-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Breaking change] Drop /api/security/v1/saml
route in favour of /api/security/saml/callback
#81733
Comments
Pinging @elastic/es-ui (Team:Elasticsearch UI) |
Hi @azasypkin! Can you clarify your comments under |
Hey @alisonelizabeth! Yep, with one caveat though: having old route in the |
I'm going to remove the |
/api/security/saml/callback is the correct URL, while /api/security/v1/saml is the deprecated URL. See also: elastic/kibana#81733 Fixes: #99986 --------- Co-authored-by: Craig Rodrigues <rodrigc@crodrigues.org> Signed-off-by: Athena Brown <athena.brown@elastic.co>
/api/security/saml/callback is the correct URL, while /api/security/v1/saml is the deprecated URL. See also: elastic/kibana#81733 Fixes: #99985 --------- Co-authored-by: Craig Rodrigues <rodrigc@crodrigues.org> Signed-off-by: Athena Brown <athena.brown@elastic.co>
Change description
Which release will ship the breaking change?
8.0(Edit Joe 9/1/21: this is deprecated but we are not sure when we will get rid of it)Describe the change. How will it manifest to users?
The
/api/security/v1/saml
route is no longer available,/api/security/saml/callback
route must be used instead. This change should be reflected in Elasticsearch and Identity Provider SAML settings.This change is external to Kibana and Kibana cannot know for sure if user needs to do anything. Kibana can only check if SAML is enabled in Kibana, but Elasticsearch can figure that out if it checks
xpack.security.authc.realms.saml.{realm name}.sp.acs
setting. Also some users may still use old route inserver.xsrf.whitelist
, we no longer need this setting, but if we notice that they still use it with the old route there will be a high chance they need to change their Elasticsearch and IdP configuration as well.If users don't switch their configuration to
/api/security/saml/callback
they won't be able to log in with SAML (usually after login at the IdP users see just 404 generic error message).How many users will be affected?
Everyone who uses SAML and still relies on the old route. I've seen a lot of such deployments in Cloud.
What can users do to address the change manually?
I'd suggest going through SAML Guide once again and pick up all the new changes we introduced for the past number of releases, including this one.
How could we make migration easier with the Upgrade Assistant?
If we can base our check on the current ES configuration (
xpack.security.authc.realms.saml.{realm name}.sp.acs
) then we can pretty accurately say what needs to be changed on the ES side, and we should also ask users to double check if their IdP is configured to use the new route as well pointing them to the SAML Guide mentioned above.Test Data
You can use Oktanaut to generate various SAML configurations for various versions and deployments (e.g. local or ESS). If you pick
7.8+
the config will use the new route, earlier versions will still rely on the old route.Cross links
/cc @elastic/kibana-security
The text was updated successfully, but these errors were encountered: