I am trying to define several authc providers/realms in Elastic + Kibana but I do not want my clients to select a realm. Instead, I would like to drive them to a particular one that corresponds to them. Is there a way to generate a realm-specific login URL that I could include in my web app configuration?
Why do you need this?
Your realms will be checked in the order you configured them.
So if users fail to authenticate in realm-1, they will be checked against realm-2 and so on.
If you have many realms configured, this might take some time and the UX will be decreased.
My users cannot be "checked". I use multiple OpenID Connect providers so there can be no "checking" of any kind. The realm/provider needs to be selected. There may be dozens of them. When my web app redirects to Kibana, it knows which realm the user belongs to.
So far I only found an internal API (/internal/security/login) which takes a small JSON structure with the name of the desired provider and returns the location (authorization URL) for it with appropriate state/nonce values. And it needs kbn-xsrf header. I am wondering if there is more "public" option or this is the best one?
The OIDC spec says "In this case, the initiator redirects to the RP at its login initiation endpoint, which requests that the RP send an Authentication Request to a specified OP". Given that Elasticsearch is the RP in this scenario, what is the "login initiation endpoint" that "can be a deep link at the RP, rather than a default landing page"? I cannot find it anywhere in the documentation. Elastic Stack does not implement the dynamic client registration (which it does not need anyway) so there is no such login endpoint provided. What am I missing?
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.