
Cannot open default log in page if SAML authentication is enabled #25257

Closed
yuri-tceretian opened this issue Nov 6, 2018 · 7 comments
Labels
bug Fixes for quality problems that affect the customer experience Feature:Security/Authentication Platform Security - Authentication Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@yuri-tceretian

Kibana version: 6.4.2

Elasticsearch version: 6.4.2

Server OS version: Ubuntu 14.04 (Cloud)

Browser version: Chrome 70.0.3538.77, Safari 12.0 (14606.1.36.1.9), Opera 55.0.2994.61

Browser OS version: macOS Mojave 10.14

Original install method (e.g. download page, yum, from source, etc.): Cloud

Describe the bug:
Kibana is configured to support both authentication methods, SAML and basic:

  "xpack.security.authProviders": [
    "saml",
    "basic"
  ],

and it always redirects to the SAML IdP even if a user explicitly goes to the /login page.

Steps to reproduce:

  1. go to /login. It displays log in page.
  2. go to /. It redirects to SAML IDP
  3. go to /login. It redirects to SAML IDP

Expected behavior:
The /login should always display login page.

Any additional context:
It looks like the browser caches the login request which redirects to the IdP and then just reuses it.

@yuri-tceretian yuri-tceretian added the bug Fixes for quality problems that affect the customer experience label Nov 6, 2018
@kobelb kobelb added the Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! label Nov 6, 2018
@elasticmachine
Contributor

Pinging @elastic/kibana-security

@azasypkin azasypkin added the Feature:Security/Authentication Platform Security - Authentication label May 9, 2019
@azasypkin
Member

azasypkin commented Aug 20, 2019

Just to give more context on what's going on here:

  1. An unauthenticated user goes to Kibana.
  2. We start the SAML handshake, store the SAML request ID in the cookie and redirect the user to the IdP.
  3. When the user logs in at the IdP login page and is redirected back to Kibana, we extract the request ID from the cookie and send it to Elasticsearch together with the SAML response so that it can be sure the SAML response corresponds to the SAML request. At this stage we override that intermediate cookie with the one that contains the user's authentication information.

Whenever a user tries to access the /login page and they already have the cookie from step 2 or step 3, Kibana assumes the user is authenticated and immediately redirects them back to the default route.

The only workaround for that right now is to get rid of this cookie, either by logging out or by opening Kibana in a private tab.

To fix this we should stop relying on the presence of the cookie only and rather check whether we can get the current user with it (e.g. by calling authenticate or something like this).

@MrBones757

Hello,
In my organisation, we have encountered this issue when attempting to configure SAML auth in Elastic Cloud SaaS.

Is there any ETA on a fix for this, as having an alternate auth mechanism to Azure is a requirement in our environment for support / operations reasons.

@azasypkin
Member

Is there any ETA on a fix for this, as having an alternate auth mechanism to Azure is a requirement in our environment for support / operations reasons.

@MrBones757 No ETA yet, but it's on my short list. Don't the workarounds mentioned above work for you, or is it just that they're cumbersome (either a private tab, or going to /logout manually, or clearing cookies via browser tools)?

@MrBones757

We're rolling this tool out more broadly across the organisation to both technical and non-technical users, so a workaround in this case is fine for the more technical team/s but may not be in the other case.

As far as the workaround goes though, I can't seem to be presented with the Kibana basic auth login when SAML is enabled. Regardless of which URL I go to (/login, /logout etc.) it always redirects to SSO. Is there a particular URL that should be used for basic auth?

@azasypkin
Member

We're rolling this tool out more broadly across the organisation to both technical and non technical users - so a workaround in this case is fine for the more technical team/s but may not be in the other case.

I see. SAML/OIDC/Kerberos (any SSO basically) support in Kibana is designed to be the primary/sole authentication method for users of that Kibana instance. And we assumed that in the SSO case alternative basic auth would mostly be used by admins and more technical people in general, and hence they will be fine using the /login URL directly and SSO users won't get to this page accidentally. This implementation leaves a lot of room for improvement though; we'll handle that in #39313.

As far as the workaround goes though, I can't seem to be presented with the Kibana basic auth login when SAML is enabled. Regardless of which URL I go to (/login, /logout etc.) it always redirects to SSO. Is there a particular URL that should be used for basic auth?

I explained what happens in your case here #25257 (comment): if you have xpack.security.authc.providers: [saml, basic] (order is important) in your kibana.yml and you started the SAML handshake (used the default / route to open Kibana), you won't be able to open the basic auth login page (/login) anymore. To work around it, your steps should be:

  1. Logout (assuming you've logged in via SAML already and your IdP doesn't redirect you back to Kibana root after Single Logout)
    or
    Clear Kibana cookies via browser dev tools
    or
    Open a new browser private tab (note that the session may be shared across all open private tabs, e.g. in Firefox)
  2. Navigate to the /login route directly without hitting Kibana root (/).

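An added example, not Kibana's code and not from anyone in this thread, that models the three handshake steps and the /login check azasypkin describes in the Aug 20, 2019 comment, together with the workaround steps just listed. Everything in it is hypothetical and constructed for the demonstration: the KibanaModel class, the cookie shapes, the IdP URL, the /saml/callback path and the user names. The "validateCookieOnLogin" branch stands in for the proposed "check whether we can get the current user with the cookie" idea, not for what #53010 actually implemented.

```javascript
// Added example, not Kibana's own code. All names here are hypothetical.
const IDP_SSO_URL = "https://idp.example/sso"; // assumed IdP endpoint

class KibanaModel {
  // validateCookieOnLogin=false: pre-fix behaviour (any cookie counts as "authenticated")
  // validateCookieOnLogin=true : proposed fix (the cookie must actually authenticate)
  constructor({ validateCookieOnLogin }) {
    this.validateCookieOnLogin = validateCookieOnLogin;
    this.nextRequestId = 1;
  }

  // A "browser" is just a cookie jar: { cookie: undefined | {samlRequestId} | {username} }
  request(browser, path, body) {
    const cookie = browser.cookie;
    if (path === "/login") return this.loginRoute(cookie);
    if (path === "/saml/callback") return this.samlCallback(browser, cookie, body); // hypothetical path
    return this.defaultRoute(browser, cookie); // "/" or any app route
  }

  defaultRoute(browser, cookie) {
    if (this.authenticate(cookie)) return { status: 200, body: "app" };
    // Step 2: start the SAML handshake, remember the request ID in the session
    // cookie (the "intermediate" cookie) and send the user to the IdP.
    const samlRequestId = `req-${this.nextRequestId++}`;
    browser.cookie = { samlRequestId };
    return { status: 302, location: `${IDP_SSO_URL}?SAMLRequest=${samlRequestId}` };
  }

  samlCallback(browser, cookie, samlResponse) {
    // Step 3: the request ID from the intermediate cookie is checked against the
    // SAML response (stand-in for Elasticsearch verifying InResponseTo), so a
    // response that does not belong to a request this browser started is refused.
    if (!cookie || cookie.samlRequestId !== samlResponse.inResponseTo) {
      return { status: 401, body: "SAML response does not match an outstanding request" };
    }
    // The intermediate cookie is replaced with the authenticated-session cookie.
    browser.cookie = { username: samlResponse.nameId };
    return { status: 302, location: "/" };
  }

  // Stand-in for asking Elasticsearch who the cookie belongs to: only a cookie
  // carrying a completed session authenticates; the intermediate cookie does not.
  authenticate(cookie) {
    return cookie && cookie.username ? { username: cookie.username } : null;
  }

  loginRoute(cookie) {
    const treatAsAuthenticated = this.validateCookieOnLogin
      ? this.authenticate(cookie) !== null // fix: the cookie must be a live session
      : cookie !== undefined;              // bug: presence of any cookie is enough
    if (treatAsAuthenticated) return { status: 302, location: "/" };
    return { status: 200, body: "login page" };
  }
}

// The issue's steps to reproduce: /login, then /, then /login again.
// Returns what the browser sees at each step.
function reproduce({ validateCookieOnLogin }) {
  const kibana = new KibanaModel({ validateCookieOnLogin });
  const browser = { cookie: undefined };
  const seen = (res) => (res.status === 302 ? `redirect:${res.location}` : res.body);
  return [
    seen(kibana.request(browser, "/login")),
    seen(kibana.request(browser, "/")),
    seen(kibana.request(browser, "/login")),
  ];
}

// The workaround from the thread: drop the Kibana cookie (logout, dev tools or a
// fresh private window), then go straight to /login without touching /.
function workaround() {
  const kibana = new KibanaModel({ validateCookieOnLogin: false });
  const browser = { cookie: undefined };
  kibana.request(browser, "/"); // handshake started, intermediate cookie set
  browser.cookie = undefined;   // clear cookies
  return kibana.request(browser, "/login").body;
}

// A full SAML round trip, including a response for some other request being rejected.
function samlRoundTrip() {
  const kibana = new KibanaModel({ validateCookieOnLogin: true });
  const browser = { cookie: undefined };
  const toIdp = kibana.request(browser, "/");
  const requestId = new URL(toIdp.location).searchParams.get("SAMLRequest");
  // Constructed IdP responses: one for a request this browser never made, one for ours.
  const stale = kibana.request(browser, "/saml/callback", { inResponseTo: "req-999", nameId: "mallory" });
  const ok = kibana.request(browser, "/saml/callback", { inResponseTo: requestId, nameId: "alice" });
  const afterLogin = kibana.request(browser, "/login"); // now really authenticated, back to /
  return { staleStatus: stale.status, okStatus: ok.status, user: browser.cookie.username, afterLogin: afterLogin.location };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("before fix:", reproduce({ validateCookieOnLogin: false }));
  console.log("after fix: ", reproduce({ validateCookieOnLogin: true }));
  console.log("workaround:", workaround());
  console.log("round trip:", samlRoundTrip());
}
```

With validateCookieOnLogin=false the third step of reproduce() is a redirect to "/", which in turn redirects to the IdP again, which is exactly the loop reported above; with the cookie actually validated, or with the cookie cleared first as in the workaround, /login renders. The round trip also shows why the intermediate cookie exists at all: without the stored request ID a response for a different request could not be told apart from a legitimate one.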

@azasypkin
Member

Fixed in #53010 and will be available since 7.7.0.
