OpenID Connect authentication in Kibana requires a small number of additional settings in addition to the standard Kibana security configuration. The Kibana security documentation provides details on the available configuration options that you can apply.
In particular, since your Elasticsearch nodes have been configured to use TLS on the HTTP
interface, you must configure Kibana to use a
https URL to connect to Elasticsearch, and
you may need to configure
elasticsearch.ssl.certificateAuthorities to trust
the certificates that Elasticsearch has been configured to use.
OpenID Connect authentication in Kibana is subject to the following timeout settings in
You may want to adjust these timeouts based on your security requirements.
The three additional settings that are required for OpenID Connect support are shown below:
xpack.security.authc.providers: oidc.oidc1: order: 0 realm: "oidc1"
The configuration values used in the example above are:
oidcprovider to instruct Kibana to use OpenID Connect single sign-on as the authentication method. This instructs Kibana to attempt to initiate an SSO flow everytime a user attempts to access a URL in Kibana, if the user is not already authenticated. If you also want to allow users to login with a username and password, you must enable the
basicauthentication provider too. For example:
xpack.security.authc.providers: oidc.oidc1: order: 0 realm: "oidc1" basic.basic1: order: 1
This will allow users that haven’t already authenticated with OpenID Connect to log in using the Kibana login form.
- The name of the OpenID Connect realm in Elasticsearch that should handle authentication for this Kibana instance.