opendistro-for-elasticsearch / security

Apache License 2.0

SAML issue on logout (with Signing Request) #1

Open dariommr opened 3 years ago

dariommr commented 3 years ago

Description

An issue is presented when logging out from OpenDistro when using Single Log Out with certificates. Error in the logout: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}

Versions Tested:

Steps to Reproduce

  1. Install Elasticsearch-oss and Kibana-oss
  2. Install all the modules of OpenDistro Plugin for Elastic and Kibana
  3. Configure the Plugins and the IDP Provider. I went through the Request signing documentation and configured this with PingID.

Configuration config.yml

sp:
  entity_id: saml
  forceAuthn: true
  signature_private_key_filepath: '/etc/elasticsearch/certs/elasticsearch.key'

On the Identity Provider side, I configured this SLO: https://<kibana_ip>/auth/logout and provided the .pem certificate. In the kibana.yml file I’ve configured this:

opendistro_security.auth.type: "saml"
server.xsrf.whitelist: ["/_opendistro/_security/saml/acs/idpinitiated", "/_opendistro/_security/saml/acs", "/_opendistro/_security/saml/logout", "/auth/logout"]

PingID SAML Settings

Expected behavior

After the configuration, the user will attempt to log out and should be redirected either to the logout page (of the SSO provider) or the login page (depending on the configuration).

I hope all of this could be helpful to solve the issue.
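The "Request signing" setup described in the report (sp.signature_private_key_filepath on the SP side, the matching .pem certificate uploaded to the IdP) makes the SP send a signed LogoutRequest over the SAML HTTP-Redirect binding. The Go program below is an added illustration, not code from OpenDistro or from the reporter, and shows both halves of that exchange: the SP builds a LogoutRequest, DEFLATE+base64 encodes it, signs the URL-encoded SAMLRequest/RelayState/SigAlg string with RSA-SHA256 and appends Signature; the IdP rebuilds exactly that string from the raw query and verifies it with the certificate's public key. The key is generated in-process instead of being read from signature_private_key_filepath, and the IdP SLO URL, NameID and RelayState are constructed placeholders; sp.entity_id "saml" is taken from the config above.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// SigAlg URI carried next to the signature in the HTTP-Redirect binding.
const rsaSHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// generateSPKey stands in for the key at sp.signature_private_key_filepath.
func generateSPKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// logoutRequestXML builds a minimal SAML 2.0 LogoutRequest; issuer is the SP
// entity ID (sp.entity_id), destination the IdP SLO endpoint. Inputs assumed XML-safe.
func logoutRequestXML(id, issuer, nameID, destination string) string {
	return fmt.Sprintf(`<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"`+
		` xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="%s" Version="2.0"`+
		` IssueInstant="%s" Destination="%s"><saml:Issuer>%s</saml:Issuer>`+
		`<saml:NameID>%s</saml:NameID></samlp:LogoutRequest>`,
		id, time.Now().UTC().Format(time.RFC3339), destination, issuer, nameID)
}

// deflateBase64 is the HTTP-Redirect binding encoding: raw DEFLATE, then base64.
func deflateBase64(s string) (string, error) {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.BestCompression) // constant level, cannot fail
	if _, err := w.Write([]byte(s)); err != nil {
		return "", err
	}
	if err := w.Close(); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(buf.Bytes()), nil
}

// signedString is the exact byte string the signature covers (SAML Bindings 3.4.4.1):
// URL-encoded values in the fixed order SAMLRequest, RelayState (only if non-empty), SigAlg.
func signedString(req, relay, alg string) string {
	s := "SAMLRequest=" + req
	if relay != "" {
		s += "&RelayState=" + relay
	}
	return s + "&SigAlg=" + alg
}

// signedQuery is the SP side: sign the encoded request and append Signature=.
func signedQuery(key *rsa.PrivateKey, encodedReq, relayState string) (string, error) {
	toSign := signedString(url.QueryEscape(encodedReq), url.QueryEscape(relayState), url.QueryEscape(rsaSHA256))
	digest := sha256.Sum256([]byte(toSign))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return toSign + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// verifyQuery is the IdP side: with the public key from the .pem certificate uploaded
// to the IdP, rebuild the signed string from the raw (still URL-encoded) parameter
// values as received and check the signature. Decoding and re-encoding first breaks it.
func verifyQuery(pub *rsa.PublicKey, query string) error {
	raw := map[string]string{}
	for _, p := range strings.Split(query, "&") {
		if kv := strings.SplitN(p, "=", 2); len(kv) == 2 {
			raw[kv[0]] = kv[1]
		}
	}
	if alg, err := url.QueryUnescape(raw["SigAlg"]); err != nil || alg != rsaSHA256 {
		return fmt.Errorf("unsupported SigAlg %q", raw["SigAlg"])
	}
	sigStr, err := url.QueryUnescape(raw["Signature"])
	if err != nil {
		return err
	}
	sig, err := base64.StdEncoding.DecodeString(sigStr)
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(signedString(raw["SAMLRequest"], raw["RelayState"], raw["SigAlg"])))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	key, err := generateSPKey(2048)
	if err != nil {
		panic(err)
	}
	// Constructed values: the IdP SLO URL, NameID and RelayState are assumptions.
	enc, _ := deflateBase64(logoutRequestXML("_b1a4e3", "saml", "alice", "https://idp.example.com/idp/SLO.saml2"))
	q, _ := signedQuery(key, enc, "https://kibana.example.com/")
	fmt.Printf("GET https://idp.example.com/idp/SLO.saml2?%s\nIdP verification: %v\n", q, verifyQuery(&key.PublicKey, q))
}
```

Run it with `go run`; the printed URL is the redirect the browser would follow to the IdP. The verifier rejects a signature made under any other key and any edit to SAMLRequest or RelayState, which is the check a private key that does not match the certificate given to the IdP would fail. It models the IdP-side signature check only, not the Kibana-side 401 reported above.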

dariommr commented 3 years ago

On versions prior to 1.12, the issue is not present. You can check this question in your forums: https://discuss.opendistrocommunity.dev/t/saml-issue-on-logout/5617

peterzhuamazon commented 3 years ago

Hi @dariommr, since this is related to security, I will transfer you to their repo issues. Thanks.

dariommr commented 3 years ago

Hello Team, Any update on this?