Azure AD authentication to Kibana

Hello all -

I've scoured the archives of blog posts and similar questions regarding configuration of Azure AD for authentication to Kibana. I have updated my elasticsearch.yml file with the settings as best as I can figure out, and have also tried the route of creating an enterprise application from within Azure portal. Still, I am unable to get the authentication working. If there's anyone in that same boat of using Azure AD to login to your Kibana, please let me know how you got it to work! Thanks!

Kibana version 7.6.0.

How about you share with us:

  • What you have done so far
  • What are your current settings (feel free to consistently mask sensitive data if you need to)
  • How exactly this doesn't work. Where does it fail and how? What is the error message or logs.

and we take it from there? :slight_smile:

Hi!

Sure, let's see if I can recap and explain better, I have been all over the board here as I am new to this.

I have an Azure AD, as mentioned. I really only need to use those Azure AD credentials to log into Kibana. That's the primary objective.

I since have found a blog about setting up an "Enterprise Application" in Azure AD, and configuring SSO within that Enterprise Application, so had been trying to go down that route too, but I am not sure if that is necessary or not. In doing that, is where I got the connection strings that I put in elasticsearch.yml file as shown below.

```yaml
security:
  authc:
    realms:
      saml:
        azuresaml:
          order: 0
          attributes.principal: "nameid:persistent"
          idp.metadata.path: "https://login.microsoftonline.com/.../federationmetadata/2007-06/federationmetadata.xml?appid=..."
          idp.entity_id: "https://sts.windows.net/.../"
          sp.entity_id: "https://login.microsoftonline.com/.../saml2"
          sp.acs: "https://login.microsoftonline.com/.../saml2"
          sp.logout: "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0"
```

Ok, so what else is needed? I wasn't sure if I need to put something in the kibana.yml file as well?? Also I am still confused on how I map the roles. Where and how do I do that for say, all users in an AzureAD group called "kibana admins" are admins in Kibana?

I just am not sure I have found any current or up to date documentation that steps me through configuration for current versions of kibana on current azure ad. Thanks so much for your help!
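
An added example, not part of the original posts and not Elastic's code: in an Elasticsearch SAML realm the `sp.*` settings describe the service provider (Kibana) and the `idp.*` settings describe Azure AD, so a quick pre-deployment check is to flag any `sp.*` URL that sits on an IdP host. Assumptions: the Kibana URL `https://kibana.example.com:5601` is hypothetical, `TENANT-ID` and `APP-ID` are placeholders, and `/api/security/v1/saml` and `/logout` are the Kibana 7.x endpoints given in Elastic's SAML documentation.

```python
from urllib.parse import urlsplit

IDP_KEYS = ("idp.entity_id", "idp.metadata.path")
SP_URL_KEYS = ("sp.acs", "sp.logout")   # endpoints Kibana itself must serve

def _host(url):
    return (urlsplit(url).hostname or "").lower()

def lint_saml_realm(realm, kibana_url):
    """Return findings for sp.* settings that do not describe Kibana."""
    findings = []
    idp_hosts = {_host(realm[k]) for k in IDP_KEYS if realm.get(k)} - {""}
    kibana = urlsplit(kibana_url)
    for key in ("sp.entity_id",) + SP_URL_KEYS:
        value = realm.get(key)
        if not value:
            findings.append(f"{key}: missing")
            continue
        url = urlsplit(value)
        if _host(value) in idp_hosts:
            # The IdP would be told to post assertions back to itself.
            findings.append(f"{key}: points at IdP host {_host(value)}")
        elif key in SP_URL_KEYS and url.scheme != "https":
            findings.append(f"{key}: not https")
        elif key in SP_URL_KEYS and url.netloc.lower() != kibana.netloc.lower():
            findings.append(f"{key}: not served by {kibana_url}")
    return findings

KIBANA = "https://kibana.example.com:5601"  # hypothetical Kibana base URL

# Constructed sample shaped like the realm posted above (placeholder ids).
POSTED = {
    "idp.metadata.path": "https://login.microsoftonline.com/TENANT-ID/"
                         "federationmetadata/2007-06/federationmetadata.xml?appid=APP-ID",
    "idp.entity_id": "https://sts.windows.net/TENANT-ID/",
    "sp.entity_id": "https://login.microsoftonline.com/TENANT-ID/saml2",
    "sp.acs": "https://login.microsoftonline.com/TENANT-ID/saml2",
    "sp.logout": "https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0",
}
# Same realm with the sp.* values pointed at Kibana (assumed 7.x paths).
FIXED = {**POSTED, "sp.entity_id": KIBANA,
         "sp.acs": KIBANA + "/api/security/v1/saml",
         "sp.logout": KIBANA + "/logout"}

if __name__ == "__main__":
    for name, realm in (("posted", POSTED), ("fixed", FIXED)):
        print(name, lint_saml_realm(realm, KIBANA) or "ok")
```

The same values also have to be registered on the Azure AD side: `sp.entity_id` as the application's Identifier (Entity ID) and `sp.acs` as its Reply URL.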

@forloop wrote an excellent answer here a few days ago which will hopefully set you up easily: SSO / Azure AD setup

If you have specific questions after going through that or you want us to clarify anything further, we'll be happy to do so here.

This is super helpful and looks to be exactly what I am needing and looking for. I was really close on the right path, just realized one of my sources of pain is that I was editing the elasticsearch.yaml file, saving it and it was never actually applying the changes. I am using lens to view the file, I paste my yaml in, hit save, it says it saves successfully but I go back in and it is gone. I am wondering if it's because the elasticsearch was installed with CRD and somehow that has a definition that keeps overwriting my change?

Apologies, but I don't follow you here. What is lens? And what is CRD?

So, Lens is just an app that gives me a UI to manage my kubernetes cluster where I have elasticsearch and kibana running. I can view the cluster, edit yml files, etc.

CRD is custom resource definition, which means elasticsearch and kibana were installed via a custom resource definition file from the k8s cluster build. It seems like because of that, there is some forced configuration or sync happening where the CRD is mandating the elasticsearch.yml file be in sync with what it provisioned, and my changes are just immediately overwritten or reverted. I am guessing... I don't know. I just can't make any changes to that elasticsearch.yml file, they revert back right away.

Understood, I can't help with any of this unfortunately.