SAML & Kibana

I was curious to understand...When using saml, do you have to create the users locally? Or does the saml mechanism fetch the users based on credentials? I inherited a system in which saml is used but it has all the users created locally and I wondered - what's the point? Thank you.

They should be pulled from SAML as needed.
That does seem odd, are the users in the native realm?

Thank you warkolm...
I think they are cause there is a realm 0 and a realm 1.

I apologize for the stupid question but never having used saml - Where does saml normally pull its authentication information from? AD or ldap or some other application?

In any event, I didnt imagine it would need local user accounts to be present - kinda seemed to defeat the purpose.

That would depend on the auth source that is defined, so could be any of them.

You should keep some admin ones as backups.

You can do either.
By default Elasticsearch doesn't expect local accounts for SAML users, but you can configure it to do so (you need to check the elasticsearch.yml, and see if the SAML realm defines any authorization_realms).

Typically, for SAML you just store everything in your identity provider, and it passes the necessary information to Elasticsearch when users login.

However, there are two cases where you might want to provide local users:

  1. You expect those users to also have direct access to the ES API. SAML is a Web browser/UI thing (*), so it doesn't work if you don't have a web browser. If you want to authenticate to Elasticsearch via Curl, or Python, or ... then you need to use a different authentication source (either a different realm, like the local native users, or API keys created for your SAML users).
  2. Your SAML identity provider doesn't store the relevant group information (or can't provide it to ES). In that case, you may wish to manage your users in Elasticsearch, but just rely on SAML for the authentication/SSO part.

(*) There's a little bit of hand waving there, "SAML" is actually many different things, but the bit more people think of as "SAML" and the bit that is used with Elasticsearch is a browser based single sign on protocol.


Wow, Thanks TimV. That's very interesting and not clearly something I would have found so well defined in the Elastic docs but makes a lot more sense. Also thank you warkolm.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.