These steps show how you can secure your Elasticsearch clusters and Kibana instances in a deployment by using a Security Assertion Markup Language (SAML) identity provider (IdP) for cross-domain, single sign-on authentication.
The steps in this section require an understanding of SAML, specifically the SAML 2.0 Web Browser SSO Profile. To learn more about SAML, see:
- Our blog post on how to enable SAML authentication in Kibana and Elasticsearch.
- Our documentation on configuring Elasticsearch for SAML authentication, especially the details on roles and attribute mappings.
You must edit your cluster configuration, sometimes also referred to as the deployment plan, to point to the SAML IdP before you can complete the configuration in Kibana.
- Create or use an existing deployment that includes a Kibana instance version 6.4 or later.
- Copy the Kibana endpoint URL.
Update your Elasticsearch user settings for the `saml` realm and specify your IdP provider configuration:
```yaml
xpack:
  security:
    authc:
      realms:
        cloud-saml:
          type: saml
          order: 2
          attributes.principal: "nameid:persistent"
          attributes.groups: "groups"
          idp.metadata.path: "<check with your idp provider>"
          idp.entity_id: "<check with your idp provider>"
          sp.entity_id: "KIBANA_ENDPOINT_URL/"
          sp.acs: "KIBANA_ENDPOINT_URL/api/security/v1/saml"
          sp.logout: "KIBANA_ENDPOINT_URL/logout"
```
- `cloud-saml`: You must use the SAML realm name `cloud-saml`.
- `attributes.principal`: Defines the SAML attribute that is mapped to the principal (username) of the authenticated user in Kibana. In this example, `nameid:persistent` uses the NameID in the `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` format from the Subject of the SAML Assertion.
- `attributes.groups`: Defines the SAML attribute used for role mapping when configured in Kibana. Common choices are attributes such as `groups`; the values available for `attributes.groups` depend on the IdP provider, so be sure to review its documentation.
- `idp.metadata.path`: The file path or the HTTPS URL where your IdP metadata is available, such as
- `idp.entity_id`: The SAML EntityID of your IdP. This can be read from the configuration page of the IdP, or from its SAML metadata, such as
- `KIBANA_ENDPOINT_URL`: Replace `KIBANA_ENDPOINT_URL` with the one noted in the previous step, such as `sp.entity_id: https://eddac6b924f5450c91e6ecc6d247b514.us-east-1.aws.found.io:9243/`, including the slash at the end.
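The service-provider settings above must agree with each other and with the Kibana endpoint, and the two IdP placeholders are easy to leave in place. The following Python script is an added example (not code from the Elastic documentation) that checks a realm definition, given as a flat dict of the setting names used above, for exactly those mistakes; the sample realm and its findings are constructed here.

```python
# Added example, not from the Elastic documentation: sanity-check a SAML realm
# definition like the cloud-saml one above before applying it as user settings.
# The realm is given as a flat dict keyed by the setting names used on the page.
PLACEHOLDER = "<check with your idp provider>"
REQUIRED = ("type", "order", "attributes.principal", "idp.metadata.path",
            "idp.entity_id", "sp.entity_id", "sp.acs", "sp.logout")


def expected_sp_settings(kibana_url: str) -> dict:
    """Service-provider values derived from KIBANA_ENDPOINT_URL (slash on entity_id)."""
    base = kibana_url.rstrip("/")
    return {"sp.entity_id": base + "/",
            "sp.acs": base + "/api/security/v1/saml",
            "sp.logout": base + "/logout"}


def check_saml_realm(realm: dict, kibana_url: str) -> list:
    """Return a list of findings; an empty list means the realm looks consistent."""
    findings = [f"missing setting {k}" for k in REQUIRED if k not in realm]
    if realm.get("type") != "saml":
        findings.append("type must be saml")
    if not isinstance(realm.get("order"), int):
        findings.append("order must be an integer")
    for key in ("idp.metadata.path", "idp.entity_id"):
        if realm.get(key) == PLACEHOLDER:
            findings.append(f"{key} still holds the placeholder value")
    if str(realm.get("idp.metadata.path", "")).startswith("http://"):
        findings.append("idp.metadata.path uses plain http; use https or a file path")
    for key, want in expected_sp_settings(kibana_url).items():
        if realm.get(key) != want:
            findings.append(f"{key} is {realm.get(key)!r}, expected {want!r}")
    return findings


# Constructed sample: the page's realm with both IdP placeholders still in place
# and sp.entity_id missing its trailing slash; the Kibana URL is the one on the page.
KIBANA_URL = "https://eddac6b924f5450c91e6ecc6d247b514.us-east-1.aws.found.io:9243"
SAMPLE_REALM = {
    "type": "saml", "order": 2, "attributes.principal": "nameid:persistent",
    "attributes.groups": "groups", "idp.metadata.path": PLACEHOLDER,
    "idp.entity_id": PLACEHOLDER, "sp.entity_id": KIBANA_URL,
    "sp.acs": KIBANA_URL + "/api/security/v1/saml", "sp.logout": KIBANA_URL + "/logout",
}

if __name__ == "__main__":
    for finding in check_saml_realm(SAMPLE_REALM, KIBANA_URL):
        print("-", finding)
```

Running it against the constructed sample reports the two placeholders and the missing trailing slash; once those are corrected the check returns no findings.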
The following request is an example of how to map an `elasticadmin` group to the `superuser` role:
Update the Kibana user settings to use SAML as the authentication provider:
After completing these steps, you can log into Kibana by authenticating against your SAML IdP.