Shield with SSO

How to integrate shield with SSO (Oracle Access Manager or CA Siteminder)?
If Kibana 4 is front-ended with Apache or nginx and the URL is protected by the access manager, does Shield have the capability to take the user from the SSO headers and do the role-based authorization with AD or LDAP? Basically, authentication using Access Manager and authorization using Shield.

Hi Tommy,

Shield can be integrated with SSO solutions through the use of a custom realm. My understanding is that Kibana 4 forwards all headers when making a request. The custom realm would need to understand the headers that contain the user information and do some validation on the request for security purposes.

For the authorization aspect, you are free to implement that however you would like in a custom realm, so an active directory/LDAP lookup is possible.


Thanks Jay.
Just trying to understand the flow here. So SSO authenticates the user (Kibana URL protected by SSO); after successful authentication the custom Shield plugin reads the user from the SSO header (no password), takes the user extracted from the header to do a user lookup in LDAP/AD (binds to LDAP/AD using a configured user), and if the user is found, maps the user to a Shield user and extracts the roles from elasticsearch.yml as shown below:

    type: custom
    order: 0
    roles: read
    roles: admin

We do not need to store the user password in this case?
Is the flow correct?


Hey Tommy,

I think you've got the idea. The custom realm example is just an example that makes use of the elasticsearch.yml file. There is no requirement to store user information in that file. With a custom realm, you have a lot of freedom on how to do the authentication.


Correct. This is really two parts in the custom realm. The first part is the token extraction from a request, which would be performed inside the token method that takes a RestRequest argument. You will probably want to implement your own class that implements the interface org.elasticsearch.shield.authc.AuthenticationToken rather than the UsernamePasswordToken since you will not be passing in a password.

The second part is the authentication of the token, which returns a user object. Here you will probably want to do some validation unless you can guarantee that the header cannot be forged by an attacker (i.e. Elasticsearch is firewalled off or proxied). Assuming the token is valid, you would do the lookup of the groups from LDAP/AD in this method. Based on what is returned, you can map the AD groups to Shield roles. Then create a user object with the correct username and roles.

I hope that helps to clarify the flow.
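The two realm phases Jay describes (token extraction from the request headers, then validation, group lookup and group-to-role mapping), modelled as an added Python example; this is not Shield's Java API or code from the thread. It assumes the SSO proxy sets a user header plus an HMAC over the user name with a secret shared only with the realm (so a client that reaches Elasticsearch directly cannot forge the identity header), and it uses a constructed in-memory dictionary in place of the AD/LDAP group lookup.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Assumed header names and shared secret (not from the thread): the trusted
# proxy sets both headers; the realm never sees or stores a password.
USER_HEADER = "X-Sso-User"
SIG_HEADER = "X-Sso-Signature"
PROXY_SECRET = b"example-shared-secret"  # constructed; would come from realm settings

# Constructed stand-in for the AD/LDAP group lookup and the group -> role mapping.
DIRECTORY_GROUPS = {"tommy": ["kibana-readers"], "jay": ["kibana-readers", "es-admins"]}
GROUP_TO_ROLE = {"kibana-readers": "read", "es-admins": "admin"}


@dataclass(frozen=True)
class SsoToken:            # plays the part of a custom AuthenticationToken
    principal: str
    signature: str         # the proxy's assertion about the principal


@dataclass(frozen=True)
class User:                # plays the part of the Shield user object
    username: str
    roles: tuple


def sign(principal: str, secret: bytes = PROXY_SECRET) -> str:
    """What the trusted proxy computes when forwarding an authenticated user."""
    return hmac.new(secret, principal.encode(), hashlib.sha256).hexdigest()


def token(headers: dict) -> Optional[SsoToken]:
    """Phase 1: extract the token from the request; None means 'no token, skip realm'."""
    user, sig = headers.get(USER_HEADER), headers.get(SIG_HEADER)
    if not user or not sig:
        return None
    return SsoToken(user, sig)


def authenticate(tok: SsoToken) -> Optional[User]:
    """Phase 2: validate the assertion, look up groups, map them to roles, build the user."""
    if not hmac.compare_digest(sign(tok.principal), tok.signature):
        return None                       # forged or tampered identity header
    groups = DIRECTORY_GROUPS.get(tok.principal)
    if groups is None:
        return None                       # passed SSO but unknown to AD/LDAP
    roles = tuple(sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}))
    return User(tok.principal, roles)
```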