Fixes list continuation issues #293

Merged
merged 1 commit into from
Apr 12, 2019
16 changes: 7 additions & 9 deletions docs/en/stack/security/troubleshooting.asciidoc
Expand Up @@ -444,52 +444,50 @@ Assertion Consumer Service URL of the SAML Service Provider is.
.. {kib} constructs this value using the `server.host` and `server.port` in
`kibana.yml`. For instance:
+
--
[source, shell]
-----------------------------------------------
server.host: kibanaserver.org
server.port: 3456
-----------------------------------------------

+
These settings would mean that {kib} would construct the Assertion Consumer
Service URL as `https://kibanaserver.org:3456/api/secuirity/v1/saml`. However,
if for example, {kib} is behind a reverse proxy and you have configured the
following `xpack.security.public.*` settings:

+
[source, shell]
-----------------------------------------------
xpack.security.public:
protocol: https
hostname: kibana.proxy.com
port: 8080
-----------------------------------------------

+
These settings would instruct {kib} to construct the Assertion Consumer Service
URL as `https://kibana.proxy.com:8080/api/secuirity/v1/saml`
--

.. The SAML Identity Provider is either explicitly configured by the IdP
administrator or consumes the SAML metadata that are generated by {es} and as
such contain the same value for the Assertion Consumer Service URL as the one
that is configured in the the `sp.acs` setting in the {es} SAML realm
configuration.

--
+
The error encountered here indicates that the Assertion Consumer Service URL
that {kib} has constructed via one of the aforementioned ways
(`https://my.kibana.url/api/security/v1/saml`) is not the one that {es} is
configured with. Note that these two URLs are compared as case-sensitive strings
and not as canonicalized URLs.

+
Often, this can be resolved by changing the `sp.acs` URL in `elasticearch.yml`
to match the value that {kib} has constructed. Note however, that the SAML IdP
configuration needs to also be adjusted to reflect this change.

+
Alternatively, if you think {kib} is using the wrong value for the Assertion
Consumer Service URL, you will need to change the configuration in `kibana.yml`
by adjusting either the `server.host` and `server.port` to change the URL {kib}
listens to or the `xpack.security.public.*` settings to make {kib} aware about
its correct public URL.
--

. *Symptoms:*
+
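Review bot: Both example Assertion Consumer Service URLs in this hunk are spelled `/api/secuirity/v1/saml` (the `kibanaserver.org:3456` and `kibana.proxy.com:8080` examples), while the later paragraph uses `/api/security/v1/saml`. Since the text says the two URLs are compared as case-sensitive strings and not as canonicalized URLs, a reader who copies the example into `sp.acs` would recreate the mismatch this section troubleshoots, so please correct both to `security` while these lines are being touched. In the same pass, `elasticearch.yml` should read `elasticsearch.yml`, "the the `sp.acs` setting" has a doubled word, the sentence ending in `https://kibana.proxy.com:8080/...` lacks a closing period, and the two `kibana.yml` snippets are YAML but tagged `[source, shell]`.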