I'm implementing SSO in my application where I have:
Scenario 1: Use Kibana directly in the browser
When I visit a Kibana URL such as this: https://xxx-yyy.eu-central-1.es.amazonaws.com/_plugin/kibana/ it redirects me to the Keycloak login page. After a successful login on Keycloak, it redirects to Kibana where I can see the appropriate role assigned to my user (based on the mapping I have created).
Everything works fine until now!
Scenario 2: Embed a dashboard in an external portal
I have a dashboard in Kibana which I have shared as an embedded iFrame. The iFrame code is added to my portal, which is registered as an OpenID Connect client.
When I visit my portal, it successfully redirects me to the login page of Keycloak and lets me authenticate against Keycloak. When the embedded iFrame gets rendered, it shows error 400: Bad Request, Invalid Request Id.
The following request, which fails, gets executed in the iFrame:
Request URL: https://xxx-yyy.eu-central-1.es.amazonaws.com/_plugin/kibana/_opendistro/_security/saml/acs
Request Method: POST
Status Code: 400
Remote Address: 54.93.149.42:443
Referrer Policy: strict-origin-when-cross-origin
:authority: xxx-yyy.eu-central-1.es.amazonaws.com
:method: POST
:path: /_plugin/kibana/_opendistro/_security/saml/acs
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: max-age=0
content-type: application/x-www-form-urlencoded
origin: https://keycloakdomain.com
referer: https://keycloakdomain.com/
sec-fetch-dest: iframe
sec-fetch-mode: navigate
sec-fetch-site: cross-site
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36 Edg/88.0.705.56
SAMLResponse: <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://search-isco-development-kzxpiyjo7fi5budbovwmocpeoi.eu-central-1.es.amazonaws.com/_plugin/kibana/_opendistro/_security/saml/acs" ID="ID_9faacba2-e178-4571-8189-2fa1a6009b4f" InResponseTo="ONELOGIN_3cfebb00-f57a-480b-8d28-ce6da4459aae" IssueInstant="2021-02-05T08:59:06.134Z" Version="2.0"><saml:Issuer>https://login.innoveo.com/auth/realms/master</saml:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><dsig:Reference URI="#ID_9faacba2-e178-4571-8189-2fa1a6009b4f"><dsig:Transforms><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsig:DigestValue>x6ey6qknthK/Df8RMOhUAHjYpy5BqnVvT+Bp5qYSxYA=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>SuMsKmoW3jJrntGYJkkXu6vYFED1baJQNjeSuu8tjMjyx3IBtNr0QNZiMNq7IQ9xwgUJ9EzWRCCmMgwLU5/Al2O9DPLajHqW6CkO4dvU/XtzVGnEqGUnuY7cmPPEAKYPtQ81N8aeblbXSDTweYSuiq5gTNpVgnFqEpEN1XIUwgBzO5z61avjl2lcYmGIKuQ8E0R8NvTDCV3g1e+EzhgACwrwmnh/ILvUfN04mE6Vy5BvMF1TyboSdvSm1AQiulbinUWqYYQaWfg/NDGppBO7qxiOiq48zcAP+stlW4q8hqVtvRp+QE9fbFUBDG2AaePESv3pPmOXLMwlBZbeFIg/4A==</dsig:SignatureValue><dsig:KeyInfo><dsig:KeyName>MvirvfDD0ZUBaho2btXpnQ_NCI0XPpRd_agBSgGDqHQ</dsig:KeyName><dsig:X509Data><dsig:X509Certificate>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</dsig:X509Certificate></dsig:X509Data><dsig:KeyValue><dsig:RSAKeyValue><dsig:Modulus>zN+gpGFoghg2W4NaCgzmORbcYfJvoK42Q8zdeZQr3Rs6u0hD6A5pIzty+3vatXNAUDuAcqLtyF9WykMuaWhxzG1K57W/K5TQwse8TUp2cdBOM9E+x7o7bFmKiZYT3b7dyXktFU/dfjNZAhy2gjTjHv/rYVam9PZexQn0SHE/B/azShLOi+jZcmeKxt65aNbgIqYSwop1PFGBe8768QQGZzy9vssIiOLBxYqOCSEJedqK0wlODMFqQIPAYMdbDFeJ5MXHnWU60GMedgg/xdJKu1mLRGcSVWp7F95TnV08pgcOMhfCHlA81D01IUEjZTdbItuqXOrt/o24Rbvg4eg7tw==</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo></dsig:Signature><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status><saml:Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="ID_6094a64b-0a51-4052-8047-5e738e9f9e83" IssueInstant="2021-02-05T08:59:06.134Z" Version="2.0"><saml:Issuer>https://login.innoveo.com/auth/realms/master</saml:Issuer><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><dsig:Reference URI="#ID_6094a64b-0a51-4052-8047-5e738e9f9e83"><dsig:Transforms><dsig:Transform 
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><dsig:DigestValue>GeIe7gDYHjBxRuhOsYo3mymheGED2NhUjT3gslATHs0=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>uh0qlNNo3eoDqk7qaMf+NmwGmv9aDmEDX2AO6E4F8mRDxXpebYWdC+4RqNRkPJ16WSErMjz6nusJHrmDKFcRExOqK0LJdWEBw8/dHi1RU3kROrkPoCaN+0IxMa1huckIY0ZnYTQ32GLcF8/bbGnNY6tXK5DtjOUD0WNfhRqcvtXwP98chS7wX5iCAOFwedok/4L8t3zxvLuLqy6eGtjnJJlEpikCfHUl36RaQKbD6lSULNsTauNxHF0rlaa3t70aPtWyRmhhLMa2R3U1OM7IRXVXWsYB5eiBw2VHpArcpmt+0EL4rPq20Lu/GzfNjyL6WKeglqsV5VyGH1VFBlGZcg==</dsig:SignatureValue><dsig:KeyInfo><dsig:KeyName>MvirvfDD0ZUBaho2btXpnQ_NCI0XPpRd_agBSgGDqHQ</dsig:KeyName><dsig:X509Data><dsig:X509Certificate>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</dsig:X509Certificate></dsig:X509Data><dsig:KeyValue><dsig:RSAKeyValue><dsig:Modulus>zN+gpGFoghg2W4NaCgzmORbcYfJvoK42Q8zdeZQr3Rs6u0hD6A5pIzty+3vatXNAUDuAcqLtyF9WykMuaWhxzG1K57W/K5TQwse8TUp2cdBOM9E+x7o7bFmKiZYT3b7dyXktFU/dfjNZAhy2gjTjHv/rYVam9PZexQn0SHE/B/azShLOi+jZcmeKxt65aNbgIqYSwop1PFGBe8768QQGZzy9vssIiOLBxYqOCSEJedqK0wlODMFqQIPAYMdbDFeJ5MXHnWU60GMedgg/xdJKu1mLRGcSVWp7F95TnV08pgcOMhfCHlA81D01IUEjZTdbItuqXOrt/o24Rbvg4eg7tw==</dsig:Modulus><dsig:Exponent>AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo></dsig:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">anjali.maithani</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="ONELOGIN_3cfebb00-f57a-480b-8d28-ce6da4459aae" NotOnOrAfter="2021-02-05T09:29:04.134Z" Recipient="https://search-isco-development-kzxpiyjo7fi5budbovwmocpeoi.eu-central-1.es.amazonaws.com/_plugin/kibana/_opendistro/_security/saml/acs"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions 
NotBefore="2021-02-05T08:59:04.134Z" NotOnOrAfter="2021-02-05T09:29:04.134Z"><saml:AudienceRestriction><saml:Audience>https://search-isco-development-kzxpiyjo7fi5budbovwmocpeoi.eu-central-1.es.amazonaws.com</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2021-02-05T08:59:06.134Z" SessionIndex="dbeee01f-7dab-41bc-b323-ac9af9aa7422::0adcb0f5-2091-46ea-9313-065a0b869165" SessionNotOnOrAfter="2021-02-05T18:59:06.134Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="KibanaBackendRoles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">/keycloak-isco-admin</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>
I have verified the SAML Response above and I can see that the response is correct.
Here is the SAML AuthnRequest for the above request:
<?xml version="1.0"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="ONELOGIN_3cfebb00-f57a-480b-8d28-ce6da4459aae" Version="2.0" IssueInstant="2021-02-05T08:59:05Z" Destination="https://login.innoveo.com/auth/realms/master/protocol/saml" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="https://search-isco-development-kzxpiyjo7fi5budbovwmocpeoi.eu-central-1.es.amazonaws.com/_plugin/kibana/_opendistro/_security/saml/acs">
<saml:Issuer>
https://search-isco-development-kzxpiyjo7fi5budbovwmocpeoi.eu-central-1.es.amazonaws.com
</saml:Issuer>
<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true"/>
</samlp:AuthnRequest>
The problem is not with ELK or how SAML works; the problem we found is with the new browser security feature, the "SameSite" cookie attribute.
By default, modern browsers do not allow cookies to be shared across domains, and this was the problem.
The moment I go and change this setting manually in the browser, everything starts working fine.
For the Elastic version of ELK there is a setting called xpack.security.sameSiteCookies.
For the Open Distro version of ELK there is a setting called opendistro_security.cookie.sameSite.
If you are using the AWS Elasticsearch service then you cannot set opendistro_security.cookie.sameSite,
which is a limitation that forced us to move out of AWS Elasticsearch.
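As an added illustration (not code from the question, Kibana, Open Distro or Keycloak), here is a small Python model of why the ACS POST works on a direct visit but fails inside the iframe. It combines a simplified version of the browser's SameSite decision (Strict, Lax, None, and Chromium's grace period for cookies set without any SameSite attribute) with the service-provider side check that the AuthnRequest ID stored in the session cookie matches InResponseTo in the SAMLResponse. The cookie name saml_request_id, the dataclasses and the function names are assumptions; the request ID is the one from the AuthnRequest above, and the request shape mirrors the captured headers (method POST, sec-fetch-site: cross-site, sec-fetch-dest: iframe).

```python
"""Model of the SameSite cookie decision at the SAML ACS endpoint.

Added illustration, not code from Kibana, Open Distro or Keycloak. The
cookie name "saml_request_id" and all function names are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Request ID taken from the AuthnRequest in the question.
REQUEST_ID = "ONELOGIN_3cfebb00-f57a-480b-8d28-ce6da4459aae"
LAX_POST_GRACE_SECONDS = 120  # Chromium's documented "Lax + POST" window


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    same_site: Optional[str]  # "Strict", "Lax", "None", or None if unset
    secure: bool
    age_seconds: int = 0      # seconds since the Set-Cookie was received


@dataclass(frozen=True)
class Request:
    method: str
    fetch_site: str   # Sec-Fetch-Site: "same-origin", "same-site", "cross-site"
    fetch_dest: str   # Sec-Fetch-Dest: "document" (top-level) or "iframe"
    https: bool


def browser_sends_cookie(cookie: Cookie, req: Request) -> bool:
    """Simplified SameSite enforcement as Chromium-based browsers apply it."""
    if cookie.secure and not req.https:
        return False                      # Secure cookies never go over http
    if req.fetch_site in ("same-origin", "same-site"):
        return True                       # SameSite only restricts cross-site
    policy = cookie.same_site
    if policy == "None":
        return cookie.secure              # SameSite=None is only honoured with Secure
    if policy == "Strict":
        return False
    # Lax (explicit, or the default when the attribute is absent):
    # sent cross-site only on top-level navigations with a safe method ...
    if req.fetch_dest != "document":
        return False                      # an iframe navigation is never top-level
    if req.method in ("GET", "HEAD"):
        return True
    # ... plus Chromium's grace period: a cookie set WITHOUT any SameSite
    # attribute less than 2 minutes ago also rides on top-level POSTs.
    return policy is None and cookie.age_seconds < LAX_POST_GRACE_SECONDS


def sp_check_in_response_to(cookies: dict, in_response_to: str):
    """SP side of the ACS endpoint: the AuthnRequest ID that was stored in
    the session cookie before redirecting to the IdP must match InResponseTo."""
    pending = cookies.get("saml_request_id")
    if pending is None:
        return False, "Invalid Request Id: no pending request in session"
    if pending != in_response_to:
        return False, "Invalid Request Id: InResponseTo mismatch"
    return True, "ok"


def acs_post(same_site: Optional[str], fetch_dest: str, age_seconds: int = 0):
    """Simulate the IdP's auto-submitted POST back to the ACS, which always
    arrives cross-site (it originates from the Keycloak domain)."""
    cookie = Cookie("saml_request_id", REQUEST_ID, same_site,
                    secure=True, age_seconds=age_seconds)
    req = Request("POST", "cross-site", fetch_dest, https=True)
    sent = {cookie.name: cookie.value} if browser_sends_cookie(cookie, req) else {}
    return sp_check_in_response_to(sent, REQUEST_ID)


if __name__ == "__main__":
    print("scenario 1, top-level, cookie without SameSite, 5 s old:",
          acs_post(None, "document", 5))
    print("scenario 2, iframe, cookie without SameSite, 5 s old:",
          acs_post(None, "iframe", 5))
    print("scenario 2, iframe, SameSite=None; Secure:",
          acs_post("None", "iframe"))
    print("scenario 2, iframe, explicit SameSite=Lax:",
          acs_post("Lax", "iframe"))
```

The direct visit succeeds only because the top-level POST falls inside the grace period for an attribute-less cookie; the iframe is not a top-level navigation, so the same cookie is dropped and the ACS sees no pending request ID, which is the "Invalid Request Id" from the question. Setting the cookie to SameSite=None with Secure (what xpack.security.sameSiteCookies and opendistro_security.cookie.sameSite control) is what makes the embedded case work; because that cookie is then sent on every cross-site request, the ACS must keep validating InResponseTo, Destination, the audience and the signature as it already does here.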