AWS ELK - SAML SSO 在浏览器中有效,但在 iFrame 中无效
AWS ELK - SAML SSO works in browser but not in iFrame
我正在我的应用程序中实现 SSO:
- 在Keycloak中注册为Open Id Client的react应用
- AWS ELK 在 Keycloak 中注册为 SAML 客户端。
场景:1直接在浏览器中使用Kibana
当我访问时,Kibana URL 例如这样- https://xxx-yyy.eu-central-1.es.amazonaws.com/_plugin/kibana/ 它将我重定向到 keycloak 登录页面。成功登录 keycloak 后,它会重定向到 Kibana,在那里我可以看到分配给我的用户的适当角色(基于我创建的映射)。
到目前为止一切正常!
场景:2 在外部门户中嵌入仪表板
我在 Kibana 中有一个仪表板,我已将其共享为嵌入式 iFrame。 iFrame 代码已添加到我注册为 OPEN ID Connect 客户端的门户中。
当我访问我的门户时,它成功地将我重定向到 Keycloak 的登录页面,并让我对 Keycloak 进行身份验证。当嵌入式 iFrame 获得渲染时,它显示错误 400:错误请求,无效请求 ID
以下请求在 iFrame 中执行失败:
Request URL: https://xxx-yyy.eu-central-1.es.amazonaws.com/_plugin/kibana/_opendistro/_security/saml/acs
Request Method: POST
Status Code: 400
Remote Address: 54.93.149.42:443
Referrer Policy: strict-origin-when-cross-origin
:authority: xxx-yyy.eu-central-1.es.amazonaws.com
:method: POST
:path: /_plugin/kibana/_opendistro/_security/saml/acs
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: max-age=0
content-type: application/x-www-form-urlencoded
origin: https://keycloakdomain.com
referer: https://keycloakdomain.com/
sec-fetch-dest: iframe
sec-fetch-mode: navigate
sec-fetch-site: cross-site
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36 Edg/88.0.705.56
SAMLResponse: PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIERlc3RpbmF0aW9uPSJodHRwczovL3NlYXJjaC1pc2NvLWRldmVsb3BtZW50LWt6eHBpeWpvN2ZpNWJ1ZGJvdndtb2NwZW9pLmV1LWNlbnRyYWwtMS5lcy5hbWF6b25hd3MuY29tL19wbHVnaW4va2liYW5hL19vcGVuZGlzdHJvL19zZWN1cml0eS9zYW1sL2FjcyIgSUQ9IklEXzlmYWFjYmEyLWUxNzgtNDU3MS04MTg5LTJmYTFhNjAwOWI0ZiIgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl8zY2ZlYmIwMC1mNTdhLTQ4MGItOGQyOC1jZTZkYTQ0NTlhYWUiIElzc3VlSW5zdGFudD0iMjAyMS0wMi0wNVQwODo1OTowNi4xMzRaIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3Vlcj5odHRwczovL2xvZ2luLmlubm92ZW8uY29tL2F1dGgvcmVhbG1zL21hc3Rlcjwvc2FtbDpJc3N1ZXI+PGRzaWc6U2lnbmF0dXJlIHhtbG5zOmRzaWc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkc2lnOlNpZ25lZEluZm8+PGRzaWc6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkc2lnOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiLz48ZHNpZzpSZWZlcmVuY2UgVVJJPSIjSURfOWZhYWNiYTItZTE3OC00NTcxLTgxODktMmZhMWE2MDA5YjRmIj48ZHNpZzpUcmFuc2Zvcm1zPjxkc2lnOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzaWc6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kc2lnOlRyYW5zZm9ybXM+PGRzaWc6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2Ii8+PGRzaWc6RGlnZXN0VmFsdWU+eDZleTZxa250aEsvRGY4Uk1PaFVBSGpZcHk1QnFuVnZUK0JwNXFZU3hZQT08L2RzaWc6RGlnZXN0VmFsdWU+PC9kc2lnOlJlZmVyZW5jZT48L2RzaWc6U2lnbmVkSW5mbz48ZHNpZzpTaWduYXR1cmVWYWx1ZT5TdU1zS21vVzNqSnJudEdZSmtrWHU2dllGRUQxYmFKUU5qZVN1dTh0ak1qeXgzSUJ0TnIwUU5aaU1OcTdJUTl4d2dVSjlFeldSQ0NtTWd3TFU1L0FsMk85RFBMYWpIcVc2Q2tPNGR2VS9YdHpWR25FcUdVbnVZN2NtUFBFQUtZUHRRODFOOGFlYmxiWFNEVHdlWVN1aXE1Z1ROcFZnbkZxRXBFTjFYSVV3Z0J6TzV6NjFhdmpsMmxjWW1HSUt1UThFMFI4TnZURENWM2cxZStFemhnQUN3cndtbmgvSUx2VWZOMDRtRTZWeTVCdk1GMVR5Ym9TZHZTbTFBUWl1bGJpblVXcVlZUWFXZmcvTkRHcHBCTzdxeGlPaXE0OHpjQVArc3RsVzRxOGhxVnR2UnArUUU5ZmJGVUJERzJBYWVQRVN2M3BQbU9YTE13bEJaYmVGSWcvNEE9PTwvZHNpZzpTaWduYXR1cmVWYWx1ZT48ZHNpZzpLZXlJbmZvPjxkc2lnOktleU5hbWU+TXZpcnZmREQwWlVCYWhvMmJ0WHBuUV9OQ0kwWFBwUmRfYWdCU2dHRHFIUTwvZHNpZzpLZXlOYW1lPjxkc2lnOlg1MDlEYXRhPjxkc2lnOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDbXpDQ0FZTUNCZ0Z5Uys2dWt6QU5CZ2txaGtpRzl3MEJBUXNGQURBUk1ROHdEUVlEVlFRRERBWnRZWE4wWlhJd0hoY05NakF3TlRJMU1UTXdNakV5V2hjTk16QXdOVEkxTVRNd016VXlXakFSTVE4d0RRWURWUVFEREFadFlYTjBaWEl3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRE0zNkNrWVdpQ0dEWmJnMW9LRE9ZNUZ0eGg4bStncmpaRHpOMTVsQ3ZkR3pxN1NFUG9EbWtqTzNMN2U5cTFjMEJRTzRCeW91M0lYMWJLUXk1cGFISE1iVXJudGI4cmxOREN4N3hOU25aeDBFNHowVDdIdWp0c1dZcUpsaFBkdnQzSmVTMFZUOTErTTFrQ0hMYUNOT01lLyt0aFZxYjA5bDdGQ2ZSSWNUOEg5ck5LRXM2TDZObHlaNHJHM3JsbzF1QWlwaExDaW5VOFVZRjd6dnJ4QkFablBMMit5d2lJNHNIRmlvNEpJUWw1Mm9yVENVNE13V3BBZzhCZ3gxc01WNG5reGNlZFpUclFZeDUyQ0QvRjBrcTdXWXRFWnhKVmFuc1gzbE9kWFR5bUJ3NHlGOEllVUR6VVBUVWhRU05sTjFzaTI2cGM2dTMramJoRnUrRGg2RHUzQWdNQkFBRXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQlFyaFF6Qi9sam90T05MK2docFVmMlZnSFgvSzJNeWhsM1pSZ3N4alo5YmU2OGVxNEVWZ2g0M2Y2bHhLeWZRc0NwcEovTVV1NHRRbzV4T05Sb0FrV05zOTlsemFWSFl4anJnOSttWXZnNnhHRW0rMzJKOHQ4VWMzNTVTdTgrM2ExZ2RFSVIwQTFQTHlvSGpHVHdzV291Q1Y5OFdCOUdBdWxNdjgzUzNaWEZkWElFREpEQXJ0d2F4WldJYnhpTVhVTU55WERKbVZIZWJjYW5XVW8vVmV6TFArQ2FTK05qS3orbUdUNEgxYllNaFlyLzdob241YnNnb3M4K3FtRHAvWmx4OXhlTXlCbXZJNzBhOGJ2NjBiZ2pGeXJqNGZNWHBnUVRNUTB6K3lmYllUenFoN0k4RUFwUUJIYWR0MDBuWUFveVFTQWVBbmUwcEZmMHc0SUNiNWZ3PTwvZHNpZzpYNTA5Q2VydGlmaWNhdGU+PC9kc2lnOlg1MDlEYXRhPjxkc2lnOktleVZhbHVlPjxkc2lnOlJTQUtleVZhbHVlPjxkc2lnOk1vZHVsdXM+ek4rZ3BHRm9naGcyVzROYUNnem1PUmJjWWZKdm9LNDJROHpkZVpRcjNSczZ1MGhENkE1cEl6dHkrM3ZhdFhOQVVEdUFjcUx0eUY5V3lrTXVhV2h4ekcxSzU3Vy9LNVRRd3NlOFRVcDJjZEJPTTlFK3g3bzdiRm1LaVpZVDNiN2R5WGt0RlUvZGZqTlpBaHkyZ2pUakh2L3JZVmFtOVBaZXhRbjBTSEUvQi9helNoTE9pK2paY21lS3h0NjVhTmJnSXFZU3dvcDFQRkdCZTg3NjhRUUdaenk5dnNzSWlPTEJ4WXFPQ1NFSmVkcUswd2xPRE1GcVFJUEFZTWRiREZlSjVNWEhuV1U2MEdNZWRnZy94ZEpLdTFtTFJHY1NWV3A3Rjk1VG5WMDhwZ2NPTWhmQ0hsQTgxRDAxSVVFalpUZGJJdHVxWE9ydC9vMjRSYnZnNGVnN3R3PT08L2RzaWc6TW9kdWx1cz48ZHNpZzpFeHBvbmVudD5BUUFCPC9kc2lnOkV4cG9uZW50PjwvZHNpZzpSU0FLZXlWYWx1ZT48L2RzaWc6S2V5VmFsdWU+PC9kc2lnOktleUluZm8+PC9kc2lnOlNpZ25hdHVyZT48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJJRF82MDk0YTY0Yi0wYTUxLTQwNTItODA0Ny01ZTczOGU5ZjllODMiIElzc3VlSW5zdGFudD0iMjAyMS0wMi0wNVQwODo1OTowNi4xMzRaIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3Vlcj5odHRwczovL2xvZ2luLmlubm92ZW8uY29tL2F1dGgvcmVhbG1zL21hc3Rlcjwvc2FtbDpJc3N1ZXI+PGRzaWc6U2lnbmF0dXJlIHhtbG5zOmRzaWc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkc2lnOlNpZ25lZEluZm8+PGRzaWc6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkc2lnOