We're looking at purchasing Shield, and I'm trying to evaluate whether it meets our security requirements.
Basically, every machine has a user certificate held in the Windows store. I'd like to be able to use that certificate so that users (both via Kibana and our own ES-integrated apps) can prove their identity securely, but permission those user accounts using group membership within Active Directory.
The aim is to do this without having to use passwords anywhere (entering them, or having to store them in files).
Our certificates contain the AD name (DN) in the Subject, so in theory we have all the information we need to then check that those users have membership of the required AD groups.
Is this possible? Will we have to create our own custom realm to do this? Presumably if it's the latter, we could leverage the PKI and AD realm functionality?
Thanks for any information.