Elastic Cloud Kibana with Single Sign On from Azure Active Directory

Is it possible to use Azure Active Directory with the Elastic Cloud Kibana?

I see this other article, but it looks like this is probably on-premises?

and
https://www.elastic.co/guide/en/x-pack/current/active-directory-realm.html

If there is a good article to set this up that would be nice to see.

Thanks!

Jeff

Hi @jpigott,

Are you using our SaaS offering for Elastic Cloud? If so, I found this documentation that may help:

https://www.elastic.co/guide/en/cloud/current/ec-securing-clusters-SAML.html

Which references this blog post also:

Let us know if this helps,

Thanks,
Liza

Yes I am using your SaaS offering. It would be great if there was a walkthrough on how to do this step by step with Azure Active Directory. Thanks.

Thanks Jeff,

Yes, I understand. Let me check with one of our cloud experts, @Alex_Piggott, to see if he knows of any other documentation or can help with steps.

Regards,
Liza


Here's a list of the limitations around security features that you might want to check - https://www.elastic.co/guide/en/cloud/current/ec-restrictions.html#ec-restrictions-security.

As the AD integration uses LDAP, AD is not supported at this stage, sorry to say.

But, there is an AD product (Active Directory Federation Services) that provides SAML authentication on top of AD-DS, and "Azure AD" is Microsoft's cloud identity product which also supports SAML. So technically the AD suite of products can do SAML, but customers would reasonably expect that "Active Directory" means AD-DS unless we're really explicit about meaning something else.

The Elasticsearch feature called an "active directory" realm doesn't work in ESS. But customers who have the AD suite of products can authenticate to Kibana using SAML with ADFS.


Ok thanks, I am really just looking for setting up single sign on to Kibana. Are there limitations to having our clusters stood up in Azure vs. AWS for this setup? Have you successfully implemented this solution with customers that use Azure Active Directory? This article references Azure Active Directory Premium as well, which I'd like to confirm is needed, and I wasn't sure if this was allowed to connect to the cloud instance.

Thanks!

Hi Jeff,

Are there limitations to having our clusters stood up in Azure vs. AWS for this setup?

No.

I have seen numerous cloud users setting up SAML SSO with Azure AD.

The article refers to premium needed in Azure and explicitly mentions:

Enabling SSO features for a non-gallery application in Azure Active Directory requires a premium tier of AAD. If you're running on the free or basic tier, it's possible to try the P2 premium tier features for free for a trial period, after which you need to decide whether to continue with it and be billed for usage, or to revert back to the free tier. For the purposes of this post, a trial of Azure Premium P2 will suffice.

I am unaware if this is still the case but your Azure support contact or their documentation would probably be a more authoritative source for this as this is an Azure AD and not an Elastic limitation.

A small comment here is that with SAML SSO, your Azure AD instance (being the SAML Identity Provider) and the Elastic Cloud instance (being the SAML Service Provider) do not need to connect to each other at all. The whole SSO flow happens through the user's browser.

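To illustrate the last reply's point that the SSO flow travels through the browser, here is an added example (not part of the thread and not Elastic or Azure code) of the SAML HTTP-Redirect binding: the Service Provider packs an AuthnRequest into a URL, and the Identity Provider recovers it from that URL alone. All hostnames, paths and IDs are constructed placeholders, and the request is left unsigned to keep the example short.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder endpoints (assumptions, not values from the thread).
IDP_SSO_URL = "https://idp.example.test/saml2"
SP_ENTITY_ID = "https://kibana.example.test"
SP_ACS_URL = "https://kibana.example.test/saml/acs"

PROTO_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
ASSERT_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def sp_build_redirect(request_id, issue_instant, relay_state):
    """SP side: wrap an AuthnRequest in the URL the browser is redirected to."""
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{PROTO_NS}" xmlns:saml="{ASSERT_NS}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
    )
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, URL-encode.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"

def idp_read_redirect(url):
    """IdP side: recover the request purely from the URL the browser presents."""
    params = parse_qs(urlparse(url).query)
    xml = zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15)
    root = ET.fromstring(xml)
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{ASSERT_NS}}}Issuer"),
        "acs": root.get("AssertionConsumerServiceURL"),
        "relay_state": params["RelayState"][0],
    }

def acs_matches_registration(request, registered):
    """IdP-side check: reply only to the ACS URL registered for this issuer,
    since the request arrives via the browser and not from the SP directly."""
    return registered.get(request["issuer"]) == request["acs"]

if __name__ == "__main__":
    url = sp_build_redirect("_a1b2c3", "2019-01-01T00:00:00Z", "/app/kibana")
    req = idp_read_redirect(url)
    print(url[:80] + "...")
    print(req, acs_matches_registration(req, {SP_ENTITY_ID: SP_ACS_URL}))
```

Because neither side opens a connection to the other, trust rests on the values each side has registered for its peer (entity ID, ACS URL, signing certificate) rather than on network reachability.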