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiLz48ZHNpZzpSZWZlcmVuY2UgVVJJPSIjSURfNjA5NGE2NGItMGE1MS00MDUyLTgwNDctNWU3MzhlOWY5ZTgzIj48ZHNpZzpUcmFuc2Zvcm1zPjxkc2lnOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzaWc6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kc2lnOlRyYW5zZm9ybXM+PGRzaWc6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2Ii8+PGRzaWc6RGlnZXN0VmFsdWU+R2VJZTdnRFlIakJ4UnVoT3NZbzNteW1oZUdFRDJOaFVqVDNnc2xBVEhzMD08L2RzaWc6RGlnZXN0VmFsdWU+PC9kc2lnOlJlZmVyZW5jZT48L2RzaWc6U2lnbmVkSW5mbz48ZHNpZzpTaWduYXR1cmVWYWx1ZT51aDBxbE5ObzNlb0RxazdxYU1mK05td0dtdjlhRG1FRFgyQU82RTRGOG1SRHhYcGViWVdkQys0UnFOUmtQSjE2V1NFck1qejZudXNKSHJtREtGY1JFeE9xSzBMSmRXRUJ3OC9kSGkxUlUza1JPcmtQb0NhTiswSXhNYTFodWNrSVkwWm5ZVFEzMkdMY0Y4L2JiR25OWTZ0WEs1RHRqT1VEMFdOZmhScWN2dFh3UDk4Y2hTN3dYNWlDQU9Gd2Vkb2svNEw4dDN6eHZMdUxxeTZlR3RqbkpKbEVwaWtDZkhVbDM2UmFRS2JENmxTVUxOc1RhdU54SEYwcmxhYTN0NzBhUHRXeVJtaGhMTWEyUjNVMU9NN0lSWFZYV3NZQjVlaUJ3MlZIcEFyY3BtdCswRUw0clBxMjBMdS9HemZOanlMNldLZWdscXNWNVZ5R0gxVkZCbEdaY2c9PTwvZHNpZzpTaWduYXR1cmVWYWx1ZT48ZHNpZzpLZXlJbmZvPjxkc2lnOktleU5hbWU+TXZpcnZmREQwWlVCYWhvMmJ0WHBuUV9OQ0kwWFBwUmRfYWdCU2dHRHFIUTwvZHNpZzpLZXlOYW1lPjxkc2lnOlg1MDlEYXRhPjxkc2lnOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDbXpDQ0FZTUNCZ0Z5Uys2dWt6QU5CZ2txaGtpRzl3MEJBUXNGQURBUk1ROHdEUVlEVlFRRERBWnRZWE4wWlhJd0hoY05NakF3TlRJMU1UTXdNakV5V2hjTk16QXdOVEkxTVRNd016VXlXakFSTVE4d0RRWURWUVFEREFadFlYTjBaWEl3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRE0zNkNrWVdpQ0dEWmJnMW9LRE9ZNUZ0eGg4bStncmpaRHpOMTVsQ3ZkR3pxN1NFUG9EbWtqTzNMN2U5cTFjMEJRTzRCeW91M0lYMWJLUXk1cGFISE1iVXJudGI4cmxOREN4N3hOU25aeDBFNHowVDdIdWp0c1dZcUpsaFBkdnQzSmVTMFZUOTErTTFrQ0hMYUNOT01lLyt0aFZxYjA5bDdGQ2ZSSWNUOEg5ck5LRXM2TDZObHlaNHJHM3JsbzF1QWlwaExDaW5VOFVZRjd6dnJ4QkFablBMMit5d2lJNHNIRmlvNEpJUWw1Mm9yVENVNE13V3BBZzhCZ3gxc01WNG5reGNlZFpUclFZeDUyQ0QvRjBrcTdXWXRFWnhKVmFuc1gzbE9kWFR5bUJ3NHlGOEllVUR6VVBUVWhRU05sTjFzaTI2cGM2dTMramJoRnUrRGg2RHUzQWdNQkFBRXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQlFyaFF6Qi9sam90T05MK2docFVmMlZnSFgvSzJNeWhsM1pSZ3N4alo5YmU2OGVxNEVWZ2g0M2Y2bHhLeWZRc0NwcEovTVV1NHRRbzV4T05Sb0FrV05zOTlsemFWSFl4anJnOSttWXZnNnhHRW0rMzJKOHQ4VWMzNTVTdTgrM2ExZ2RFSVIwQTFQTHlvSGpHVHdzV291Q1Y5OFdCOUdBdWxNdjgzUzNaWEZkWElFREpEQXJ0d2F4WldJYnhpTVhVTU55WERKbVZIZWJjYW5XVW8vVmV6TFArQ2FTK05qS3orbUdUNEgxYllNaFlyLzdob241YnNnb3M4K3FtRHAvWmx4OXhlTXlCbXZJNzBhOGJ2NjBiZ2pGeXJqNGZNWHBnUVRNUTB6K3lmYllUenFoN0k4RUFwUUJIYWR0MDBuWUFveVFTQWVBbmUwcEZmMHc0SUNiNWZ3PTwvZHNpZzpYNTA5Q2VydGlmaWNhdGU+PC9kc2lnOlg1MDlEYXRhPjxkc2lnOktleVZhbHVlPjxkc2lnOlJTQUtleVZhbHVlPjxkc2lnOk1vZHVsdXM+ek4rZ3BHRm9naGcyVzROYUNnem1PUmJjWWZKdm9LNDJROHpkZVpRcjNSczZ1MGhENkE1cEl6dHkrM3ZhdFhOQVVEdUFjcUx0eUY5V3lrTXVhV2h4ekcxSzU3Vy9LNVRRd3NlOFRVcDJjZEJPTTlFK3g3bzdiRm1LaVpZVDNiN2R5WGt0RlUvZGZqTlpBaHkyZ2pUakh2L3JZVmFtOVBaZXhRbjBTSEUvQi9helNoTE9pK2paY21lS3h0NjVhTmJnSXFZU3dvcDFQRkdCZTg3NjhRUUdaenk5dnNzSWlPTEJ4WXFPQ1NFSmVkcUswd2xPRE1GcVFJUEFZTWRiREZlSjVNWEhuV1U2MEdNZWRnZy94ZEpLdTFtTFJHY1NWV3A3Rjk1VG5WMDhwZ2NPTWhmQ0hsQTgxRDAxSVVFalpUZGJJdHVxWE9ydC9vMjRSYnZnNGVnN3R3PT08L2RzaWc6TW9kdWx1cz48ZHNpZzpFeHBvbmVudD5BUUFCPC9kc2lnOkV4cG9uZW50PjwvZHNpZzpSU0FLZXlWYWx1ZT48L2RzaWc6S2V5VmFsdWU+PC9kc2lnOktleUluZm8+PC9kc2lnOlNpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OnVuc3BlY2lmaWVkIj5hbmphbGkubWFpdGhhbmk8L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzNjZmViYjAwLWY1N2EtNDgwYi04ZDI4LWNlNmRhNDQ1OWFhZSIgTm90T25PckFmdGVyPSIyMDIxLTAyLTA1VDA5OjI5OjA0LjEzNFoiIFJlY2lwaWVudD0iaHR0cHM6Ly9zZWFyY2gtaXNjby1kZXZlbG9wbWVudC1renhwaXlqbzdmaTVidWRib3Z3bW9jcGVvaS5ldS1jZW50cmFsLTEuZXMuYW1hem9uYXdzLmNvbS9fcGx1Z2luL2tpYmFuYS9fb3BlbmRpc3Ryby9fc2VjdXJpdHkvc2FtbC9hY3MiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAyMS0wMi0wNVQwODo1OTowNC4xMzRaIiBOb3RPbk9yQWZ0ZXI9IjIwMjEtMDItMDVUMDk6Mjk6MDQuMTM0WiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwczovL3NlYXJjaC1pc2NvLWRldmVsb3BtZW50LWt6eHBpeWpvN2ZpNWJ1ZGJvdndtb2NwZW9pLmV1LWNlbnRyYWwtMS5lcy5hbWF6b25hd3MuY29tPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAyMS0wMi0wNVQwODo1OTowNi4xMzRaIiBTZXNzaW9uSW5kZXg9ImRiZWVlMDFmLTdkYWItNDFiYy1iMzIzLWFjOWFmOWFhNzQyMjo6MGFkY2IwZjUtMjA5MS00NmVhLTkzMTMtMDY1YTBiODY5MTY1IiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDIxLTAyLTA1VDE4OjU5OjA2LjEzNFoiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3Nlczp1bnNwZWNpZmllZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9IktpYmFuYUJhY2tlbmRSb2xlcyIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj4va2V5Y2xvYWstaXNjby1hZG1pbjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==
我已经验证了上面的 SAML 响应,我可以看到响应是正确的。
这是上述请求的 SAML AuthNRequest:
<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_3cfebb00-f57a-480b-8d28-ce6da4459aae" Version="2.0" IssueInstant="2021-02-05T08:59:05Z" Destination="https://login.innoveo.com/auth/realms/master/protocol/saml" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://search-isco-development-kzxpiyjo7fi5budbovwmocpeoi.eu-central-1.es.amazonaws.com/_plugin/kibana/_opendistro/_security/saml/acs">
<saml:Issuer>
https://search-isco-development-kzxpiyjo7fi5budbovwmocpeoi.eu-central-1.es.amazonaws.com
</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>
问题不在于 ELK 或 SAML 的工作方式,我们发现问题在于称为“SameSiteCookie”的新浏览器安全属性。
默认情况下,现代浏览器不允许跨域共享 cookie,这就是问题所在。
当我在浏览器中手动更改此设置时,一切开始正常工作。
对于 Elastic 版本的 ELK - 有一个名为 - xpack.security.sameSiteCookies 的设置
对于 ELK 的 Open Distro 版本 - 有一个名为 - opendistro_security.cookie.sameSite
的设置
如果您使用的是 AWS ElasticSearch 服务,则无法设置 opendistro_security.cookie.sameSite 这是一个限制,迫使我们移出 AWS ElasticSearch。
我正在我的应用程序中实现 SSO:
- 在Keycloak中注册为Open Id Client的react应用
- AWS ELK 在 Keycloak 中注册为 SAML 客户端。
场景:1直接在浏览器中使用Kibana
当我访问时,Kibana URL 例如这样- https://xxx-yyy.eu-central-1.es.amazonaws.com/_plugin/kibana/ 它将我重定向到 keycloak 登录页面。成功登录 keycloak 后,它会重定向到 Kibana,在那里我可以看到分配给我的用户的适当角色(基于我创建的映射)。
到目前为止一切正常!
