diff --git a/docs/en/stack/security/troubleshooting.asciidoc b/docs/en/stack/security/troubleshooting.asciidoc index 53d0bd5c4..c7472fb23 100644 --- a/docs/en/stack/security/troubleshooting.asciidoc +++ b/docs/en/stack/security/troubleshooting.asciidoc @@ -443,18 +443,17 @@ Assertion Consumer Service URL of the SAML Service Provider is. .. {kib} constructs this value using the `server.host` and `server.port` in `kibana.yml`. For instance: + --- [source, shell] ----------------------------------------------- server.host: kibanaserver.org server.port: 3456 ----------------------------------------------- - ++ These settings would mean that {kib} would construct the Assertion Consumer Service URL as `https://kibanaserver.org:3456/api/secuirity/v1/saml`. However, if for example, {kib} is behind a reverse proxy and you have configured the following `xpack.security.public.*` settings: - ++ [source, shell] ----------------------------------------------- xpack.security.public: 
@@ -462,33 +461,32 @@ xpack.security.public: hostname: kibana.proxy.com port: 8080 ----------------------------------------------- - ++ These settings would instruct {kib} to construct the Assertion Consumer Service URL as `https://kibana.proxy.com:8080/api/secuirity/v1/saml` --- .. The SAML Identity Provider is either explicitly configured by the IdP administrator or consumes the SAML metadata that are generated by {es} and as such contain the same value for the Assertion Consumer Service URL as the one that is configured in the the `sp.acs` setting in the {es} SAML realm configuration. - +-- ++ The error encountered here indicates that the Assertion Consumer Service URL that {kib} has constructed via one of the aforementioned ways (`https://my.kibana.url/api/security/v1/saml`) is not the one that {es} is configured with. Note that these two URLs are compared as case-sensitive strings and not as canonicalized URLs. - ++ Often, this can be resolved by changing the `sp.acs` URL in `elasticearch.yml` to match the value that {kib} has constructed. Note however, that the SAML IdP configuration needs to also be adjusted to reflect this change. - ++ Alternatively, if you think {kib} is using the wrong value for the Assertion Consumer Service URL, you will need to change the configuration in `kibana.yml` by adjusting either the `server.host` and `server.port` to change the URL {kib} listens to or the `xpack.security.public.*` settings to make {kib} aware about its correct public URL. --- . *Symptoms:* +
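Review bot: The example URL in the first hunk (`@@ -443,18 +443,17 @@`) is misspelled in an unchanged context line: `https://kibanaserver.org:3456/api/secuirity/v1/saml` should use `/api/security/v1/saml`, the path the later text uses for `https://my.kibana.url/api/security/v1/saml`. Since this section explains that the two URLs are compared as case-sensitive strings, a reader who copies the misspelled path into `sp.acs` will reproduce the very mismatch being diagnosed, so fix it while these lines are being touched. The `kibana.yml` snippets are also tagged `[source, shell]` although they are YAML settings; `[source, yaml]` would be the accurate tag.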
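Review bot: The `--` added after the "SAML realm configuration." paragraph in the second hunk (`@@ -462,33 +461,32 @@`) has no matching closing delimiter in the visible lines, because the `--` just before `. *Symptoms:*` is removed in the same hunk. Either keep that closing `--` or drop the new opening one and rely on the `+` continuations alone; otherwise the open block can swallow the following list item. Please render the page to confirm the nesting. The context lines here also carry typos worth fixing in the same pass: `elasticearch.yml` should be `elasticsearch.yml`, "in the the `sp.acs` setting" has a doubled "the", and the proxy example URL repeats the `/api/secuirity/v1/saml` misspelling.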