Sign outgoing SAML messages
If configured, Elastic Stack will sign outgoing SAML messages.
As a prerequisite, you need to generate a signing key and a self-signed
certificate. You need to share this certificate with your SAML Identity Provider
so that it can verify the received messages. The key needs to be unencrypted.
The exact procedure is system dependent; for example, with openssl:
openssl req -new -x509 -days 3650 -nodes -sha256 -out saml-sign.crt -keyout saml-sign.key
Place the files under the saml folder and add them to the existing SAML bundle, or create a new one.
In our example, the certificate and the key will be located in the path /app/config/saml/saml-sign.{crt,key}:
$ tree .
.
└── saml
    ├── saml-sign.crt
    └── saml-sign.key
Make sure that the bundle is included with your deployment.
Adjust your realm configuration accordingly, pointing it at the two uploaded files:
- The signing certificate setting: the path to the SAML signing certificate that was uploaded (/app/config/saml/saml-sign.crt in this example).
- The signing key setting: the path to the SAML signing key that was uploaded (/app/config/saml/saml-sign.key in this example).
When configured with a signing key and certificate, Elastic Stack will sign
all outgoing messages (SAML Authentication Requests, SAML Logout Requests,
SAML Logout Responses) by default. This behavior can be altered by configuring
signing.saml_messages with a comma separated list of the messages to sign.
Supported values are AuthnRequest, LogoutRequest and LogoutResponse; the
default value is *.
For example:
xpack:
  security:
    authc:
      realms:
        saml-realm-name:
          order: 2
          ...
          signing.saml_messages: AuthnRequest
          ...
With this configuration only SAML authentication requests are signed before they are sent to the Identity Provider; logout requests and logout responses go out unsigned, so the IdP must not be configured to require signatures on them.
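The whole procedure above as one script: generate the pair with the page's openssl command, lay it out under saml/, and run the two pre-flight checks a practitioner wants before uploading the bundle, namely that the key really is unencrypted and that the certificate handed to the IdP belongs to that key. This is an added example, not code from the Elastic documentation or an Elastic tool; the bundle directory argument, the certificate subject elastic-saml-signing and the function names are assumptions, while the file names mirror the page's /app/config/saml/saml-sign.{crt,key} layout.

```shell
#!/bin/sh
# Added example, not Elastic's code: generate the SAML signing key pair the way
# the page describes and run the pre-flight checks worth doing before the
# bundle is uploaded:
#   1. the private key loads without a passphrase (Elasticsearch needs it unencrypted);
#   2. the certificate's public key matches the private key;
#   3. both files sit under saml/ with the names the realm settings will reference.
# The bundle directory argument and the certificate subject are assumptions.
set -eu

# Create BUNDLE_DIR/saml/saml-sign.{crt,key}. Same openssl command as the page,
# plus -subj so it does not prompt for distinguished-name fields.
# Usage: generate_saml_signing_pair BUNDLE_DIR
generate_saml_signing_pair() {
  dir="$1/saml"
  mkdir -p "$dir"
  openssl req -new -x509 -days 3650 -nodes -sha256 \
    -subj "/CN=elastic-saml-signing" \
    -out "$dir/saml-sign.crt" -keyout "$dir/saml-sign.key" 2>/dev/null
}

# Succeeds only if the PEM private key can be parsed without a passphrase.
# "-passin pass:" supplies an empty passphrase, so an encrypted key fails
# here instead of hanging on a prompt.
# Usage: key_is_unencrypted KEY_FILE
key_is_unencrypted() {
  openssl pkey -in "$1" -noout -passin pass: 2>/dev/null
}

# Succeeds only if the certificate's SubjectPublicKeyInfo equals the public
# half of the private key, i.e. the IdP will be able to verify what
# Elasticsearch signs with this key.
# Usage: cert_matches_key CERT_FILE KEY_FILE
cert_matches_key() {
  crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Run every check against a bundle directory laid out as the page shows.
# Returns non-zero with a reason on stderr if any check fails.
# Usage: check_saml_bundle BUNDLE_DIR
check_saml_bundle() {
  crt="$1/saml/saml-sign.crt"
  key="$1/saml/saml-sign.key"
  [ -f "$crt" ] || { echo "missing $crt" >&2; return 1; }
  [ -f "$key" ] || { echo "missing $key" >&2; return 1; }
  key_is_unencrypted "$key" \
    || { echo "$key is passphrase-protected; regenerate with -nodes" >&2; return 1; }
  cert_matches_key "$crt" "$key" \
    || { echo "$crt does not match $key" >&2; return 1; }
  echo "saml bundle in $1 is ready to upload"
}
```

Run it as `generate_saml_signing_pair /path/to/bundle && check_saml_bundle /path/to/bundle`; the certificate it produces is the file to share with the IdP, and the check catches the two mistakes that otherwise only show up as realm start-up or signature-verification failures on the IdP side.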
Optional settings
The following optional realm settings are supported:
- force_authn: Specifies whether to set the ForceAuthn attribute when requesting that the IdP authenticate the current user. If set to true, the IdP is required to verify the user's identity, irrespective of any existing sessions they might have. Defaults to false.
- idp.use_single_logout: Indicates whether to utilise the Identity Provider's <SingleLogoutService> (if one exists in the IdP metadata file). Defaults to true.
After completing these steps, you can log in to Kibana by authenticating against your SAML IdP. If you encounter any issues with the configuration, refer to the SAML troubleshooting page which contains information about common issues and suggestions for their resolution.