场景:2 在外部门户中嵌入仪表板
我在 Kibana 中有一个仪表板,我已将其共享为嵌入式 iFrame。 iFrame 代码已添加到我注册为 OPEN ID Connect 客户端的门户中。
当我访问我的门户时,它成功地将我重定向到 Keycloak 的登录页面,并让我对 Keycloak 进行身份验证。当嵌入式 iFrame 获得渲染时,它显示错误 400:错误请求,无效请求 ID
以下请求在 iFrame 中执行失败:
Request URL: https://xxx-yyy.eu-central-1.es.amazonaws.com/_plugin/kibana/_opendistro/_security/saml/acs
Request Method: POST
Status Code: 400
Remote Address: 54.93.149.42:443
Referrer Policy: strict-origin-when-cross-origin
:authority: xxx-yyy.eu-central-1.es.amazonaws.com
:method: POST
:path: /_plugin/kibana/_opendistro/_security/saml/acs
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: max-age=0
content-type: application/x-www-form-urlencoded
origin: https://keycloakdomain.com
referer: https://keycloakdomain.com/
sec-fetch-dest: iframe
sec-fetch-mode: navigate
sec-fetch-site: cross-site
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36 Edg/88.0.705.56
SAMLResponse: PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIERlc3RpbmF0aW9uPSJodHRwczovL3NlYXJjaC1pc2NvLWRldmVsb3BtZW50LWt6eHBpeWpvN2ZpNWJ1ZGJvdndtb2NwZW9pLmV1LWNlbnRyYWwtMS5lcy5hbWF6b25hd3MuY29tL19wbHVnaW4va2liYW5hL19vcGVuZGlzdHJvL19zZWN1cml0eS9zYW1sL2FjcyIgSUQ9IklEXzlmYWFjYmEyLWUxNzgtNDU3MS04MTg5LTJmYTFhNjAwOWI0ZiIgSW5SZXNwb25zZVRvPSJPTkVMT0dJTl8zY2ZlYmIwMC1mNTdhLTQ4MGItOGQyOC1jZTZkYTQ0NTlhYWUiIElzc3VlSW5zdGFudD0iMjAyMS0wMi0wNVQwODo1OTowNi4xMzRaIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3Vlcj5odHRwczovL2xvZ2luLmlubm92ZW8uY29tL2F1dGgvcmVhbG1zL21hc3Rlcjwvc2FtbDpJc3N1ZXI+PGRzaWc6U2lnbmF0dXJlIHhtbG5zOmRzaWc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkc2lnOlNpZ25lZEluZm8+PGRzaWc6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkc2lnOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiLz48ZHNpZzpSZWZlcmVuY2UgVVJJPSIjSURfOWZhYWNiYTItZTE3OC00NTcxLTgxODktMmZhMWE2MDA5YjRmIj48ZHNpZzpUcmFuc2Zvcm1zPjxkc2lnOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzaWc6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kc2lnOlRyYW5zZm9ybXM+PGRzaWc6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2Ii8+PGRzaWc6RGlnZXN0VmFsdWU+eDZleTZxa250aEsvRGY4Uk1PaFVBSGpZcHk1QnFuVnZUK0JwNXFZU3hZQT08L2RzaWc6RGlnZXN0VmFsdWU+PC9kc2lnOlJlZmVyZW5jZT48L2RzaWc6U2lnbmVkSW5mbz48ZHNpZzpTaWduYXR1cmVWYWx1ZT5TdU1zS21vVzNqSnJudEdZSmtrWHU2dllGRUQxYmFKUU5qZVN1dTh0ak1qeXgzSUJ0TnIwUU5aaU1OcTdJUTl4d2dVSjlFeldSQ0NtTWd3TFU1L0FsMk85RFBMYWpIcVc2Q2tPNGR2VS9YdHpWR25FcUdVbnVZN2NtUFBFQUtZUHRRODFOOGFlYmxiWFNEVHdlWVN1aXE1Z1ROcFZnbkZxRXBFTjFYSVV3Z0J6TzV6NjFhdmpsMmxjWW1HSUt1UThFMFI4TnZURENWM2cxZStFemhnQUN3cndtbmgvSUx2VWZOMDRtRTZWeTVCdk1GMVR5Ym9TZHZTbTFBUWl1bGJpblVXcVlZUWFXZmcvTkRHcHBCTzdxeGlPaXE0OHpjQVArc3RsVzRxOGhxVnR2UnArUUU5ZmJGVUJERzJBYWVQRVN2M3BQbU9YTE13bEJaYmVGSWcvNEE9PTwvZHNpZzpTaWduYXR1cmVWYWx1ZT48ZHNpZzpLZXlJbmZvPjxkc2lnOktleU5hbWU+TXZpcnZmREQwWlVCYWhvMmJ0WHBuUV9OQ0kwWFBwUmRfYWdCU2dHRHFIUTwvZHNpZzpLZXlOYW1lPjxkc2lnOlg1MDlEYXRhPjxkc2lnOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDbXpDQ0FZTUNCZ0Z5Uys2dWt6QU5CZ2txaGtpRzl3MEJBUXNGQURBUk1ROHdEUVlEVlFRRERBWnRZWE4wWlhJd0hoY05NakF3TlRJMU1UTXdNakV5V2hjTk16QXdOVEkxTVRNd016VXlXakFSTVE4d0RRWURWUVFEREFadFlYTjBaWEl3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRE0zNkNrWVdpQ0dEWmJnMW9LRE9ZNUZ0eGg4bStncmpaRHpOMTVsQ3ZkR3pxN1NFUG9EbWtqTzNMN2U5cTFjMEJRTzRCeW91M0lYMWJLUXk1cGFISE1iVXJudGI4cmxOREN4N3hOU25aeDBFNHowVDdIdWp0c1dZcUpsaFBkdnQzSmVTMFZUOTErTTFrQ0hMYUNOT01lLyt0aFZxYjA5bDdGQ2ZSSWNUOEg5ck5LRXM2TDZObHlaNHJHM3JsbzF1QWlwaExDaW5VOFVZRjd6dnJ4QkFablBMMit5d2lJNHNIRmlvNEpJUWw1Mm9yVENVNE13V3BBZzhCZ3gxc01WNG5reGNlZFpUclFZeDUyQ0QvRjBrcTdXWXRFWnhKVmFuc1gzbE9kWFR5bUJ3NHlGOEllVUR6VVBUVWhRU05sTjFzaTI2cGM2dTMramJoRnUrRGg2RHUzQWdNQkFBRXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQlFyaFF6Qi9sam90T05MK2docFVmMlZnSFgvSzJNeWhsM1pSZ3N4alo5YmU2OGVxNEVWZ2g0M2Y2bHhLeWZRc0NwcEovTVV1NHRRbzV4T05Sb0FrV05zOTlsemFWSFl4anJnOSttWXZnNnhHRW0rMzJKOHQ4VWMzNTVTdTgrM2ExZ2RFSVIwQTFQTHlvSGpHVHdzV291Q1Y5OFdCOUdBdWxNdjgzUzNaWEZkWElFREpEQXJ0d2F4WldJYnhpTVhVTU55WERKbVZIZWJjYW5XVW8vVmV6TFArQ2FTK05qS3orbUdUNEgxYllNaFlyLzdob241YnNnb3M4K3FtRHAvWmx4OXhlTXlCbXZJNzBhOGJ2NjBiZ2pGeXJqNGZNWHBnUVRNUTB6K3lmYllUenFoN0k4RUFwUUJIYWR0MDBuWUFveVFTQWVBbmUwcEZmMHc0SUNiNWZ3PTwvZHNpZzpYNTA5Q2VydGlmaWNhdGU+PC9kc2lnOlg1MDlEYXRhPjxkc2lnOktleVZhbHVlPjxkc2lnOlJTQUtleVZhbHVlPjxkc2lnOk1vZHVsdXM+ek4rZ3BHRm9naGcyVzROYUNnem1PUmJjWWZKdm9LNDJROHpkZVpRcjNSczZ1MGhENkE1cEl6dHkrM3ZhdFhOQVVEdUFjcUx0eUY5V3lrTXVhV2h4ekcxSzU3Vy9LNVRRd3NlOFRVcDJjZEJPTTlFK3g3bzdiRm1LaVpZVDNiN2R5WGt0RlUvZGZqTlpBaHkyZ2pUakh2L3JZVmFtOVBaZXhRbjBTSEUvQi9helNoTE9pK2paY21lS3h0NjVhTmJnSXFZU3dvcDFQRkdCZTg3NjhRUUdaenk5dnNzSWlPTEJ4WXFPQ1NFSmVkcUswd2xPRE1GcVFJUEFZTWRiREZlSjVNWEhuV1U2MEdNZWRnZy94ZEpLdTFtTFJHY1NWV3A3Rjk1VG5WMDhwZ2NPTWhmQ0hsQTgxRDAxSVVFalpUZGJJdHVxWE9ydC9vMjRSYnZnNGVnN3R3PT08L2RzaWc6TW9kdWx1cz48ZHNpZzpFeHBvbmVudD5BUUFCPC9kc2lnOkV4cG9uZW50PjwvZHNpZzpSU0FLZXlWYWx1ZT48L2RzaWc6S2V5VmFsdWU+PC9kc2lnOktleUluZm8+PC9kc2lnOlNpZ25hdHVyZT48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24geG1sbnM9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIElEPSJJRF82MDk0YTY0Yi0wYTUxLTQwNTItODA0Ny01ZTczOGU5ZjllODMiIElzc3VlSW5zdGFudD0iMjAyMS0wMi0wNVQwODo1OTowNi4xMzRaIiBWZXJzaW9uPSIyLjAiPjxzYW1sOklzc3Vlcj5odHRwczovL2xvZ2luLmlubm92ZW8uY29tL2F1dGgvcmVhbG1zL21hc3Rlcjwvc2FtbDpJc3N1ZXI+PGRzaWc6U2lnbmF0dXJlIHhtbG5zOmRzaWc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPjxkc2lnOlNpZ25lZEluZm8+PGRzaWc6Q2Fub25pY2FsaXphdGlvbk1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjxkc2lnOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMDQveG1sZHNpZy1tb3JlI3JzYS1zaGEyNTYiLz48ZHNpZzpSZWZlcmVuY2UgVVJJPSIjSURfNjA5NGE2NGItMGE1MS00MDUyLTgwNDctNWU3MzhlOWY5ZTgzIj48ZHNpZzpUcmFuc2Zvcm1zPjxkc2lnOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8+PGRzaWc6