Integrate FusionAuth with Elastic Cloud
- 
 Hi Everyone, I am trying to integrate FusionAuth (v1.23.2) as Identity Provider to my Elastic Cloud (v7.10.2). I configured the Application (SAML) on the FusionAuth side and added some config changes to my Elastic Cloud (creating a realm with the name saml1):

 elasticsearch.yaml

    xpack:
      security:
        authc:
          realms:
            saml:
              saml1:
                attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                attributes.groups: "roles"
                idp.entity_id: "xxx"
                idp.metadata.path: "xxx"
                order: 2
                sp.acs: "xxx/api/security/v1/saml"
                sp.entity_id: "xxx/"
                sp.logout: "xxx/logout"

 kibana.yaml

    xpack.security.authc.providers:
      saml.saml1:
        order: 0
        realm: saml1
        description: "Log in with SAML"
      basic.basic1:
        order: 1

 The login via SAML failed and gave me this error on the Kibana side:

    {"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [<unauthenticated-saml-user>] for action [cluster:admin/xpack/security/saml/authenticate], with { header={ WWW-Authenticate={ 0=\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\" & 1=\"Bearer realm=\\\"security\\\"\" & 2=\"ApiKey\" } } }"}

 And I'm finding this error on the FusionAuth side related to the NameID:

    The SAML AuthnRequest was invalid and/or did not pass validation. The error code is [InvalidNameIDPolicy] and the error message is [The AuthnRequest contained an invalid NameId policy. FusionAuth only supports the [urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress] or [urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified] policy]

 Is there anyone facing the same problem? 
- 
 What NameIdPolicy options does Kibana support?
- 
 @robotdan said in Integrate FusionAuth with Elastic Cloud: NameIdPolicy. Referring to this documentation https://www.elastic.co/guide/en/elasticsearch/reference/master/saml-guide-authentication.html#saml-attribute-mapping, it only mentions nameid, nameid:persistent and friendlyName. 
- 
 Likely the same issue as described here https://github.com/FusionAuth/fusionauth-issues/issues/522 
- 
 Got it. So, currently it only supports urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress from the FusionAuth side, right?
- 
 I believe that is correct. https://github.com/FusionAuth/fusionauth-issues/issues/522#issuecomment-685851566 @dan do we have this limitation documented anywhere that you know of? @vexana you can add a comment to that issue if you want to mention it also impacts integration with Elasticsearch SAML authentication. If Elasticsearch supports OpenID Connect, that may be an option for you. 
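 A quick way to confirm this limitation on your own side is to inspect the NameIDPolicy that the service provider (here Kibana) actually sends before the IdP rejects it. The following is an added example written for this thread, not code from FusionAuth or Elastic: it decodes a SAMLRequest parameter from an HTTP-Redirect binding URL (base64 over raw DEFLATE), pulls the Format attribute out of the samlp:NameIDPolicy element, and compares it against the two formats named in the FusionAuth error message quoted above. The sample AuthnRequests are constructed, and the helper and constant names are my own; it uses only the Python standard library.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# The two NameID formats listed in FusionAuth's InvalidNameIDPolicy error
# message (taken from the message quoted in this thread).
FUSIONAUTH_SUPPORTED_FORMATS = frozenset({
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
})


def decode_redirect_saml_request(param: str) -> str:
    """Decode an already URL-unquoted SAMLRequest value from a Redirect
    binding URL: base64 -> raw DEFLATE (no zlib header) -> XML text."""
    raw = base64.b64decode(param)
    return zlib.decompress(raw, -15).decode("utf-8")


def encode_redirect_saml_request(xml_text: str) -> str:
    """Inverse of decode_redirect_saml_request; used here only to build
    constructed sample input the way an SP would encode it."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def nameid_policy_format(authn_request_xml: str):
    """Return the Format attribute of samlp:NameIDPolicy, or None when the
    AuthnRequest carries no NameIDPolicy element or no Format."""
    # Only feed this your own SP's request (captured from its logs or the
    # redirect URL); ElementTree is not a hardened parser for hostile XML.
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"expected samlp:AuthnRequest, got {root.tag}")
    policy = root.find(f"{{{SAMLP_NS}}}NameIDPolicy")
    return None if policy is None else policy.get("Format")


def check_nameid_policy(authn_request_xml: str) -> dict:
    """Report the requested format and whether FusionAuth's error message
    lists it as supported. 'accepted' is None when no Format is requested,
    since the quoted message says nothing about that case."""
    fmt = nameid_policy_format(authn_request_xml)
    accepted = None if fmt is None else fmt in FUSIONAUTH_SUPPORTED_FORMATS
    return {"format": fmt, "accepted": accepted}


def _sample_request(policy_element: str) -> str:
    # Constructed AuthnRequest skeleton; the hostname is a placeholder.
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        'ID="_constructed1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z" '
        'AssertionConsumerServiceURL="https://sp.example.invalid/api/security/v1/saml">'
        "<saml:Issuer>https://sp.example.invalid/</saml:Issuer>"
        f"{policy_element}"
        "</samlp:AuthnRequest>"
    )


# Constructed samples: a persistent-format request (the kind that trips the
# error), an emailAddress request, and one with no NameIDPolicy at all.
PERSISTENT_REQUEST = _sample_request(
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" AllowCreate="true"/>'
)
EMAIL_REQUEST = _sample_request(
    '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>'
)
NO_POLICY_REQUEST = _sample_request("")


if __name__ == "__main__":
    # Round-trip one sample through the Redirect-binding encoding, as if it
    # had been copied out of a SAMLRequest query parameter.
    encoded = encode_redirect_saml_request(PERSISTENT_REQUEST)
    print(check_nameid_policy(decode_redirect_saml_request(encoded)))
    print(check_nameid_policy(EMAIL_REQUEST))
    print(check_nameid_policy(NO_POLICY_REQUEST))
```

 If the reported format is anything other than the two in FUSIONAUTH_SUPPORTED_FORMATS, the InvalidNameIDPolicy rejection is expected and the fix has to happen on whichever side can change the requested format, which is what the linked issue tracks.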
- 
 @robotdan no, we don't. I'll document that in the https://fusionauth.io/docs/v1/tech/reference/limitations/ section. 
- 
 Looks like you can also integrate to elastic cloud using OIDC: https://discuss.elastic.co/t/elastic-cloud-integration-with-fusionauth/263323 
- 
 @dan Yep, I am the same person asking about that. I am asking on the Elastic forum about the OIDC. Currently, I'm still having a problem integrating it. (I'll update here as well if I find the solution.) 
- 
 @vexana It seems like you succeeded based on the last post. Is that the case? 
- 
 @vexana succeeded, but had another question, so I forked the topic: https://fusionauth.io/community/forum/topic/811/mapping-fusionauth-roles-to-elasticsearch 

