Security settings in Kibana

You do not need to configure any additional settings to use the security features in Kibana. They are enabled by default.

General security settings

xpack.security.enabled

By default, Kibana automatically detects whether to enable the security features based on the license and whether Elasticsearch security features are enabled.

Do not set this to false; it disables the login form, user and role management screens, and authorization using Kibana privileges. To disable security features entirely, see Elasticsearch security settings.

xpack.security.audit.enabled

Set to true to enable audit logging for security events. By default, it is set to false. For more details see Audit logs.

Authentication security settings

You configure authentication settings in the xpack.security.authc namespace in kibana.yml.

For example:

xpack.security.authc:
    providers:
      basic.basic1: 
          order: 0 
          ...

      saml.saml1: 
          order: 1
          ...

      saml.saml2: 
          order: 2
          ...

      pki.realm3:
          order: 3
          ...
    ...

Specifies the type of authentication provider (for example, basic, token, saml, oidc, kerberos, pki) and the provider name. This setting is mandatory.

Specifies the order of the provider in the authentication chain and on the Login Selector UI. This setting is mandatory.

Specifies the settings for the SAML authentication provider with a saml1 name.

Specifies the settings for the SAML authentication provider with a saml2 name.

The valid settings in the xpack.security.authc.providers namespace vary depending on the authentication provider type. For more information, refer to Authentication.

Valid settings for all authentication providers

xpack.security.authc.providers. <provider-type>.<provider-name>.enabled

Determines if the authentication provider should be enabled. By default, Kibana enables the provider as soon as you configure any of its properties.

xpack.security.authc.providers. <provider-type>.<provider-name>.order

Order of the provider in the authentication chain and on the Login Selector UI.

xpack.security.authc.providers. <provider-type>.<provider-name>.description

Custom description of the provider entry displayed on the Login Selector UI.

xpack.security.authc.providers. <provider-type>.<provider-name>.hint

Custom hint for the provider entry displayed on the Login Selector UI.

xpack.security.authc.providers. <provider-type>.<provider-name>.icon

Custom icon for the provider entry displayed on the Login Selector UI.

xpack.security.authc.providers. <provider-type>.<provider-name>.showInSelector

Flag that indicates if the provider should have an entry on the Login Selector UI. Setting this to false doesn’t remove the provider from the authentication chain.

You are unable to set this setting to false for basic and token authentication providers.

xpack.security.authc.providers. <provider-type>.<provider-name>.accessAgreement.message

Access agreement text in Markdown format. For more information, refer to Access agreement.

SAML authentication provider settings

In addition to the settings that are valid for all providers, you can specify the following settings:

xpack.security.authc.providers. saml.<provider-name>.realm

SAML realm in Elasticsearch that provider should use.

xpack.security.authc.providers. saml.<provider-name>.maxRedirectURLSize

The maximum size of the URL that Kibana is allowed to store during the authentication SAML handshake. For more information, refer to SAML and long URLs.

OpenID Connect authentication provider settings

In addition to the settings that are valid for all providers, you can specify the following settings:

xpack.security.authc.providers. oidc.<provider-name>.realm

OpenID Connect realm in Elasticsearch that the provider should use.

HTTP authentication settings

There is a very limited set of cases when you’d want to change these settings. For more information, refer to HTTP authentication.

xpack.security.authc.http.enabled

Determines if HTTP authentication should be enabled. By default, this setting is set to true.

xpack.security.authc.http.autoSchemesEnabled

Determines if HTTP authentication schemes used by the enabled authentication providers should be automatically supported during HTTP authentication. By default, this setting is set to true.

xpack.security.authc.http.schemes

List of HTTP authentication schemes that Kibana HTTP authentication should support. By default, this setting is set to ['apikey'] to support HTTP authentication with ApiKey scheme.

Login Selector UI settings

xpack.security.authc.selector.enabled

Determines if the Login Selector UI should be enabled. By default, this setting is set to true if more than one authentication provider is configured.

User interface security settings

You can configure the following settings in the kibana.yml file.

xpack.security.cookieName

Sets the name of the cookie used for the session. The default value is "sid".

xpack.security.encryptionKey

An arbitrary string of 32 characters or more that is used to encrypt credentials in a cookie. It is crucial that this key is not exposed to users of Kibana. By default, a value is automatically generated in memory. If you use that default behavior, all sessions are invalidated when Kibana restarts. In addition, high-availability deployments of Kibana will behave unexpectedly if this setting isn’t the same for all instances of Kibana.

xpack.security.secureCookies

Sets the secure flag of the session cookie. The default value is false. It is automatically set to true if server.ssl.enabled is set to true. Set this to true if SSL is configured outside of Kibana (for example, you are routing requests through a load balancer or proxy).

xpack.security.sameSiteCookies

Sets the SameSite attribute of the session cookie. This allows you to declare whether your cookie should be restricted to a first-party or same-site context. Valid values are Strict, Lax, None. This is not set by default, which modern browsers will treat as Lax. If you use Kibana embedded in an iframe in modern browsers, you might need to set it to None. Setting this value to None requires cookies to be sent over a secure connection by setting xpack.security.secureCookies: true. Some old versions of IE11 do not support SameSite: None.

xpack.security.session.idleTimeout

Sets the session duration. By default, sessions stay active until the browser is closed. When this is set to an explicit idle timeout, closing the browser still requires the user to log back in to Kibana.

The format is a string of <count>[ms|s|m|h|d|w|M|Y] (e.g. 70ms, 5s, 3d, 1Y).

xpack.security.session.lifespan

Sets the maximum duration, also known as "absolute timeout". By default, a session can be renewed indefinitely. When this value is set, a session will end once its lifespan is exceeded, even if the user is not idle. NOTE: if idleTimeout is not set, this setting will still cause sessions to expire.

The format is a string of <count>[ms|s|m|h|d|w|M|Y] (e.g. 70ms, 5s, 3d, 1Y).

xpack.security.loginAssistanceMessage

Adds a message to the login screen. Useful for displaying information about maintenance windows, links to corporate sign up pages etc.

xpack.security.loginHelp

Adds a message accessible at the Login Selector UI with additional help information for the login process.