[Security Solution] - Problem using RelayState in IdP-Initiated Flow #115216

Closed
medina325 opened this issue Oct 15, 2021 · 3 comments
Labels: bug, Team:Security, triage_needed


medina325 commented Oct 15, 2021

Describe the bug:
As I described here I set up Elastic/Kibana Relying Party (RP) as a SAML Service Provider (SP) and a custom SAML Identity Provider (IdP). Both IdP and SP flows work fine, however I need to redirect the user to specific dashboards in Kibana, from my IdP.
By reading this and this I thought I could do that just by adding a RelayState to my "IdP initiated SAML Response" with the appropriate deeplink to one of my Kibana's dashboards.
What I get instead is Kibana making a GET request to its ACS URL and appending the RelayState's deeplink at the end, after my IdP gets redirected to {kibana_url}/api/security/saml/call.

Kibana/Elasticsearch Stack version:
7.15

Server OS version:
Windows 10

Browser and Browser OS versions:
Firefox, Edge, Chrome

Elastic Endpoint version:
I don't know.

Original install method (e.g. download page, yum, from source, etc.):
Download page.

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
I don't know.

Steps to reproduce:

  1. Set up Elastic and Kibana Relying Party as SAML Service Provider (don't forget to set xpack.security.authc.providers.saml.<provider_name>.useRelayStateDeepLink to true)
  2. Set up a custom IdP that supports the use of the RelayState parameter (I used this package since my IdP is a Laravel app).
  3. Initiate an IdP initiated flow passing the RelayState parameter with the SAML Response.

Current behavior:
After IdP initiated flow with RelayState, Kibana tries to make a GET request to its ACS URL with RelayState's deeplink appended to it.

Expected behavior:
Kibana redirects to deeplink.

Screenshots (if relevant):
[image]

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context (logs, chat logs, magical formulas, etc.):
I'm quite new to SAML, did I understand the purpose of RelayState wrong? This is the definition I read:
[image]

Any help will be highly appreciated

medina325 added the bug, Team: SecuritySolution and triage_needed labels Oct 15, 2021
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

MadameSheema added the Team:Security label and removed the Team: SecuritySolution label Oct 20, 2021
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@medina325
Author

The problem was solved here
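
An added example, not part of the original issue and not Kibana's own code: a sketch of how a SAML service provider can turn the RelayState field of an IdP-initiated POST into a redirect target while accepting only server-relative deep links. The function names, the origin and the dashboard path are constructed for illustration.

```javascript
// Hypothetical SP-side helpers; all names and sample values are constructed.
const SP_ORIGIN = 'https://kibana.example'; // placeholder origin of the SP
const DEFAULT_TARGET = '/';                 // landing page when RelayState is unusable

// Returns a same-origin path to redirect to, or DEFAULT_TARGET.
function resolveRelayStateTarget(relayState, spOrigin = SP_ORIGIN) {
  if (typeof relayState !== 'string' || relayState.length === 0) return DEFAULT_TARGET;
  // Browsers and server-side parsers disagree on control characters and
  // backslashes ("/\host" can be read as "//host"), so refuse them outright.
  if (/[\u0000-\u001f\u007f\\]/.test(relayState)) return DEFAULT_TARGET;
  // A deep link must be server-relative: exactly one leading slash.
  // This rejects absolute URLs, "//host/..." and path-relative values.
  if (!relayState.startsWith('/') || relayState.startsWith('//')) return DEFAULT_TARGET;
  let url;
  try {
    url = new URL(relayState, spOrigin);
  } catch {
    return DEFAULT_TARGET;
  }
  // Defence in depth: the resolved URL must still belong to the SP.
  if (url.origin !== new URL(spOrigin).origin) return DEFAULT_TARGET;
  return url.pathname + url.search + url.hash;
}

// The IdP-initiated flow delivers SAMLResponse and RelayState as
// form-encoded fields in the POST body sent to the ACS endpoint.
function targetFromAcsPost(formBody, spOrigin = SP_ORIGIN) {
  const fields = new URLSearchParams(formBody);
  if (!fields.get('SAMLResponse')) throw new Error('missing SAMLResponse');
  // The SAML response itself must be validated before any redirect;
  // that step is outside the scope of this sketch.
  return resolveRelayStateTarget(fields.get('RelayState'), spOrigin);
}

// Constructed sample body: the RelayState is a URL-encoded relative deep link.
const SAMPLE_ACS_BODY =
  'SAMLResponse=PHNhbWw%2B&RelayState=%2Fapp%2Fdashboards%23%2Fview%2Fexample-dashboard-id';

console.log(targetFromAcsPost(SAMPLE_ACS_BODY));
```

The IdP should send the deep link as a path beginning with a single `/`; anything else falls back to the default landing page instead of being followed.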
