Configuring single sign-on to the Elastic Stack using OpenID Connectedit

The Elastic Stack supports single sign-on (SSO) using OpenID Connect via Kibana using Elasticsearch as the backend service that holds most of the functionality. Kibana and Elasticsearch together represent an OpenID Connect Relying Party (RP) that supports the authorization code flow and implicit flow as these are defined in the OpenID Connect specification.

This guide assumes that you have an OpenID Connect Provider where the Elastic Stack Relying Party will be registered.

The OpenID Connect realm support in Kibana is designed with the expectation that it will be the primary authentication method for the users of that Kibana instance. The Configuring Kibana section describes what this entails and how you can set it up to support other realms if necessary.