-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SAML redirect and Kibana's hash based routing #18392
Comments
Original comment by @toddferg: Just attempted duplicating the problem. I was able to duplicate it on 6.2.3. If I am already authenticated to Kibana/okta I am transferred in just fine. |
Original comment by @azasypkin:
User should be brought not to default application, but to the application that initiated SAML handshake ( URL fragment is a different story as server doesn't have access to it, so HTTP/1.1 7.1.2 instructs browsers to preserve URL fragment if it's not overridden in the For unathenticated users (without active IdP session) URL fragment is lost at the IdP login page as it uses FORM POST to redirect user back to Kibana and obviously doesn't preserve URL fragment. Some old custom IdPs used to extract URL fragments with the help of JavaScript and used it in login form The best solution is to get rid of fragment-based URLs in Kibana. It's a huge breaking change that we should do eventually though. But for now I can only think of custom "mediator" client side page:
Note: SAML redirect URL is constructed by ES so it would be reasonable for ES to include |
Pinging @elastic/kibana-security |
Re-evaluating what I wrote in #18392 (comment) and other possible options.... |
I gave this problem some thought today and I think it's better to split the solution for it into two parts: 1. capturing full URL to redirect user to after successful SAML handshake Capturing URLCurrently when unauthenticated user navigates to Kibana and we want to start a SAML handshake we grab current URL path, store it in the cookie and redirect user to the IdP. The problem is that fragment (#) part of the URL is never passed to the server and I see two way to solve this: 1. Get rid of fragment-based URLs in Kibana and switch to "normal" URLs (#6219) Pros:
Cons:
2. Introduce a client side "SAML Step 1" page that unauthenticated user will be redirected to as an initial step of the SAML handshake. At this page we'll extract URL path and fragment, URL-encode it and send as a query string parameter to a "SAML Step 2" endpoint that will store this full URL and only then redirect user to the IdP. Pros:
Cons:
Storing and retrieving URLCurrently we store URL path in the cookie so that we can easily retrieve it once user is redirected back to Kibana with SAML response. It works reasonably well since the URL path is usually short (e.g. 1. Store URL + fragment in the cookie, cross the fingers and hope for the best. We can approximately estimate the size of the encrypted cookie and fall back to the old behavior if its size is near the limit. Pros:
Cons:
2. Store URL + fragment in the Pros:
Cons:
3. Store URL + fragment in a Saved Object (short URL?) that will be deleted as soon as we get SAML response back. But for not finished login attempts (user started SAML handshake, but then changed their mind) we have to somehow automatically clean up these Saved Objects. One idea was to leverage Task Manager for that with something like Pros:
Cons:
Summary: if there is a real need to fix this issue now, I'd probably go with option 2 in Capturing URL and option 3 (or option 2 at least) in Storing and retrieving URL part with any further refinements we may need. I may be missing some other options/pros/cons/complexities, please speak up if you have any ideas! |
With regard to Capturing the URL, option 2 seems reasonable given the time-frame that it'll take for us to move away from hash based routing... With regard to Storing the URL, is there potential to capture the full URL in the browser's session storage since we'll already have a "page" to do so if we go with option 2 and then use that when the user is redirected back to Kibana? |
Well, I was considering The reasons I had in mind are:
Based on the 4.1.2.5 5.Identity Provider issues to Service Provider IdP is supposed to return In addition to that we'll need to change SAML authentication provider a bit so that it doesn't redirect to "SAML Step 3" if it's IdP initiated login, not a big deal though. |
@azasypkin thanks for the additional explanation! I'm not as concerned about someone maliciously being able to modify the session storage, because if an attacker has that level of control to your computer there's a larger issue. It'd be similar to someone changing the "next" query-string parameter in the login page. However, I'm in agreement with you on your other concerns. The following focuses solely on the "store and retrieve URL" options. Option 2 seems super easy from the Kibana side, but it feels like we're pushing the complexity to ES, so perhaps overall it isn't easier. Option 3 seems like we're almost building "stateful server sessions" in Kibana, just for a very limited use-case. I'm not entirely opposed to this, and I have a fear that at some point we're going to end up needing it, we've just gotten away with doing so thus far. |
It shouldn't be super hard for ES since
I'm with you on this. Wouldn't want to do that unless we don't have other choice. |
Are you aware of a popular IdP which doesn't support RelayState? Based on some extremely simplistic searching, It looks like Auth0, Okta, and ADFS support it. |
I'm not, @jkakavas do you know any off-hand? |
No. none that I'm aware of. I just raised it as something we should check out before deciding the approach to take. If Okta, Auth0, ADFS supports it ( and I I know Shibboleth does too ) then we got the largest part of the IDPs covered eitherway. If a custom, seldomly seen IDP doesn't support it, it would be easier to push back. It won't be hard to support the RelayState handling in the |
@tvernum brought up a good point that per SAML spec |
Original comment by @kobelb:
After logging in via SAML, @toddferg reported that one of his customers was brought to the default application within Kibana and we aren't preserving the original URL that the user tried to visit before being prompted to login.
@azasypkin is this a limitation that we're stuck with until we switch Kibana's routing to no longer be hash-based, or is there a potential solution?
The text was updated successfully, but these errors were encountered: