Kibana handle multiple authentication methods

treknado · February 25, 2021, 3:01am

Hello,

we have some questions about how to handle multiple authentication methods in Kibana. It would be great if we can learn from you and your solutions or your ideas.

at the moment we can offer three different authentication methods:

native
saml
oidc

there is an interesting UI selector where users can select which authentication method they want to use.

is it possible to use this UI selector only when the prefered (highest order setting) failed ?
or can we configure the UI selector behind a different endpoint ?

Also there is the "/login" option for using native authentication.

is it possible to configure more URL endpoints for our realms?
example: my-kibana-url.com/saml1

Or do you have other solutions how to handle our requirements ?

native authentication via /login for administrators --> check
oidc realm for all users (default setting)
saml as fallback if oidc is not working

best regards

Wolfram_Haussig · February 23, 2021, 1:07pm

Hi,

I think this is done by Kibana if you configure e.g. native and activeDirectory(password will be checked against native and then against AD). But native, saml and oidc are totally different so I guess that will not work.

I have not found the documentation link for it - only the reference for anonymous access here but you should be able to call Kibana like this: https://localhost:5601/app/monitoring?auth_provider_hint=saml1 which should try to use the Saml provider.

I think you should also be able to install two separate Kibana installations:

one has native authentication and has a very restricted firewall because only the admins should be able to access this
one has oidc and saml configured

Be aware that some settings have to be the same across all kibana instances: Use Kibana in a production environment | Kibana Guide [7.11] | Elastic

Best regards
Wolfram

treknado · February 23, 2021, 1:42pm

thanks for your answers !

maybe it is possible to redirect to another URL endpoint

my-kibana-url.com/login was the solution for administration to authenticate via basic authentication while for my-kibana-url.com another authentication method is configured.

this is interesting. we will test it !

this is also a good idea. maybe this can be our workaround.