SAML support, custom authentication plugins

security

(Owulff) #1

This question has been raised in the Kibana community already: Validate SAML token in Kibana

IMHO, it affects Elasticsearch and Shield as well.

Does Shield provide an interface where I can handle the authentication process (validate the SAML token) and then provide Shield with the roles the user has by parsing the attributes in the SAML token?
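The realm hook asked for above, written out as an added example that is not Elastic's or Shield's code: given a SAML assertion whose XML signature has already been verified (assumed done by an xmlsec library), check its validity window and audience, then map a `groups` attribute to role names through an assumed `GROUP_TO_ROLE` table. The sample assertion and the role mapping are constructed for illustration.

```python
"""Added example (not Elastic's code): the custom-realm step post #1 asks for,
i.e. take an already signature-verified SAML assertion, check its conditions,
and derive application roles from its attributes."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed mapping from IdP group attribute values to Shield role names.
GROUP_TO_ROLE = {"es-admins": "superuser", "es-readers": "kibana_user"}

def _ts(value):
    """Parse a SAML UTC timestamp such as 2017-06-01T12:00:00Z (None = absent)."""
    if value is None:
        raise ValueError("Conditions lacks a NotBefore/NotOnOrAfter timestamp")
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def assertion_to_roles(assertion_xml, audience, now=None):
    """Return (subject, roles); raise ValueError if the conditions fail.
    Assumes the XML signature was verified by an xmlsec library beforehand."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    # Reject assertions outside their validity window (replayed / stale tokens).
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside NotBefore/NotOnOrAfter window")
    # The assertion must be addressed to this service provider, not another SP.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("assertion not intended for %s" % audience)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    roles = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "groups":  # only mapped group values become roles
            for v in attr.findall("saml:AttributeValue", NS):
                role = GROUP_TO_ROLE.get((v.text or "").strip())
                if role:
                    roles.add(role)
    return subject, sorted(roles)

# Constructed sample assertion (unsigned, illustration only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2017-06-01T12:00:00Z" NotOnOrAfter="2017-06-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://kibana.example.com/sp</saml:Audience></saml:AudienceRestriction>
</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="groups">
<saml:AttributeValue>es-readers</saml:AttributeValue><saml:AttributeValue>unmapped</saml:AttributeValue>
</saml:Attribute></saml:AttributeStatement></saml:Assertion>"""
SAMPLE_TIME = datetime(2017, 6, 1, 12, 2, tzinfo=timezone.utc)
```

Unmapped group values are ignored rather than passed through, so a new IdP group never grants a role until an administrator adds it to the table.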
(Mark Walkom) #2

Currently, no. This type of functionality is something we are working on though.


(Owulff) #3

Thanks for the feedback. Can you shed some light on it which industry standards you plan to follow? Do you also have a rough timeline like Q3, Q4, next year?


(Mark Walkom) #4

I'll ask the product management team to provide a bit more information :slight_smile:


(Steve Kearns) #5

These are great questions! We have plans to add support for a number of new auth realms. In the very near future, we are planning to add a PKI-based realm that will make application-level authentication using certificates much easier.
In the longer term - think within this calendar year - we are planning to add additional realms and also allow the realms system to be extended. With the extensibility, it would be straightforward to create your own custom realm for your SAML-based SSO system.


(Owulff) #6

Thanks for the update. If you need more details or any other kind of input let me know :slight_smile:


(Robert Frey) #7

Given the widespread adoption of SAML authentication/authorization in public clouds, it may be prudent to include an example implementation of SAML via a custom auth realm using any SAML IdP as a point of reference, to provide your customers with a working example which can be modified (if necessary) to work with their own IdPs. One of your competitors recently released native SAML v2.0 SSO/SLO support using the following IdP:

https://www.pingidentity.com/en/products/pingfederate.html

There are many organizations that require this type of functionality from production systems hosted in public clouds, which could be a barrier to adoption for your project.

I also agree that this needs to be implemented in Shield; simply implementing it in Kibana is a half-baked solution that isn't going to satisfy security requirements at many organizations.

It doesn't do any good to use SAML for SSO/SLO if you still have to make an LDAP endpoint available for authorization, so using authentication proxies for this doesn't really solve the problem at hand.

Any updates on the current status of this work?

-- Rob Frey


(Micah Figone) #8

We would love to have SAML support natively in Shield. Through our IdP (OneLogin) we provide 2FA as well as a bunch of other IP-related restrictions, so it would be nice if we could apply these same practices with Kibana.


(Antek S. Baranski) #9

Any update on SAML in Shield? Or is this still a custom realm for which you charge an arm and a leg? :frowning:


(John Dyer) #10

Any update, guys?


(Marcel Matus) #11

Any update? I can't believe you have been working on such a small feature for longer than 2 years...
This would really help us a lot!


(Blomart Cédric) #12

SAML can also be implemented by a third-party proxy, thus lowering the need for the application to understand SAML.

Shibboleth and mod_auth_mellon are common examples.

They basically allow providing a service provider with user information in the HTTP headers or the execution environment.


#13

+1 for this idea. We're going to develop our own SAML proxy for ES... waste of time, would buy it in a second.


(Alex) #14

+1 :slight_smile: Any progress on this? It is really required for pretty much all large enterprise companies.


(Josh Bressers) #15

Hi there,

I'm the product manager focusing on X-Pack security. We have work happening to support SAML right now. When exactly it will land isn't known yet (there's still a lot of work to do), but it should be supported in the near future. This is literally my #1 feature.

Feel free to let me know if you have any questions.

Thanks.


(Alex) #16

Apologies for being picky, but this is a major hurdle for the company I work for to adopt X-Pack. Do you think it will be available this year? Knowing roughly when it could land would enable me to work around it and inform my stakeholders. If you could give a ballpark period of H2 this year, H1 next year, end of next year, etc., I am sure many other enterprise companies would be content.


(Josh Bressers) #17

I can't give a great answer, unfortunately; there are many moving parts to support this across the stack. The earliest we could maybe see a beta would be the end of this calendar year. Feel free to message me near the end of summer; I may have a more concrete timeline by then.


(Alex) #18

That is good enough :slight_smile: I appreciate that it is difficult to give dates in such situations. I shall message towards the end of summer. Many thanks!


#19

Do we have an update? Is the ETA in 6.0.0? I am another one of the 1000s that have this as a blocker to adoption of Elastic.


#20

+1
Please, any update on this?