05 November 2018 Engineering

SAML and Multi-Factor Authentication in Elasticsearch Service

By Roy Zanbel

This blog covers two security features meant to provide you with an important integration with external identity providers, and the ability to enable multi-factor authentication when accessing your Elastic Cloud account.

SAML support in hosted deployments

Managing users is probably one of the bigger pain points in the life of an IT admin. There are various reasons why admins would want to have a single tool to manage user pools and group associations, which can then easily map to permissions in individual applications. This makes procedures like onboarding and off-loading employees much easier, simplifies enforcing passwords policies (yes, even “pa$$w0rd” is no longer secure), and it removes the need to manage multiple sets of credentials, by delegating authentication to your favourite identity provider and offers your users a single sign-on experience.

Security Assertion Markup Language (SAML) is one of the commonly used protocols to securely exchange authentication and authorization with different services. This integration has been supported in the Elastic Stack for some time and was one of the highly requested feature by our Elasticsearch Service users. We are very happy to say that it is now supported and can be enabled in your hosted Elasticsearch Service deployments from version 6.4 and above!

How do I enable SAML in my Elasticsearch Service hosted deployment?

Under the hood, we leverage the Elastic Stack security SAML integration, so it will come as no surprise that most of the configuration is very much the same. You can follow a step-by-step guide that will walk you through the configuration required to enable SAML for your Kibana instance and to start configuring role mapping. And, if you want to know how it works, you can read more about Elastic Stack SAML integration.

Multi-factor authentication

Databases with user credentials that have been breached or users storing credentials in publicly accessible repositories is something we hear about on almost a weekly basis. It’s events like these that make it common to require more than one authentication layer when trying to manage access to a service, by providing short-lived tokens that are much harder to obtain.

As part of a constant effort to make interactions with Elasticsearch Service more secure, we now support multi-factor authentication when accessing your Elastic Cloud account.

You can now navigate to a dedicated security page and enable either Google Authenticator or SMS as a second authentication factor on top of your username and password.

This feature is available for all Elasticsearch Service on Elastic Cloud subscriptions. You can read more about the procedure to enable multi-factor authentication in our user guide.

Want to take Elastic Cloud for a spin? sign up for a 14-day free trial of our Elasticsearch Service to see how it can make your life better.