How to setup right Auth for Elastic Stack with OKTA?

samuelarogbonlo · May 23, 2022, 5:30pm

I am trying to set up authentication with Okta for an internal elastic stack on google cloud. After all, configurations have been completed to the best of my knowledge - at this moment, every time I hit the elastic stack URL, it redirects to the OKTA login dashboard then I put in my credentials and the login success brings me to OKTA internal dashboard then I select the SAML app but instead of directing me to the elastic stack dashboard, it brings me back to OKTA. My configurations are shown thus:

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kibana-ingress
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/temporal-redirect: "https://o1labs.okta.com/"
spec:
  ingressClassName: nginx
  rules:
    - host: *.*.*.*
      http:
        paths:
          - pathType: Prefix
            backend:
              service:
                name: kibana-kibana
                port:
                  number: ****
            path: /
  # This section is only required if TLS is to be enabled for the Ingress

And the section of elastic.yaml configuration that concerns the SAML app is shown thus:

esConfig:
  elasticsearch.yml: |
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.transport.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.enabled: true
    xpack.security.http.ssl.truststore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack.security.http.ssl.keystore.path: /usr/share/elasticsearch/config/certs/elastic-certificates.p12
    xpack:
      security:
        authc:
          realms:
            saml:
              cloud-saml:
                order: 2
                attributes.principal: "nameid"
                attributes.groups: "groups"
                idp.metadata.path: "http://o1labs.okta.com/app/exk4y6vlpojJuBXfn5d7/sso/saml/metadata"
                idp.entity_id: "http://www.okta.com/exk4y6vlpojJuBXfn5d7"
                sp.entity_id: "http://node.status.o1test.net/"
                sp.acs: "http://node.status.o1test.net/"
                sp.logout: "http://node.status.o1test.net/logout"

I’d like to know how this could be sorted; this process will be called successful if I hit this URL http://node.status.o1test.net/ and it redirects to https://o1labs.okta.com/ then I log in with my credentials and the login success yields OKTA dashboard then when I hit the SAML app, it directs me to the actual elastic dashboard.

Please review and let me know if there are other questions - thanks a million!