SAML & Kibana

teej · November 5, 2020, 11:04pm

Hi,
I was curious to understand...When using saml, do you have to create the users locally? Or does the saml mechanism fetch the users based on credentials? I inherited a system in which saml is used but it has all the users created locally and I wondered - what's the point? Thank you.

warkolm · November 5, 2020, 11:35pm

They should be pulled from SAML as needed.
That does seem odd, are the users in the native realm?

teej · November 6, 2020, 12:54am

Thank you warkolm...
I think they are cause there is a realm 0 and a realm 1.

I apologize for the stupid question but never having used saml - Where does saml normally pull its authentication information from? AD or ldap or some other application?

In any event, I didnt imagine it would need local user accounts to be present - kinda seemed to defeat the purpose.

warkolm · November 6, 2020, 1:05am

That would depend on the auth source that is defined, so could be any of them.

warkolm · November 6, 2020, 1:06am

You should keep some admin ones as backups.

TimV · November 6, 2020, 4:27am

You can do either.
By default Elasticsearch doesn't expect local accounts for SAML users, but you can configure it to do so (you need to check the elasticsearch.yml, and see if the SAML realm defines any authorization_realms).

Typically, for SAML you just store everything in your identity provider, and it passes the necessary information to Elasticsearch when users login.

However, there are two cases where you might want to provide local users:

You expect those users to also have direct access to the ES API. SAML is a Web browser/UI thing (*), so it doesn't work if you don't have a web browser. If you want to authenticate to Elasticsearch via Curl, or Python, or ... then you need to use a different authentication source (either a different realm, like the local native users, or API keys created for your SAML users).
Your SAML identity provider doesn't store the relevant group information (or can't provide it to ES). In that case, you may wish to manage your users in Elasticsearch, but just rely on SAML for the authentication/SSO part.

Notes
(*) There's a little bit of hand waving there, "SAML" is actually many different things, but the bit more people think of as "SAML" and the bit that is used with Elasticsearch is a browser based single sign on protocol.

teej · November 6, 2020, 4:39pm

Wow, Thanks TimV. That's very interesting and not clearly something I would have found so well defined in the Elastic docs but makes a lot more sense. Also thank you warkolm.

system · December 4, 2020, 4:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Basic Users when SAML Enabled Elasticsearch elastic-stack-security	6	421	June 25, 2019
How to use ldap realm for authorisation for SAML realm Elasticsearch elastic-stack-security	19	1429	July 11, 2019
Super user Role not working for SAML users Kibana	5	654	November 22, 2018
SAML support, custom authentication plugins Elasticsearch elastic-stack-security	21	6955	February 5, 2019
Authentication + Authorization for Elasticsearch without user creation in Elasticsearch Elasticsearch	3	787	October 2, 2017

SAML & Kibana

Related topics