Auto-authenticate Kibana 5.3 dashboard embedded in iframe

Auto-authenticate Kibana 5.3 dashboard embedded in iframe... For security we installed X pack..
Anyone help should be appreciated.

Hi @PrabakarKaruppasamy,

this is a commonly asked question, that has been discussed before in this forum. Please see these threads, among others:

Hi @weltenwort

Thanks for your response.
My requirement is need to do in programmatic way.

  1. Can I pass username and password as part of the embedded URL.
  2. Is there a way to make the ajax request to Kibana server and get the response and access the Iframe without showing the login screen of Kibana.

Making a preparatory ajax request to /api/security/v1/login to set the cookie as suggested in Authenticating to iframe-embedded Kibana dashboard might work. If the cookie is set correctly, the login screen should not be shown.

@weltenwort ... Thanks a lot... It is helpful too much

@weltenwort can we set up cross orgin header in Kibana?

My kibana server is runing in another IP. My nginx server in another domain. Can't able to login due to cross orgin issue.

You should be able to configure the CORS settings via the server.cors setting in kibana.yml, which will be forwarded to hapijs. For the valid values of that setting, please see the CORS-related settings in the hapi route options documentation. It would roughly look like this, but please check the linked documentation for specifics that might apply to your deployment environment:

  origin: ['YOUR', 'ORIGINS', 'HERE']
  credentials: true

I have configured like below..

origin: ['*']
credentials: true

But I can't able to start the kibana getting error like Kibana cros expection boolean parameter.

My apologies, I just noticed that according to the source it is supposed to be server.cors: true when not in development mode.

Is there any other way work around??

Is it possible to set this flag in kibana.yml, for an instance running on elastic cloud?

The kibana.yml settings on Elastic Cloud are not editable by the user yet. This is being worked on though. In the meantime you could ask Cloud support to change settings for you.

1 Like


Hi It is not working in Prod environment. Is there any other way or other work around.

Could you elaborate what "it" and "not working" means exactly in your case, please?

Sorry for late reply. I have configured in Kibana yml file like this server.cors: true but it is not reflected. It is running in AWS cloud.

With the server.cors: true setting, I am able to get the following CORS headers in the response:

$ http OPTIONS http://localhost:5601/login kbn-version:5.4.0 Origin: Access-Control-Request-Method:get
HTTP/1.1 200 OK
Connection: keep-alive
Date: Mon, 19 Jun 2017 08:12:25 GMT
access-control-allow-headers: Accept,Authorization,Content-Type,If-None-Match
access-control-allow-methods: get
access-control-expose-headers: WWW-Authenticate,Server-Authorization
access-control-max-age: 86400
cache-control: no-cache
content-length: 0
kbn-name: kibana
kbn-version: 5.4.0
kbn-xpack-sig: dd98667ca0fad49b443090b0770f1b9f
vary: accept-encoding

Can you compare that to the response you are getting from your Kibana server?

Sure. Thanks for the great information. Let me check


With server.cors: true am facing config error. Error Message - (FATAL { ValidationError: child "server" fails because [child "cors" fails because ["cors" must be an object]]). Kibana doesn't start. It is failed at the starting the kibana service

According to the source it expects a boolean in production mode and an object in development mode.

Here Source we can able to see the dev mode is false but 'server.cors: true' configuration not working.