Elastic Cloud/Kibana Embed Authentication

I would like the users of my web app to access Kibana Cloud dashboard by embedding them into the app. Users access my app via Auth0. I am using Elastic Cloud with Kibana.
I need help understanding how to implement these two options:

  1. Maybe use my Auth0 account to also sign the users into elastic kibana via SSO?
  2. Or a Service account that logs into kibana on behalf of the logged in user.

I need to find the right docs that do either of these via Elastic Cloud specifically, as I do not manage the backend configuration myself. For example, how do I setup a service account login and enable anonymous authentication specifically in Elastic Cloud, not self- managed.

Ideally, I could leverage Auth0 since I'm aleady using it.
Any recommendations to make it as secure as possible either way?

Hi @Donnie_Kerr Welcome to the community!

I think I answered most of this here If I understand what you're trying to do.

You will create a role that represents the access that you want and assign that to the user that you use for the anonymous user

You can also take out the other normal basic and elastic cloud SSO logins

xpack.security.authc.providers:
  basic.basic1:   <!--- TAKE out this if you don't want normal login
    order: 0    <!--- TAKE out this if you don't want normal login
  anonymous.anonymous1:
    order: 1
    credentials:
      username: "dashboard-user"
      password: "dashboard1234!"

Kibana Available Settings in Elastic Cloud here

to disable the Cloud Kibana SSO
In your kibana.yml setting on the edit deployment page
This is kinda a hidden / inferred setting
xpack.security.authc.providers.saml.cloud-saml-kibana.showInSelector: false

If you don’t want a specific provider to show up at the Login Selector UI (e.g. to only support third-party initiated login) you can hide it with showInSelector setting set to false. However, in this case, the provider is presented in the provider chain and may be consulted during authentication based on its order. To disable the provider, use the enabled setting.

1 Like

Thank you @stephenb . Very helpful. I decided to try the saml option in my Auth0 so it can be more secure than anonymous. I think I got it working because SSO works when logging into kibana or through my app with same Auth0 user.
My question to you is how do I ensure the embed is actually using the saml? I tried setting the iframe auth_provider_hint=saml.cloud-saml . Is that correct way to do it?

xpack.security.authc.providers:
  saml.cloud-saml:
    order: 0
    realm: cloud-saml
    description: "Log in with SSO"
    icon: logoElasticsearch
    hint: "Typically for most users"
 <iframe src="XXXXX.azure.elastic-cloud.com:9243/app/dashboards?auth_provider_hint=saml.cloud-saml#/view/cc86d970-0c2b-11ed-89af-5b1edde95357?embed=true&_g=(filters%3A!()%2CrefreshInterval%3A(pause%3A!t%2Cvalue%3A0)%2Ctime%3A(from%3Anow-15d%2Cto%3Anow))" height="600" width="800"></iframe>

Great on the SAML / SSO!

I do not know the iframe answer (not a front end developer) perhaps someone else will.

If you only have 1 provider that will be the only it can use.. but I am guessing you want more than 1 auth provider.

But yes that looks correct you just need to make sure you use the correct selector

BTW you put your full URL.

Thanks. I edited the url.
In the embed frame it prompts me to login with SSO or login with Elastic Cloud (as admin) . Somehow it still gives that option even when only saml.cloud-saml is there.
Appreciate the help ... learned some things today so I appreciate you pointing me in the general direction!

Try this it is always there this should turn it off as an option on Kibana login page that was buried in my stuff above

xpack.security.authc.providers.saml.cloud-saml-kibana.showInSelector: false

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.