Kibana handle multiple authentication methods

Elastic Stack Kibana
#1

Hello,

we have some questions about how to handle multiple authentication methods in Kibana. It would be great if we can learn from you and your solutions or your ideas.

at the moment we can offer three different authentication methods:

  • native
  • saml
  • oidc

there is an interesting UI selector where users can select which authentication method they want to use.

  • is it possible to use this UI selector only when the prefered (highest order setting) failed ?
  • or can we configure the UI selector behind a different endpoint ?

Also there is the "/login" option for using native authentication.

Or do you have other solutions how to handle our requirements ?

  • native authentication via /login for administrators --> check
  • oidc realm for all users (default setting)
  • saml as fallback if oidc is not working

best regards

#2

Hi,

I think this is done by Kibana if you configure e.g. native and activeDirectory(password will be checked against native and then against AD). But native, saml and oidc are totally different so I guess that will not work.

I have not found the documentation link for it - only the reference for anonymous access here but you should be able to call Kibana like this: https://localhost:5601/app/monitoring?auth_provider_hint=saml1 which should try to use the Saml provider.

I think you should also be able to install two separate Kibana installations:

  • one has native authentication and has a very restricted firewall because only the admins should be able to access this
  • one has oidc and saml configured

Be aware that some settings have to be the same across all kibana instances: Use Kibana in a production environment | Kibana Guide [7.11] | Elastic

Best regards
Wolfram

#3

thanks for your answers !

maybe it is possible to redirect to another URL endpoint

my-kibana-url.com/login was the solution for administration to authenticate via basic authentication while for my-kibana-url.com another authentication method is configured.

this is interesting. we will test it ! :slight_smile:

this is also a good idea. maybe this can be our workaround.

#4

@Wolfram_Haussig hey, i am back again with a lot of testing:

https://my-url:5601/app/monitoring?auth_provider_hint=saml1

did not work as expected...

i really like this idea, so i started a lot of testing.
in my test setup i have 1x nginx server and 2x kibana server on different nodes.
nginx conf looks like this:

upstream kibana-oidc1 {
    ip_hash;
    server x.x.x.x:5601; --> kibana server 1
}
upstream kibana-saml {
    ip_hash;
    server x.x.x.x:5601; --> kibana server 2
}
location / {
    proxy_pass http://kibana-oidc1;
    proxy_redirect off;
    proxy_buffering off;
    proxy_read_timeout 300s;
    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
}
location /saml/ {
    proxy_pass http://kibana-saml;
    proxy_redirect off;
    proxy_buffering off;
    proxy_read_timeout 300s;
    proxy_http_version 1.1;
    proxy_set_header Connection "Keep-Alive";
    rewrite ^ http://my-url/saml;
}

in kibana.yml on kibana 2:

server.basePath: "/saml"

my-url/ --> use kibana server 1 with oidc1 (only oidc configured)
my-url/saml --> use kibana server 2 with saml (only oidc configured)

but I am not able to make it work the way I expect it to.
do you have an example how to handle your idea without using complete different kibana urls ?
my-url/ should always be the same and not my-other-url/.

best regards

#5

Hi,

Unfortunately, I am not experienced with nginx as we explicitly want to have different Kibana Urls so the firewall ensures the admin interface is secure.

I am sure there are users here that are able to help you with this question far better than myself :slight_smile:

Best regards
Wolfram

#6

do others have any ideas ?

#7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.