Skip to content

Commit

Permalink
Fixes list continuation issues (#293)
Browse files Browse the repository at this point in the history
  • Loading branch information
lcawl committed Apr 12, 2019
1 parent 8c75286 commit 4a74cbc
Showing 1 changed file with 7 additions and 9 deletions.
16 changes: 7 additions & 9 deletions docs/en/stack/security/troubleshooting.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -444,52 +444,50 @@ Assertion Consumer Service URL of the SAML Service Provider is.
.. {kib} constructs this value using the `server.host` and `server.port` in
`kibana.yml`. For instance:
+
--
[source, shell]
-----------------------------------------------
server.host: kibanaserver.org
server.port: 3456
-----------------------------------------------

+
These settings would mean that {kib} would construct the Assertion Consumer
Service URL as `https://kibanaserver.org:3456/api/secuirity/v1/saml`. However,
if for example, {kib} is behind a reverse proxy and you have configured the
following `xpack.security.public.*` settings:

+
[source, shell]
-----------------------------------------------
xpack.security.public:
protocol: https
hostname: kibana.proxy.com
port: 8080
-----------------------------------------------

+
These settings would instruct {kib} to construct the Assertion Consumer Service
URL as `https://kibana.proxy.com:8080/api/secuirity/v1/saml`
--

.. The SAML Identity Provider is either explicitly configured by the IdP
administrator or consumes the SAML metadata that are generated by {es} and as
such contain the same value for the Assertion Consumer Service URL as the one
that is configured in the the `sp.acs` setting in the {es} SAML realm
configuration.

--
+
The error encountered here indicates that the Assertion Consumer Service URL
that {kib} has constructed via one of the aforementioned ways
(`https://my.kibana.url/api/security/v1/saml`) is not the one that {es} is
configured with. Note that these two URLs are compared as case-sensitive strings
and not as canonicalized URLs.

+
Often, this can be resolved by changing the `sp.acs` URL in `elasticearch.yml`
to match the value that {kib} has constructed. Note however, that the SAML IdP
configuration needs to also be adjusted to reflect this change.

+
Alternatively, if you think {kib} is using the wrong value for the Assertion
Consumer Service URL, you will need to change the configuration in `kibana.yml`
by adjusting either the `server.host` and `server.port` to change the URL {kib}
listens to or the `xpack.security.public.*` settings to make {kib} aware about
its correct public URL.
--

. *Symptoms:*
+
Expand Down

0 comments on commit 4a74cbc

Please sign in to comment.