Kibana handle multiple authentication methods

Hello,

We have some questions about how to handle multiple authentication methods in Kibana. It would be great if we can learn from you and your solutions or your ideas.

At the moment we can offer three different authentication methods:

  • native
  • saml
  • oidc

There is an interesting UI selector where users can select which authentication method they want to use.

  • Is it possible to use this UI selector only when the preferred (highest order setting) failed?
  • Or can we configure the UI selector behind a different endpoint?

Also there is the "/login" option for using native authentication.

Or do you have other solutions for how to handle our requirements?

  • native authentication via /login for administrators --> check
  • oidc realm for all users (default setting)
  • saml as fallback if oidc is not working

Best regards

Hi,

I think this is done by Kibana if you configure e.g. native and activeDirectory (password will be checked against native and then against AD). But native, saml and oidc are totally different, so I guess that will not work.

I have not found the documentation link for it, only the reference for anonymous access here, but you should be able to call Kibana like this: https://localhost:5601/app/monitoring?auth_provider_hint=saml1 which should try to use the SAML provider.

I think you should also be able to install two separate Kibana installations:

  • one has native authentication and has a very restricted firewall because only the admins should be able to access this
  • one has oidc and saml configured

Be aware that some settings have to be the same across all Kibana instances: Use Kibana in a production environment | Kibana Guide [7.11] | Elastic

Best regards
Wolfram

Thanks for your answers!

Maybe it is possible to redirect to another URL endpoint.

my-kibana-url.com/login was the solution for administration to authenticate via basic authentication while for my-kibana-url.com another authentication method is configured.

This is interesting. We will test it!

This is also a good idea. Maybe this can be our workaround.
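
A kibana.yml sketch of the setup discussed in this thread (OIDC as default, SAML second, native login for administrators via /login). It is an added example, not any poster's configuration; the provider names oidc1, saml1 and basic1 and the realm names are assumptions.

```yaml
# kibana.yml (added example; provider and realm names are assumptions)
xpack.security.authc.providers:
  # OIDC is the default for all users: the lowest order is tried first.
  oidc.oidc1:
    order: 0
    realm: oidc1          # assumed name; must match the OIDC realm in elasticsearch.yml
    description: "Log in with OIDC"
  # SAML as the second choice.
  saml.saml1:
    order: 1
    realm: saml1          # assumed name; must match the SAML realm in elasticsearch.yml
    description: "Log in with SAML"
  # Native (username/password) login for administrators.
  basic.basic1:
    order: 2

# With more than one provider configured, the Login Selector is on by default.
# Setting it to false sends unauthenticated users to the order-0 provider
# (OIDC here); the basic login form stays reachable at /login, as described
# in the thread.
xpack.security.authc.selector.enabled: false
```

Order only decides which provider handles a new unauthenticated request; it does not test whether the identity provider is reachable, so SAML as a fallback still needs an explicit entry point, for example leaving the selector enabled.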