Elasticsearch Cloud SSO with ActiveDirectory

We just subscribed to ElasticCloud. In the process of implementing SSO with Active Directory.
Does SSO setup have to be done on a per deployment basis? The Kibana URLs I have used according to the following article:

are all specific to one deployment.
I intend to create Elasticsearch deployments on the fly. How will this SSO work in that scenario?

Thanks,
Tauqir

Hi @tchaudhry

The SSO setup is per deployment.

Deployments can be created via the Elastic Cloud API or the new (still in beta) Terraform provider. Provider Here and Github Here

The elasticsearch.yml settings can be provided to each, so the Auth / Auth can be set up as you deploy.

Hi Stephen, thanks,
I am using the terraform provider.

Is there a reference for the elasticsearch.yml settings corresponding to AD SAML SSO?

Thanks,
Tauqir

I would set it up manually first before I would try to automate. Here are the docs for SAML setup.

Also @tchaudhry, this is Elastic Cloud, so you can also open a support ticket if you run into issues.

I did open a support ticket, but got more feedback from you so far.
Following this since we are 6.8.

This documentation is focused on on-prem or physical infra. I am wondering how to translate paths like "certs/http.p12" to the cloud instance.

The documents here below are for Elastic Cloud...

Since it is already secured, you will not be providing your own certs... you will be focusing on the SAML portions if you want to connect with AD.

There may be some specifics for SAML for 6.8... but you won't be creating or uploading your own certs.

You will put your SAML settings in the elasticsearch.yml from the cloud console.

So I am getting a bunch of errors when saving elasticsearch.yml (also tried the same in kibana.yml). Any idea what I am doing wrong?

xpack:
  security:
    authc:
      realms:
        saml:
          clarityfirst-sso:
            order: 2
            attributes.principal: "mail"
            attributes.groups: "groups"
            idp.metadata.path: "https://login.microsoftonline.com/[tenantid]/federationmetadata/2007-06/federationmetadata.xml?appid=[sso app id]"
            idp.entity_id: "https://sts.windows.net/[tenantid]/"
            sp.entity_id: "https://[deployment].westus2.azure.elastic-cloud.com:9243"
            sp.acs: "https://[deployment].westus2.azure.elastic-cloud.com:9243/api/security/v1/saml"
            sp.logout: "https://[deployment].westus2.azure.elastic-cloud.com:9243/logout"

Errors:

Elasticsearch - 'xpack.security.authc.realms.saml.clarityfirst-sso.order': is not allowed
Elasticsearch - 'xpack.security.authc.realms.saml.clarityfirst-sso.attributes.principal': is not allowed

Many other "not allowed" errors, one for each line.

I know I am not getting this right
xpack.security.authc.realms.saml.cloud-saml.*
from here
so trying this does not work either:

        saml:
          cloud-saml:
            order: 2

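For comparison, here is the same realm written in the 6.x settings layout. This is an added example, not configuration from the thread or from Elastic's documentation verbatim. The assumption behind it: the post above is on 6.8, and in 6.x a realm is declared directly under `realms` with its type given by a `type` key (`xpack.security.authc.realms.<name>.type: saml`); the `realms.saml.<name>` grouping used in the block above is the 7.x layout, so every key under it is rejected by the 6.x user-settings allow list. The `cloud-saml` realm name is the one the allow-list entry quoted above uses; its 6.x counterpart without the `saml` level (`xpack.security.authc.realms.cloud-saml.*`) is assumed here. Tenant id, app id and deployment host are placeholders, as in the original post.

```yaml
# elasticsearch.yml, 6.x layout: realm name directly under `realms`,
# realm type as a `type` key. Bracketed values are placeholders (assumed, not real).
xpack:
  security:
    authc:
      realms:
        cloud-saml:
          type: saml
          order: 2
          # Azure AD sends the UPN/e-mail in the `mail` claim when configured to;
          # group membership arrives as object IDs in the `groups` claim.
          attributes.principal: "mail"
          attributes.groups: "groups"
          idp.metadata.path: "https://login.microsoftonline.com/[tenantid]/federationmetadata/2007-06/federationmetadata.xml?appid=[sso app id]"
          idp.entity_id: "https://sts.windows.net/[tenantid]/"
          # sp.entity_id must match the identifier registered for this deployment at the IdP,
          # and sp.acs must match the reply URL registered there; a mismatch is rejected.
          sp.entity_id: "https://[deployment].westus2.azure.elastic-cloud.com:9243"
          sp.acs: "https://[deployment].westus2.azure.elastic-cloud.com:9243/api/security/v1/saml"
          sp.logout: "https://[deployment].westus2.azure.elastic-cloud.com:9243/logout"
---
# kibana.yml, 6.x: enable the SAML auth provider and exempt the ACS endpoint from
# Kibana's XSRF check, otherwise the IdP's POST back to Kibana is refused.
xpack.security.authProviders: [saml]
server.xsrf.whitelist: [/api/security/v1/saml]
```

The same YAML is what you would hand to the Terraform provider as the deployment's Elasticsearch and Kibana user settings when creating deployments on the fly, so the version-specific layout has to be chosen per deployment version. Note that the realm only authenticates: until role mappings grant roles to the `groups` values (or to specific principals), a successful SAML login still lands on a user with no access.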