SAML - Migrate to new IDP

heric · August 10, 2023, 9:39am

Hi All,

I have 5 nodes cluster of elasticsearch integrated to SAML IDP.
i want to migrate to new SAML IDP but i don't have working test environment to integrate to this new IDP.

Below scenario that i can think of, do you think this will be feasible ( mostly the part where i want to change the SAML configuration on one node only to test the integration ).

create local users and provide existing users with this temporary local users
offload 1 elasticsearch node ( because i didn't enable replica and restart of the live node will have impact to the service )
configure kibana elasticsearch host to this offloaded node
configure new SAML IDP in this node and test the integration
if it is working, rollout to the other nodes.

Thanks.

TimV · August 11, 2023, 7:42am

Doing it on one node will work fine.

However, you can have multiple SAML realms on a node, and configure Kibana to prompt users to pick which one to use.
If your old IdP is going to remain available during the migration, you should be able to add the new IdP, test it, and then remove the old one without needing to isolate a node.

heric · August 11, 2023, 2:29pm

Thank you Tim.

i am using elasticsearch 7.16.2 and kibana 7.13.2 , is that multiple saml realm supported and whether kibana will show the login selector by default or need to be configured

Topic		Replies	Views
SAML configuration in a Elasticsearch cluster Elasticsearch	3	496	November 8, 2018
Cluster SAML integration Elastic Cloud Enterprise (ECE)	4	674	June 24, 2019
Realm discovery with SAML integration Elasticsearch elastic-stack-security	7	819	August 8, 2019
X-pack - SAML issue - ELK 6.4 Elasticsearch elastic-stack-security	7	2432	November 21, 2018
Elastic Cloud SAML SSO in 'trial' environment Elasticsearch elastic-stack-security	15	1055	March 23, 2023

SAML - Migrate to new IDP

Related topics