I'm looking for some guidance on how best to implement access security to search. My search clients are all Windows apps running in an AD domain. I have configured Elasticsearch with a Kerberos realm for authentication and an Active Directory realm for authorization. I've mapped AD groups to Elasticsearch roles and everything is working as expected. However, I can see that every search request from the client takes two HTTP requests, one that receives the 401 challenge followed by a second that provides the Kerberos ticket. To avoid the double hit on every search request I am using the Token API to generate a "session" token that I can send along with all subsequent search requests after the initial Kerberos exchange. One concern I had is that I have to give "manage_token" access to the groups that will use the client application in order to be able to call the Token API.
My question is: is this a proper approach to handling SSO in my environment? Is there a better implementation approach that I'm just not aware of, or a way to avoid having to use a token?