Extending Shield 2.0 with custom plugin

security

(Curtis) #1

I am looking for information on authoring a Java plugin that extends Shield 2.0 capabilities. Specifically I want the plugin to use a custom library to authenticate a user based on a SAML token. The SAML token contains claims that would then be used to tell Shield whether a user is authenticated and what their Shield "role" is.

Thanks in advance.

Update : I have the CustomRealmExamplePlugin working -- see https://github.com/elastic/shield-custom-realm-example

I'd like to change
public class CustomRealm extends Realm

so it will accept a SAML token passed in the HTTP header for authentication. I haven't had much luck finding documentation on what other types are available to hand to the Realm class or how to use them. Something like Realm or similar would be very helpful.

Thanks


(Jay Modi) #2

Hi Curtis,

I'm glad you found the custom realm plugin and were able to get it working. You're correct in that you will need to create your own realm like the CustomRealm.

A list of things that you will probably need to do:

  1. Create a SamlToken that implements AuthenticationToken
  2. Create a custom realm for SAML. This will need the ability to extract a SamlToken from a HTTP header (most likely Base64 encoded). The realm will also need to be able to verify the SAML token and extract the user identity plus authorization information (roles).
  3. Create a custom AuthenticationFailureHandler that will redirect requests to your authentication service when requests do not have a SAML token

Is there a SAML library that you are already planning to use?

-Jay
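The three steps Jay lists, as an added example (not code from this thread and not from the shield-custom-realm-example repository). It assumes the Shield 2.x base classes that repository extends (Realm, AuthenticationToken, RealmConfig, User.Simple, DefaultAuthenticationFailureHandler) and the Base64-encoded header layout described above; SamlVerifier, the role_attribute setting and the login URL are hypothetical placeholders for whichever SAML library and realm configuration the plugin ends up using. The factory and plugin classes that register the realm would be the same as in that repository and are not repeated here.

```java
// Added example; assumes Shield 2.x APIs as used by shield-custom-realm-example.
// SamlVerifier, "role_attribute" and the login URL are hypothetical.
package org.example.saml;

import java.io.ByteArrayInputStream;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.rest.RestRequest;
import org.elasticsearch.shield.User;
import org.elasticsearch.shield.authc.AuthenticationToken;
import org.elasticsearch.shield.authc.DefaultAuthenticationFailureHandler;
import org.elasticsearch.shield.authc.Realm;
import org.elasticsearch.shield.authc.RealmConfig;
import org.elasticsearch.transport.TransportMessage;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical adapter over the chosen SAML library: true only if the assertion's XML
 *  signature verifies against the IdP certificate configured for this realm. */
interface SamlVerifier { boolean signatureIsValid(Document assertion); }

/** Step 1: the token carries the decoded assertion XML until the realm has verified it. */
final class SamlToken implements AuthenticationToken {
    private final byte[] assertionXml;
    SamlToken(byte[] assertionXml) { this.assertionXml = assertionXml; }
    @Override public String principal() { return "<unverified saml assertion>"; } // unknown before parsing
    @Override public Object credentials() { return assertionXml; }
    @Override public void clearCredentials() { Arrays.fill(assertionXml, (byte) 0); }
}

/** Step 2: realm that reads "Authorization: SAML <base64 assertion>" and verifies it. */
public class SamlRealm extends Realm<SamlToken> {
    public static final String TYPE = "saml";
    private static final String SCHEME = "SAML ";
    private static final String NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private static final int MAX_HEADER_CHARS = 64 * 1024;   // bound work before base64/XML parsing
    private final SamlVerifier verifier;
    private final String roleAttribute;                        // assumed realm setting "role_attribute"

    public SamlRealm(RealmConfig config, SamlVerifier verifier) {
        super(TYPE, config);
        this.verifier = verifier;
        this.roleAttribute = config.settings().get("role_attribute", "role");
    }

    @Override public boolean supports(AuthenticationToken token) { return token instanceof SamlToken; }
    @Override public boolean userLookupSupported() { return false; }
    @Override public User lookupUser(String username) { return null; }          // no directory behind this realm
    @Override public SamlToken token(TransportMessage<?> message) { return null; } // REST clients only here

    @Override public SamlToken token(RestRequest request) {
        String header = request.header("Authorization");
        if (header == null || header.length() > MAX_HEADER_CHARS
                || !header.regionMatches(true, 0, SCHEME, 0, SCHEME.length())) {
            return null;                                       // null = "no token for this realm"
        }
        try {
            return new SamlToken(Base64.getDecoder().decode(header.substring(SCHEME.length()).trim()));
        } catch (IllegalArgumentException notBase64) {
            return null;
        }
    }

    @Override public User authenticate(SamlToken token) {
        try {
            Document doc = parseHardened((byte[]) token.credentials());
            if (!verifier.signatureIsValid(doc)) return null;  // verify before trusting any claim
            Element conditions = first(doc, "Conditions");
            String notOnOrAfter = conditions == null ? "" : conditions.getAttribute("NotOnOrAfter");
            if (notOnOrAfter.isEmpty() || !Instant.now().isBefore(Instant.parse(notOnOrAfter))) {
                return null;                                   // expired or unbounded assertions are rejected
            }
            Element nameId = first(doc, "NameID");
            if (nameId == null || nameId.getTextContent().trim().isEmpty()) return null;
            List<String> roles = new ArrayList<>();            // role claims become Shield role names
            NodeList attrs = doc.getElementsByTagNameNS(NS, "Attribute");
            for (int i = 0; i < attrs.getLength(); i++) {
                Element attr = (Element) attrs.item(i);
                if (!roleAttribute.equals(attr.getAttribute("Name"))) continue;
                NodeList values = attr.getElementsByTagNameNS(NS, "AttributeValue");
                for (int j = 0; j < values.getLength(); j++) roles.add(values.item(j).getTextContent().trim());
            }
            // The 2.0 example repo builds users as User.Simple(name, roles); match the branch you build against.
            return new User.Simple(nameId.getTextContent().trim(), roles.toArray(new String[0]));
        } catch (Exception malformedAssertion) {
            return null;                                       // any parse failure = not authenticated
        }
    }

    private static Element first(Document doc, String localName) {
        NodeList nodes = doc.getElementsByTagNameNS(NS, localName);
        return nodes.getLength() == 0 ? null : (Element) nodes.item(0);
    }

    /** DOM parser with DTDs and external entities off, so an attacker-supplied assertion cannot XXE the node. */
    private static Document parseHardened(byte[] xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }
}

/** Step 3: point clients that arrive without a token at the login service instead of a Basic challenge. */
class SamlAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler {
    private final String loginUrl;                             // assumed setting, e.g. the IdP SSO endpoint
    SamlAuthenticationFailureHandler(String loginUrl) { this.loginUrl = loginUrl; }
    @Override public ElasticsearchSecurityException missingToken(RestRequest request) {
        ElasticsearchSecurityException e = super.missingToken(request);
        e.addHeader("WWW-Authenticate", "SAML realm=\"" + loginUrl + "\""); // replaces the Basic challenge
        return e;
    }
}
```

A client sends `Authorization: SAML <base64 of the assertion XML>` on every request; `token()` only extracts, and `authenticate()` checks the signature first, then `NotOnOrAfter`, and only then reads `NameID` and the role attribute, because every claim in an unverified assertion is attacker-controlled. The parser settings matter for the same reason: the XML arrives from the network, so DTDs and external entities are disabled before it is parsed on the Elasticsearch node. Returning `null` from `authenticate()` lets Shield fall through to any other configured realm and, if none succeeds, hand the request to the failure handler.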


(Curtis) #3

Jay,

Thanks for your previous feedback -- I forgot to report back that we have our Custom Realm Shield Plugin working with SAML token authentication. Now we want to make it work with Kibana.

Our use case is Kibana users will use a login page that redirects them to Kibana with a SAML token in the HTTP Authorization header. We want Kibana to reject any access without a valid SAML token and pass the token to the Elasticsearch + Shield + Custom Realm Plugin on each call.

We are considering two possible options.

What would you recommend? I see that Kibana has new login page -- is there a way to plugin to it as I've described?

Thanks
Curtis


(Pierre Jacquot) #4

Hello Nielson,

We are working on a similar topic on our side.
Do you have any reference that may help us to implement this kind of solution?


(Curtis) #5

The CustomRealmExamplePlugin referenced above is a good place to start. see https://github.com/elastic/shield-custom-realm-example