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8xMC94bWwtZXhjLWMxNG4jIi8+PC9kc2lnOlRyYW5zZm9ybXM+PGRzaWc6RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2Ii8+PGRzaWc6RGlnZXN0VmFsdWU+R2VJZTdnRFlIakJ4UnVoT3NZbzNteW1oZUdFRDJOaFVqVDNnc2xBVEhzMD08L2RzaWc6RGlnZXN0VmFsdWU+PC9kc2lnOlJlZmVyZW5jZT48L2RzaWc6U2lnbmVkSW5mbz48ZHNpZzpTaWduYXR1cmVWYWx1ZT51aDBxbE5ObzNlb0RxazdxYU1mK05td0dtdjlhRG1FRFgyQU82RTRGOG1SRHhYcGViWVdkQys0UnFOUmtQSjE2V1NFck1qejZudXNKSHJtREtGY1JFeE9xSzBMSmRXRUJ3OC9kSGkxUlUza1JPcmtQb0NhTiswSXhNYTFodWNrSVkwWm5ZVFEzMkdMY0Y4L2JiR25OWTZ0WEs1RHRqT1VEMFdOZmhScWN2dFh3UDk4Y2hTN3dYNWlDQU9Gd2Vkb2svNEw4dDN6eHZMdUxxeTZlR3RqbkpKbEVwaWtDZkhVbDM2UmFRS2JENmxTVUxOc1RhdU54SEYwcmxhYTN0NzBhUHRXeVJtaGhMTWEyUjNVMU9NN0lSWFZYV3NZQjVlaUJ3MlZIcEFyY3BtdCswRUw0clBxMjBMdS9HemZOanlMNldLZWdscXNWNVZ5R0gxVkZCbEdaY2c9PTwvZHNpZzpTaWduYXR1cmVWYWx1ZT48ZHNpZzpLZXlJbmZvPjxkc2lnOktleU5hbWU+TXZpcnZmREQwWlVCYWhvMmJ0WHBuUV9OQ0kwWFBwUmRfYWdCU2dHRHFIUTwvZHNpZzpLZXlOYW1lPjxkc2lnOlg1MDlEYXRhPjxkc2lnOlg1MDlDZXJ0aWZpY2F0ZT5NSUlDbXpDQ0FZTUNCZ0Z5Uys2dWt6QU5CZ2txaGtpRzl3MEJBUXNGQURBUk1ROHdEUVlEVlFRRERBWnRZWE4wWlhJd0hoY05NakF3TlRJMU1UTXdNakV5V2hjTk16QXdOVEkxTVRNd016VXlXakFSTVE4d0RRWURWUVFEREFadFlYTjBaWEl3Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLQW9JQkFRRE0zNkNrWVdpQ0dEWmJnMW9LRE9ZNUZ0eGg4bStncmpaRHpOMTVsQ3ZkR3pxN1NFUG9EbWtqTzNMN2U5cTFjMEJRTzRCeW91M0lYMWJLUXk1cGFISE1iVXJudGI4cmxOREN4N3hOU25aeDBFNHowVDdIdWp0c1dZcUpsaFBkdnQzSmVTMFZUOTErTTFrQ0hMYUNOT01lLyt0aFZxYjA5bDdGQ2ZSSWNUOEg5ck5LRXM2TDZObHlaNHJHM3JsbzF1QWlwaExDaW5VOFVZRjd6dnJ4QkFablBMMit5d2lJNHNIRmlvNEpJUWw1Mm9yVENVNE13V3BBZzhCZ3gxc01WNG5reGNlZFpUclFZeDUyQ0QvRjBrcTdXWXRFWnhKVmFuc1gzbE9kWFR5bUJ3NHlGOEllVUR6VVBUVWhRU05sTjFzaTI2cGM2dTMramJoRnUrRGg2RHUzQWdNQkFBRXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQlFyaFF6Qi9sam90T05MK2docFVmMlZnSFgvSzJNeWhsM1pSZ3N4alo5YmU2OGVxNEVWZ2g0M2Y2bHhLeWZRc0NwcEovTVV1NHRRbzV4T05Sb0FrV05zOTlsemFWSFl4anJnOSttWXZnNnhHRW0rMzJKOHQ4VWMzNTVTdTgrM2ExZ2RFSVIwQTFQTHlvSGpHVHdzV291Q1Y5OFdCOUdBdWxNdjgzUzNaWEZkWElFREpEQXJ0d2F4WldJYnhpTVhVTU55WERKbVZIZWJjYW5XVW8vVmV6TFArQ2FTK05qS3orbUdUNEgxYllNaFlyLzdob241YnNnb3M4K3FtRHAvWmx4OXhlTXlCbXZJNzBhOGJ2NjBiZ2pGeXJqNGZNWHBnUVRNUTB6K3lmYllUenFoN0k4RUFwUUJIYWR0MDBuWUFveVFTQWVBbmUwcEZmMHc0SUNiNWZ3PTwvZHNpZzpYNTA5Q2VydGlmaWNhdGU+PC9kc2lnOlg1MDlEYXRhPjxkc2lnOktleVZhbHVlPjxkc2lnOlJTQUtleVZhbHVlPjxkc2lnOk1vZHVsdXM+ek4rZ3BHRm9naGcyVzROYUNnem1PUmJjWWZKdm9LNDJROHpkZVpRcjNSczZ1MGhENkE1cEl6dHkrM3ZhdFhOQVVEdUFjcUx0eUY5V3lrTXVhV2h4ekcxSzU3Vy9LNVRRd3NlOFRVcDJjZEJPTTlFK3g3bzdiRm1LaVpZVDNiN2R5WGt0RlUvZGZqTlpBaHkyZ2pUakh2L3JZVmFtOVBaZXhRbjBTSEUvQi9helNoTE9pK2paY21lS3h0NjVhTmJnSXFZU3dvcDFQRkdCZTg3NjhRUUdaenk5dnNzSWlPTEJ4WXFPQ1NFSmVkcUswd2xPRE1GcVFJUEFZTWRiREZlSjVNWEhuV1U2MEdNZWRnZy94ZEpLdTFtTFJHY1NWV3A3Rjk1VG5WMDhwZ2NPTWhmQ0hsQTgxRDAxSVVFalpUZGJJdHVxWE9ydC9vMjRSYnZnNGVnN3R3PT08L2RzaWc6TW9kdWx1cz48ZHNpZzpFeHBvbmVudD5BUUFCPC9kc2