I am looking for information on authoring a Java plugin that extends Shield 2.0 capabilities. Specifically I want the plugin to use a custom library to authenticate a user based a SAML token. The SAML token contains claims that would then be used to tell Shield whether a user is authenticated and what their Shield "role" is.
I'd like to change
public class CustomRealm extends Realm
so it will accept a SAML token passed in the HTTP header for authentication. I haven't had much luck finding documentation on what other types are available to hand to the Realm class or how to use them. Something like Realm or similar would be very helpful.
I'm glad you found the custom realm plugin and were able to get it working. You're correct in that you will need to create your own realm like the CustomRealm.
A list of things that you will probably need to do:
Create a SamlToken that implements AuthenticationToken
Create a custom realm for SAML. This will need the ability to extract a SamlToken from a HTTP header (most likely Base64 encoded). The realm will also need to be able to verify the SAML token and extract the user identity plus authorization information (roles).
Create a custom AuthenticationFailureHandler that will redirect requests to your authentication service when requests do not have a SAML token
Is there a SAML library that you are already planning to use?
Thanks for your previous feedback -- I forgot to report back that we have our Custom Realm Shield Plugin working with SAML token authentication. Now we want to make it work with Kibana.
Our use case is Kibana users will use a login page that redirects them to Kibana with a SAML token in the HTTP Authorization header. We want Kibana to reject any access without a valid SAML token and pass the token to the Elasticsearch + Shield + Custom Realm Plugin on each call.
We are considering two possible options.
What would you recommend? I see that Kibana has new login page -- is there a way to plugin to it as I've described?
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.