We just subscribed to ElasticCloud. In the process of implementing SSO with Active Directory.
Does SSO setup have to be done on a per deployment basis? The Kibana URLs I have used according to the following article:
Having issues getting SAML based SSO setup for Azure AD. Not sure where to get the Identifier / Entity ID, Reply URL etc. from
are all specific to one deployment.
I intend to create Elasticsearch deployments on the fly. How will this SSO work in that scenario?
Thanks,
Tauqir
stephenb (Stephen Brown), March 1, 2021, 10:05pm
Hi @tchaudhry
The SSO setup is per deployment.
Deployments can be created via the Elastic Cloud API or the new (still in beta) Terraform provider. Provider here and GitHub here.
The elasticsearch.yml settings can be provided to each, so the Auth / Auth can be set up as you deploy.
Hi Stephen, thanks,
I am using the terraform provider.
Is there a reference for the elasticsearch.yml settings corresponding to AD SAML SSO?
Thanks,
Tauqir
stephenb (Stephen Brown), March 1, 2021, 10:59pm
I would set it up manually first before I would try to automate. Here are the docs for SAML setup.
Also @tchaudhry, this is Elastic Cloud, so you can also open a support ticket if you run into issues.
I did open a support ticket, but got more feedback from you so far.
Following this since we are 6.8.
This documentation is on-prem or physical infra focused. I am wondering how to translate paths like "certs/http.p12" to the cloud instance.
stephenb (Stephen Brown), March 1, 2021, 11:35pm
The documents here below are for Elastic Cloud.
Since it's already secured you will not be providing your own certs. You will be focusing on the SAML portions if you want to connect with AD.
There may be some specifics for SAML for 6.8, but you won't be creating or uploading your own certs.
You will put your SAML settings in the elasticsearch.yml from the cloud console.
So I am getting a bunch of errors when saving elasticsearch.yml (also tried the same in kibana.yml). Any idea what I am doing wrong?
xpack:
  security:
    authc:
      realms:
        saml:
          clarityfirst-sso:
            order: 2
            attributes.principal: "mail"
            attributes.groups: "groups"
            idp.metadata.path: "https://login.microsoftonline.com/[tenantid]/federationmetadata/2007-06/federationmetadata.xml?appid=[sso app id]"
            idp.entity_id: "https://sts.windows.net/[tenantid]/"
            sp.entity_id: "https://[deployment].westus2.azure.elastic-cloud.com:9243"
            sp.acs: "https://[deployment].westus2.azure.elastic-cloud.com:9243/api/security/v1/saml"
            sp.logout: "https://[deployment].westus2.azure.elastic-cloud.com:9243/logout"
Errors:
Elasticsearch - 'xpack.security.authc.realms.saml.clarityfirst-sso.order': is not allowed
Elasticsearch - 'xpack.security.authc.realms.saml.clarityfirst-sso.attributes.principal': is not allowed
Many other "not allowed" errors, one for each line.
I know I am not getting this right:
xpack.security.authc.realms.saml.cloud-saml.*
from here,
so trying this does not work either:
saml:
  cloud-saml:
    order: 2
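As an added example (not code from this thread or from Elastic), the script below models how a prefix allowlist like the `xpack.security.authc.realms.saml.cloud-saml.*` pattern quoted above turns each nested YAML setting into the dotted key the console names in its "is not allowed" lines, and rejects every key outside the pattern. The allowlist glob and the error wording come from the posts; the validator itself is an assumption, not Elastic Cloud's real implementation.

```python
import fnmatch

# Allowlist pattern the poster quoted from the Elastic Cloud docs. Assumption:
# the real cloud-console validator is not public; this is a glob-style model.
CLOUD_ALLOWLIST = ("xpack.security.authc.realms.saml.cloud-saml.*",)

# Constructed copy of the posted realm block (placeholders kept as posted).
POSTED_SETTINGS = {
    "xpack": {"security": {"authc": {"realms": {"saml": {"clarityfirst-sso": {
        "order": 2,
        "attributes.principal": "mail",
        "attributes.groups": "groups",
        "idp.entity_id": "https://sts.windows.net/[tenantid]/",
        "sp.entity_id": "https://[deployment].westus2.azure.elastic-cloud.com:9243",
    }}}}}}
}


def flatten(settings, prefix=""):
    """Collapse nested YAML mappings into the dotted keys Elasticsearch names
    in its error messages; keys already written with dots are kept verbatim."""
    flat = {}
    for key, value in settings.items():
        full = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, full))
        else:
            flat[full] = value
    return flat


def check_settings(settings, allowlist=CLOUD_ALLOWLIST):
    """Return one error per key that matches no allowlist pattern, in the
    same shape the console printed ("'<key>': is not allowed")."""
    return [
        f"Elasticsearch - '{key}': is not allowed"
        for key in flatten(settings)
        if not any(fnmatch.fnmatchcase(key, pat) for pat in allowlist)
    ]


def with_realm_name(settings, name):
    """Rebuild the settings with the single SAML realm renamed (e.g. 'cloud-saml')."""
    realm = next(iter(settings["xpack"]["security"]["authc"]["realms"]["saml"].values()))
    return {"xpack": {"security": {"authc": {"realms": {"saml": {name: realm}}}}}}


if __name__ == "__main__":
    for line in check_settings(POSTED_SETTINGS):
        print(line)  # one "is not allowed" line per key, as in the post
    print(check_settings(with_realm_name(POSTED_SETTINGS, "cloud-saml")))  # []
```

Under this model the realm renamed to cloud-saml passes, whereas the thread reports it still failed, so the prefix pattern is evidently only one of the checks the console applies.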
system (system), Closed, March 30, 2021, 7:23pm
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.