Shield and Azure AD?

security

(Brad Leach) #1

Does anyone know if it is possible to use Azure AD with Shield?

I'd love to have it set up so that you could manage users in Azure AD and secure Kibana via Shield.


(Steve Kearns) #2

We don't currently support Azure AD - it uses a different API than regular AD or LDAP. It is something that we are considering on our longer term roadmap, but isn't planned for our next release.

If Azure AD adds an LDAP interface, it should be easy to support it with the existing Shield realms.

In the meantime, would it be possible to use the native esusers authentication realm to protect ES and Kibana?


(Brad Leach) #3

Thanks for the info! Native esusers will be fine for now. :)


(Andreas V) #4

Shouldn't it be possible to customize this by implementing your own realm that authenticates against Azure APIs?

https://www.elastic.co/guide/en/shield/current/custom-realms.html


(Steve Kearns) #5

Yes, absolutely! You could definitely build a custom realm that connects to the Azure AD APIs.

In addition to the docs you link to, we also have an example realm that we provide for reference:

and there are various community-created realms (we don't support these as we didn't build them, but they do serve as useful examples), like this one:


(Aliostad) #6

Hi,

Are there any plans to add this support? Also would you accept PR or you would prefer these to be independent community projects?

Thanks
Ali


(Steve Kearns) #7

Hi Brad,

We have a number of other realms (think SAML, Kerberos) that are more widely deployed at our customers. However, that said, we encourage you to build a custom realm and open source it. We maintain an open source example realm, which should serve as a good example to get you started.

There is also a Kerberos realm that was produced by one of our partners - we don't build or support it, but it's a good example of a complex Shield realm in oss.

Thanks,
Steve


(Aliostad) #8

Thanks.

But Azure AD works with OAuth2/OpenID Connect... is this supported in Elasticsearch?
This would obviously trigger a redirect to the login page instead of accepting username/password.

