IdP Recommendations for SAML Auth


(dcam) #1

We are planning to move from Basic Auth to SAML Authentication.

Do you have any recommendations about which framework to use as a SAML client?

  • PingFederate
  • Keycloak
  • SAML Passport
  • etc

We would like to build the client in Angular Frontend.

Any recommendations?

Thanks


(Tim Vernum) #2

We would like to build the client in Angular Frontend.

I'm a bit confused about what exactly you're asking.

  • Are you asking about an IdP to sit in front of the Elastic Stack
  • Or, do you want to build an application that sits in front of Elasticsearch and uses SAML to authenticate its users to Elasticsearch?
  • Or, are you just building a standalone application and want SAML advice?

If you can clarify what you're actually planning to implement/build we might be able to give you some pointers (though I'm unlikely to actually recommend any specific IdP).


(dcam) #3

Creating a frontend with Angular, we will be able to integrate Kibana iframes or a link to Kibana without having to provide credentials, since we have already collected them from the IdP.


(Tim Vernum) #4

There are some challenges with making that approach work - it depends on whether your IdP allows authentication within an iframe, which it may not. SAML is an OK, but not great, technology for this sort of embedding. It's not really the problem it was designed to solve.

I'd recommend that you do a proof-of-concept very early on in your project to make sure you've got a setup that solves the problem you're after.

As far as your original question is concerned, I don't want to provide recommendations, but I am aware of people successfully integrating the Elastic Stack with the IdPs below. Some of those proved to be easier than others.

  • ADFS
  • Auth0
  • Azure AD
  • Google GSuite
  • Okta
  • OneLogin
  • PingIdentity
  • Shibboleth
  • SimpleSAMLphp

There are probably some others that I was told about but accidentally left off the list, and there would definitely be others that I'm simply not aware of.

In terms of deciding on which IdP to use, I would suggest you start with the following questions:

  • Do you want to run it on your own servers, or use a hosted solution?
  • What user repositories do you want it to integrate with (AD, LDAP, or have the IdP use its own internal user store)?
  • What sort of authentication mechanisms do you need? Just a simple username+password, or MFA, or TLS certificates?
  • Do you want additional authentication controls (IP filtering, time of day restrictions)?
  • How do you want to control access rights - both to gain access to the Elastic Stack, and to grant roles inside Elasticsearch (e.g. retrieve groups from LDAP, assign roles manually in the IdP)?
  • Do you want to use this same IdP with additional applications?

In my experience IdPs that do less are easier to configure and work with, so if you pick an IdP that has lots of features that you don't need, you'll pay for that in complexity without getting any value from it.
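The proof-of-concept suggested above starts with one concrete check: whether the IdP's SSO endpoint sends headers that forbid loading it in an iframe. The following is an added example for that check, not code from this thread or from any IdP; `idp.example.org`, `app.example.com` and the sample headers are constructed placeholders.

```python
from urllib.parse import urlsplit
import urllib.request

def _source_matches(source, idp_origin, embedder):
    # One CSP frame-ancestors source expression checked against the embedding origin.
    source = source.lower()
    if source in ("'self'", "*"):
        return source == "*" or embedder == idp_origin
    src_scheme, _, src_host = source.rpartition("://")
    emb_scheme, _, emb_host = embedder.partition("://")
    if src_scheme and src_scheme != emb_scheme:
        return False
    if src_host.startswith("*."):                 # host wildcard such as *.example.com
        return emb_host.endswith(src_host[1:])
    return src_host == emb_host

def framing_verdict(headers, idp_origin, embedding_origin):
    """'allowed' or 'blocked: <why>' for loading a page from idp_origin in an <iframe> on embedding_origin."""
    h = {k.lower(): v for k, v in headers.items()}
    idp_origin, embedder = idp_origin.lower(), embedding_origin.lower()
    # CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            if not sources or sources[0].lower() == "'none'":
                return "blocked: frame-ancestors 'none'"
            if any(_source_matches(s, idp_origin, embedder) for s in sources):
                return "allowed"
            return f"blocked: frame-ancestors does not list {embedder}"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked: X-Frame-Options DENY"
    if xfo == "SAMEORIGIN":
        return "allowed" if embedder == idp_origin else "blocked: X-Frame-Options SAMEORIGIN"
    # No header, or an obsolete value such as ALLOW-FROM that current browsers do not enforce.
    return "allowed"

def probe(idp_sso_url, embedding_origin):
    """Fetch the SSO URL once (redirects followed) and judge the final response's headers."""
    with urllib.request.urlopen(idp_sso_url) as resp:
        final = urlsplit(resp.geturl())
        return framing_verdict(dict(resp.headers), f"{final.scheme}://{final.netloc}", embedding_origin)

SAMPLE_HEADERS = {  # constructed sample responses for offline use, not captured from any real IdP
    "deny": {"X-Frame-Options": "DENY"},
    "same-origin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-allowlist": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'self' https://*.example.com"},
}
```

An "allowed" verdict only means no header forbids framing; the IdP's login page may still refuse to run inside a frame through its own scripts, so the browser test still has to be done.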