lnOkV4cG9uZW50PjwvZHNpZzpSU0FLZXlWYWx1ZT48L2RzaWc6S2V5VmFsdWU+PC9kc2lnOktleUluZm8+PC9kc2lnOlNpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OnVuc3BlY2lmaWVkIj5hbmphbGkubWFpdGhhbmk8L3NhbWw6TmFtZUlEPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uRGF0YSBJblJlc3BvbnNlVG89Ik9ORUxPR0lOXzNjZmViYjAwLWY1N2EtNDgwYi04ZDI4LWNlNmRhNDQ1OWFhZSIgTm90T25PckFmdGVyPSIyMDIxLTAyLTA1VDA5OjI5OjA0LjEzNFoiIFJlY2lwaWVudD0iaHR0cHM6Ly9zZWFyY2gtaXNjby1kZXZlbG9wbWVudC1renhwaXlqbzdmaTVidWRib3Z3bW9jcGVvaS5ldS1jZW50cmFsLTEuZXMuYW1hem9uYXdzLmNvbS9fcGx1Z2luL2tpYmFuYS9fb3BlbmRpc3Ryby9fc2VjdXJpdHkvc2FtbC9hY3MiLz48L3NhbWw6U3ViamVjdENvbmZpcm1hdGlvbj48L3NhbWw6U3ViamVjdD48c2FtbDpDb25kaXRpb25zIE5vdEJlZm9yZT0iMjAyMS0wMi0wNVQwODo1OTowNC4xMzRaIiBOb3RPbk9yQWZ0ZXI9IjIwMjEtMDItMDVUMDk6Mjk6MDQuMTM0WiI+PHNhbWw6QXVkaWVuY2VSZXN0cmljdGlvbj48c2FtbDpBdWRpZW5jZT5odHRwczovL3NlYXJjaC1pc2NvLWRldmVsb3BtZW50LWt6eHBpeWpvN2ZpNWJ1ZGJvdndtb2NwZW9pLmV1LWNlbnRyYWwtMS5lcy5hbWF6b25hd3MuY29tPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAyMS0wMi0wNVQwODo1OTowNi4xMzRaIiBTZXNzaW9uSW5kZXg9ImRiZWVlMDFmLTdkYWItNDFiYy1iMzIzLWFjOWFmOWFhNzQyMjo6MGFkY2IwZjUtMjA5MS00NmVhLTkzMTMtMDY1YTBiODY5MTY1IiBTZXNzaW9uTm90T25PckFmdGVyPSIyMDIxLTAyLTA1VDE4OjU5OjA2LjEzNFoiPjxzYW1sOkF1dGhuQ29udGV4dD48c2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj51cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YWM6Y2xhc3Nlczp1bnNwZWNpZmllZDwvc2FtbDpBdXRobkNvbnRleHRDbGFzc1JlZj48L3NhbWw6QXV0aG5Db250ZXh0Pjwvc2FtbDpBdXRoblN0YXRlbWVudD48c2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlIE5hbWU9IktpYmFuYUJhY2tlbmRSb2xlcyIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeG1sbnM6eHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hIiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiB4c2k6dHlwZT0ieHM6c3RyaW5nIj4va2V5Y2xvYWstaXNjby1hZG1pbjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==
我已经验证了上面的 SAML 响应,我可以看到响应是正确的。
这是上述请求的 SAML AuthNRequest:
<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_3cfebb00-f57a-480b-8d28-ce6da4459aae" Version="2.0" IssueInstant="2021-02-05T08:59:05Z" Destination="https://login.innoveo.com/auth/realms/master/protocol/saml" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://search-isco-development-kzxpiyjo7fi5budbovwmocpeoi.eu-central-1.es.amazonaws.com/_plugin/kibana/_opendistro/_security/saml/acs">
<saml:Issuer>
https://search-isco-development-kzxpiyjo7fi5budbovwmocpeoi.eu-central-1.es.amazonaws.com
</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>
问题不在于 ELK 或 SAML 的工作方式,我们发现问题在于称为“SameSiteCookie”的新浏览器安全属性。
默认情况下,现代浏览器不允许跨域共享 cookie,这就是问题所在。
当我在浏览器中手动更改此设置时,一切开始正常工作。
对于 Elastic 版本的 ELK - 有一个名为 - xpack.security.sameSiteCookies 的设置
对于 ELK 的 Open Distro 版本 - 有一个名为 - opendistro_security.cookie.sameSite
如果您使用的是 AWS ElasticSearch 服务,则无法设置 opendistro_security.cookie.sameSite 这是一个限制,迫使我们移出 AWS ElasticSearch。