Configuring Kibana

OpenID Connect authentication in Kibana requires a small number of additional settings in addition to the standard Kibana security configuration. The Kibana security documentation provides details on the available configuration options that you can apply.

In particular, since your Elasticsearch nodes have been configured to use TLS on the HTTP interface, you must configure Kibana to use a https URL to connect to Elasticsearch, and you may need to configure elasticsearch.ssl.certificateAuthorities to trust the certificates that Elasticsearch has been configured to use.

OpenID Connect authentication in Kibana is also subject to the xpack.security.sessionTimeout setting that is described in the Kibana security documentation, and you may wish to adjust this timeout to meet your local needs.

The three additional settings that are required for OpenID Connect support are shown below:

xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: "oidc1"

The configuration values used in the example above are:

xpack.security.authc.providers
Add oidc provider to instruct Kibana to use OpenID Connect single sign-on as the authentication method. This instructs Kibana to attempt to initiate an SSO flow everytime a user attempts to access a URL in Kibana, if the user is not already authenticated. If you also want to allow users to login with a username and password, you must enable the basic authentication provider too. For example:
xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: "oidc1"
  basic.basic1:
    order: 1

This will allow users that haven’t already authenticated with OpenID Connect to log in using the Kibana login form.

xpack.security.authc.providers.oidc.<provider-name>.realm
The name of the OpenID Connect realm in Elasticsearch that should handle authentication for this Kibana instance.