Kibana realm-specific login URL (or another way to pre-select the realm)?


I am trying to define several authc providers/realms in Elastic + Kibana but I do not want my clients to select a realm. Instead, I would like to drive them to a particular one that corresponds to them. Is there a way to generate a realm-specific login URL that I could include in my web app configuration?

Why do you need this?
Your realms will be checked in the order you configured them.
So if users fail to authenticate in realm-1, they will be checked against realm-2 and so on.
If you have many realms configured, this might take some time and the UX will be decreased.

My users cannot be "checked". I use multiple OpenID Connect providers so there can be no "checking" of any kind. The realm/provider needs to be selected. There may be dozens of them. When my web app redirects to Kibana, it knows which realm the user belongs to.

So far I only found an internal API (/internal/security/login) which takes a small JSON structure with the name of the desired provider and returns the location (authorization URL) for it with appropriate state/nonce values. And it needs kbn-xsrf header. I am wondering if there is more "public" option or this is the best one?

You might be able to use Third Party initiated login for this.

Hi @TimV

The OIDC spec says "In this case, the initiator redirects to the RP at its login initiation endpoint, which requests that the RP send an Authentication Request to a specified OP". Given that Elasticsearch is the RP in this scenario, what is the "login initiation endpoint" that "can be a deep link at the RP, rather than a default landing page"? I cannot find it anywhere in the documentation. Elastic Stack does not implement the dynamic client registration (which it does not need anyway) so there is no such login endpoint provided. What am I missing?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.