OpenID Connect authentication in Kibana requires a small number of additional settings in addition to the standard Kibana security configuration. The Kibana security documentation provides details on the available configuration options that you can apply.
In particular, since your Elasticsearch nodes have been configured to use TLS on the HTTP
interface, you must configure Kibana to use a
https URL to connect to Elasticsearch, and
you may need to configure
elasticsearch.ssl.certificateAuthorities to trust
the certificates that Elasticsearch has been configured to use.
OpenID Connect authentication in Kibana is also subject to the
xpack.security.sessionTimeout setting that is described in the Kibana security
documentation, and you may wish to adjust this timeout to meet your local needs.
The three additional settings that are required for OpenID Connect support are shown below:
xpack.security.authProviders: [oidc] xpack.security.authc.oidc.realm: "oidc1" server.xsrf.whitelist: [/api/security/v1/oidc]
The configuration values used in the example above are:
- Set this to
[ oidc ]to instruct Kibana to use OpenID Connect single sign-on as the authentication method. This instructs Kibana to attempt to initiate an SSO flow everytime a user attempts to access a URL in Kibana, if the user is not already authenticated. If you also want to allow users to login with a username and password, you must enable the
basicauthProvider too. For example:
xpack.security.authProviders: [oidc, basic]
This will allow users that haven’t already authenticated with OpenID Connect to
navigate directly to the
/login page in Kibana in order to use the login form.
- The name of the OpenID Connect realm in Elasticsearch that should handle authentication for this Kibana instance.
- Kibana has in-built protection against Cross Site Request Forgery attacks, which is designed to prevent the Kibana server from processing requests that originated from outside the Kibana application. In order to support OpenID Connect messages that originate from your OP or a third party (see Third party initiated single sign-on, we need to explicitly whitelist the OpenID Connect authentication endpoint within Kibana, so that the Kibana server will not reject these external messages.