana-7.4.1-windows-x86_64/config/certs/client.key
elasticsearch.ssl.certificateAuthorities: D:/Piyusha/Extracted/kibana-7.4.1-windows-x86_64/config/certs/client-ca.cer
elasticsearch.ssl.verificationMode: certificate

xpack.security.authc.providers: [saml]
xpack.security.authc.saml.realm: saml1
server.xsrf.whitelist: [/api/security/v1/saml]

elasticsearch.yml

xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.client_authentication: optional

xpack.security.authc.realms.pki.pki1.order: 0

xpack.security.authc.token.enabled: true
xpack.security.authc.realms.saml.saml1:
  order: 2
  idp.metadata.path: saml/dev-zl4z3q20_auth0_com-metadata.xml
  sp.entity_id:  "http://localhost:5601"
  idp.entity_id: "urn:dev-zl4z3q20.auth0.com"
  sp.acs: "http://localhost:5601/api/security/v1/saml"
  sp.logout: "http://localhost:5601/logout"
  attributes.principal: "urn:oid:0.9.2342.19200300.100.1.1"
  attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1."

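Before adding the SAML settings, everything worked fine, such as authentication. But after adding the SAML configuration, the Kibana URL redirects to an error page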

https://dev-zl4z3q20.auth0.com/samlp/brGsd0sUh18u1oremCeu58L4FxrExgxf?SAMLRequest=fVJbb9sgGP0riHfb4FtSFKfKkmWLlHVR4%2FRhLxPGuEHC4PLhLO2vn3Pp1ElVXuHcOIfJ%2FbHV6CAdKGsKTEOCkTTC1so8F3hXLoMxvp9OgLc67tis93vzKF96CR4NRAPsclPg3hlmOShghrcSmBdsO%2FuxZnFIWOest8JqjGYA0vnBam4N9K10W%2BkOSsjd47rAe%2B87FkXaCq73FjzLckIj3qkIpOid8q%2FRgUYnQ4wWQwJluD%2BnPhFhYNbyELzp9C15iUnIh6wkFLY9M7qoct%2BgJrDb03FPrZPtXPbZeJ0uj%2B7r8fnYYLRaFPh3mjUiz0iV8CRPBaWjOq5jwZPxuBqleU6qu0aMuEgHOEAvVwY8N77AMaF3ASVBQksaszhlWRzmGf2F0eb6%2Bi%2FKXFq9VVV1AQH7XpabYPNzW2L09L7OAMDXLdjZ3X0c4bYwf28eTz%2FteRJ91P23%2BMMgtFpsrFbiFc20tn%2FmTnIvC9xwDRKjpXUt97e9TyeqDpozlHnHDShpPI6mV9f%2Ff9b0Lw%3D%3D

and gives the following error

invalid_request: The SAML Request AssertionConsumerServiceURL is invalid: 'http://localhost:5601/api/security/v1/saml'
TRACKING ID: c682d69fc2f95872f203

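【Question comments】:

  • This seems to mean that the IdP's sp.acs is different from the one in kibana.yml
  • @codebrane And how do I check sp.acs in the IdP?
  • The IdP should have metadata about the SP. If the value of the ACS does not match sp.acs, you will see that error

Tags: elasticsearch kibana saml-2.0 auth0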


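【Solution 1】:

The error indicates that the ACS URL sent in the SAML request does not match what is configured in Auth0.

Verify that you have set http://localhost:5601/api/security/v1/saml as the ACS URL in the SAML addon settings of your Auth0 application.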
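
To see which ACS URL a redirect actually carries, the SAMLRequest parameter can be decoded (URL-decode, base64-decode, raw inflate) and compared with the value registered at the IdP. The following is an added example, not part of the original answer and not Kibana or Auth0 code. Assumptions: the sample request, the host idp.example.test, the CLIENT_ID placeholder and all function names are constructed for illustration, and exact string comparison stands in for whatever matching the IdP applies.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, quote, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample request; the IdP host and ID are placeholders.
SAMPLE_XML = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_constructed1" Version="2.0" IssueInstant="2020-02-26T19:00:00Z" '
    'Destination="https://idp.example.test/samlp/CLIENT_ID" '
    'AssertionConsumerServiceURL="http://localhost:5601/api/security/v1/saml">'
    '<saml:Issuer>http://localhost:5601</saml:Issuer></samlp:AuthnRequest>'
)


def encode_redirect_request(xml, sso_url):
    """Pack XML as an SP does for HTTP-Redirect: DEFLATE, base64, URL-encode."""
    deflater = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
    packed = deflater.compress(xml.encode()) + deflater.flush()
    return sso_url + "?SAMLRequest=" + quote(base64.b64encode(packed), safe="")


def decode_redirect_request(url):
    """Reverse the encoding and return the fields the IdP checks."""
    query = parse_qs(urlsplit(url).query)  # parse_qs undoes URL encoding
    packed = base64.b64decode(query["SAMLRequest"][0])
    root = ET.fromstring(zlib.decompress(packed, -15))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return {
        "acs": root.get("AssertionConsumerServiceURL"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
    }


def acs_mismatch(url, idp_acs):
    """Return None when the ACS values are identical, else a description."""
    sent = decode_redirect_request(url)["acs"]
    return None if sent == idp_acs else f"request: {sent!r}, IdP: {idp_acs!r}"


SAMPLE_URL = encode_redirect_request(
    SAMPLE_XML, "https://idp.example.test/samlp/CLIENT_ID")

if __name__ == "__main__":
    print(decode_redirect_request(SAMPLE_URL))
    print(acs_mismatch(SAMPLE_URL, "https://localhost:5601/api/security/v1/saml"))
```

Passing the redirect URL from the browser's address bar to decode_redirect_request shows the ACS and issuer the SP really sent, which can then be checked character by character (scheme, port, trailing slash) against the IdP setting.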
