Authentication in Kibana

Hello,

I have this use case: I want to have a web page (with authentication) with my Kibana visualization embedded with different permissions. I want to have various users and match the user permissions of the web page with the user permissions in Kibana. I was trying to POST the credentials in the web page when accessing the Kibana visualizations, but no success yet (the browser is always blocking me). What is the best way to do this? Any suggestion?

Thank you,
Francisca

@Brandon_Kobel can we please get some help here?

Thanks,
Bhavya


Hey @Francisca_Lima, Kibana's CORS policy will prevent you from posting the user's credentials to the login endpoint.

The best option is to do SSO using SAML. The ES docs for getting started using SAML are really good: https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-saml-realm.html

The other option, which has its limitations, is to use a reverse-proxy like NGINX to hard-code the credentials that are passed to Elasticsearch. This isn't great because anyone who can access the reverse proxy can automatically get access to Kibana, so it's really only good for providing the equivalent of "anonymous access".

There is one other option at the moment, and that's to use something like an OAuth2 proxy to do impersonation: https://www.elastic.co/blog/user-impersonation-with-x-pack-integrating-third-party-auth-with-kibana

We're working on additional auth providers for ES/Kibana, so if none of this satisfies your needs, please let me know and I can direct you towards our feature requests, which help us prioritize the addition of these providers.

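The reverse-proxy option from the reply above, as an added NGINX example that is not part of the original post or Elastic's own configuration. The hostname, certificate paths, address range, Kibana address and the dedicated view-only account are all assumptions, and the credential value is a placeholder.

```nginx
# Added example: credentials hard-coded at the proxy ("anonymous access" pattern).
# Assumed: Kibana listens on 127.0.0.1:5601 and a dedicated Kibana user exists
# whose role only permits viewing the dashboards meant to be shared.
server {
    listen 443 ssl;
    server_name dashboards.example.internal;            # assumed hostname

    ssl_certificate     /etc/nginx/tls/dashboards.crt;  # assumed paths
    ssl_certificate_key /etc/nginx/tls/dashboards.key;

    # Anyone who can reach this server block is logged in as the account
    # below, so network reachability is the only remaining access control.
    allow 10.0.0.0/8;                                   # assumed internal range
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:5601;
        proxy_set_header Host $host;

        # Replaces any Authorization header the client sent with the fixed
        # account. Placeholder: base64 of "<viewer-user>:<password>".
        proxy_set_header Authorization "Basic <BASE64_OF_VIEWER_USER_AND_PASSWORD>";
    }
}
```

Every request reaches Kibana as the same user, so this setup cannot map different web-page users to different Kibana permissions.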

I would like to use an iframe to directly access my dashboard without having to authenticate before. Using nginx, I would have to authenticate either way in a box, which I would like to pass if the user is already authenticated in my web page. I tried to send my credentials to this box of nginx, but I can do it. Any suggestion here?
Is there any way to put those credentials in my iframe link without being blocked by browser CORS policy?
The solution is SSO using SAML?

Hey @Francisca_Lima, are you wanting to always authenticate as the same user when accessing Kibana via the iframe, or do you want the user to be authenticated dynamically based on them logging into the application which contains the iframe?

I want the user to be authenticated dynamically based on them logging into the application which contains the iframe.

In that case, using SSO is the currently supported approach, which only the SAML provider provides at the moment.

Putting the credentials directly in the iframe URL is incredibly insecure, which is why this isn't supported at the moment.
