The OpenID Connect Provider

The OpenID Connect Provider (OP) is the entity in OpenID Connect that is responsible for authenticating the user and for granting the necessary tokens with the authentication and user information to be consumed by the Relying Parties.

In order for the Elastic Stack to be able use your OpenID Connect Provider for authentication, a trust relationship needs to be established between the OP and the RP. In the OpenID Connect Provider, this means registering the RP as a client. OpenID Connect defines a dynamic client registration protocol but this is usually geared towards real-time client registration and not the trust establishment process for cross security domain single sign on. All OPs will also allow for the manual registration of an RP as a client, via a user interface or (less often) via the consumption of a metadata document.

The process for registering the Elastic Stack RP will be different from OP to OP and following the provider’s relevant documentation is prudent. The information for the RP that you commonly need to provide for registration are the following:

  • Relying Party Name: An arbitrary identifier for the relying party. Neither the specification nor the Elastic Stack implementation impose any constraints on this value.
  • Redirect URI: This is the URI where the OP will redirect the user’s browser after authentication. The appropriate value for this will depend on your setup and whether or not Kibana sits behind a proxy or load balancer. It will typically be ${kibana-url}/api/security/v1/oidc where ${kibana-url} is the base URL for your Kibana instance. You might also see this called Callback URI.

At the end of the registration process, the OP will assign a Client Identifier and a Client Secret for the RP (Elastic Stack) to use. Note these two values as they will be used in the Elasticsearch configuration.