Kibana 9.x internal APIs blocked – how to support iframe SSO login from external app

We upgraded from Kibana 8.9.0 to 9.2.0 and our previous integration stopped working. Earlier, our external application (Application A) used the /internal/security/login endpoint to authenticate users programmatically and pass the Kibana session cookie into an embedded iframe, so users were auto-logged in. After upgrading, this endpoint now returns “400 Bad Request: uri [/internal/security/login] exists but is not available with the current configuration.” It appears Kibana 9.x restricts internal APIs by default. We’d like to know if there’s any configuration or supported way to restore seamless login behavior—perhaps using /api/security/login, SSO, or specific cookie settings for iframe embedding.

Hi @Shivam_Mahajan,

Welcome! There is support for SAML to enable SSO-based authentication as outlined here. It is a licensed feature (Platinum and above as per the subscription guide). This can be used as a provider invoked in the URL passed to the iframe as per this guide.

The alternative option is to use anonymous access to set a particular user and role for anonymous requests, but I have a feeling you're looking for option 1.

Hope that helps!
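
The anonymous-access option mentioned in the reply above, shown as an added `kibana.yml` example (not part of the original posts and not configuration taken from the poster's deployment). The provider names `basic1` and `anonymous1`, the account name and the password placeholder are assumptions.

```yaml
# kibana.yml: added example, not taken from the thread.
# Provider names, the account name and the password are placeholders.

xpack.security.authc.providers:
  # Interactive users keep the normal login form.
  basic.basic1:
    order: 0
  # Requests that select this provider are served as one fixed account,
  # so no credentials travel from the embedding application to the browser.
  anonymous.anonymous1:
    order: 1
    credentials:
      username: "kibana_embed_readonly"     # hypothetical account
      password: "<PLACEHOLDER_PASSWORD>"

# When the embedding application is on a different site, the session cookie
# is a third-party cookie inside the iframe. Browsers only accept
# SameSite=None cookies over HTTPS.
xpack.security.sameSiteCookies: "None"

# false is the default; setting this to true makes Kibana send headers
# that stop other origins from framing it.
server.securityResponseHeaders.disableEmbedding: false
```

With more than one provider configured, the iframe URL selects the anonymous one by appending `auth_provider_hint=anonymous1`. Anyone who can reach that URL gets the privileges of the configured account, so it should hold a read-only role limited to the embedded dashboards.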

Thank you for the response.

We would prefer to achieve this using the basic (non-licensed) features only. Our setup involves an external application (Application A) that embeds Kibana within an iframe. Previously, in version 8.9.0, Application A used the /internal/security/login endpoint to programmatically authenticate users by sending their credentials, obtaining the session cookie, and then injecting that cookie into the embedded iframe so that users were automatically logged in to Kibana.

After upgrading to Kibana 9.2.0, this approach no longer works, as the /internal/security/login endpoint now returns a 400 error indicating it’s unavailable with the current configuration.

We’d like to know if there’s any supported way within the Basic license to accomplish a similar seamless login flow. Specifically, since Application A is using an iframe to display the Kibana webview, we’re exploring whether it’s possible to inject a JavaScript function that silently opens the Kibana login screen in the background, performs a POST request with username and password, and sets the session cookie automatically — so that when the iframe loads, the user is already authenticated.

Could you please confirm if this kind of programmatic authentication flow is still possible in Kibana 9.x under the Basic license, or if there’s another supported mechanism for achieving equivalent behavior?