Login to Kibana instance with automatic user generation based on Proxy Header

I am looking for a method to login to my organization's Kibana using a Request Header rather than actually authenticating. My organization uses Cloudflare Access, which provides the header Cf-Access-Authenticated-User-Email to our Elastic installation which is provided when an employee has successfully authenticated with our identity provider.

I've seen a few related threads to this, but would like to know if there is a way to enable this behavior without having to write a custom plugin. For example, the Elastic docs provide a method for specifying a custom HTTP scheme, but don't seem to give a method for doing much with it.

So my question is, how can we extract this header for authentication, and create a user and put them into some type of default role?

Any ideas would be much appreciated, thank you.

Hi Ryan. I don't think it is possible to create a Kibana session using only a request header. Is it your goal to bypass the Kibana login screen? If so, you have a couple of options...

I found this post, Login kibana without UI (using token), which describes two options:

  1. Use a Single sign-on (SSO) solution
  2. Set up a reverse proxy in front of Kibana to handle authentication. An example: Auto-authenticating to iframe-embedded Kibana dashboard

Is this helpful, or are you ultimately trying to accomplish something else?
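
The reverse-proxy option above, as an added example that is not part of the original thread: the header-handling step of a proxy that sits behind Cloudflare Access and in front of Kibana. The trusted network, the shared Kibana account and its password, and the function names are assumptions made for illustration; it also assumes Kibana accepts the injected Basic credentials.

```python
import base64
import ipaddress
import re

# Assumptions, not values from the thread: the network the Access-side proxy
# connects from, and a shared low-privilege Kibana account (placeholders).
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/24")]
IDENTITY_HEADER = "cf-access-authenticated-user-email"
KIBANA_USER = "dashboard_viewer"
KIBANA_PASSWORD = "example-password"
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+")


def from_trusted_proxy(peer_ip):
    """True only if the TCP peer is inside a network we trust to set the header."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def upstream_headers(peer_ip, headers):
    """Return (email, headers to send to Kibana), or None to reject the request."""
    lowered = {name.lower(): value for name, value in headers.items()}
    # The identity header means nothing unless the trusted proxy set it.
    if not from_trusted_proxy(peer_ip):
        return None
    email = lowered.get(IDENTITY_HEADER, "")
    # Reject a missing header and values carrying whitespace or CR/LF.
    if not EMAIL_RE.fullmatch(email):
        return None
    # Never forward a client-supplied Authorization or the identity header.
    forwarded = {
        name: value
        for name, value in lowered.items()
        if name not in (IDENTITY_HEADER, "authorization")
    }
    token = base64.b64encode(f"{KIBANA_USER}:{KIBANA_PASSWORD}".encode()).decode()
    forwarded["authorization"] = f"Basic {token}"
    return email, forwarded
```

Every visitor reaches Kibana as the same shared account with this approach; the returned email is available only to the proxy, for example for its own access log.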