I did download ELK stack tarballs, installed, configured. All is working fine.
But when I started enabling SSO (via parameter xpack.security.authc.realms.oidc.oidc1 in config file), it says that this is not possible without subscription.
My questions:
Is license required to enable SSO?
If license is purchased, what do I get (maybe some license code that I can input somewhere in the config file)?
Is it still possible to use these tarballs with subscription without moving to Elastic cloud?
Yes, to be able to use SSO you need at least a Platinum License, the only authentication method included in the free and basic license is the native realm.
The license for self-hosted environments is a JSON file that you can update using the license API endpoint, you do not need to use elastic cloud, you can purchase a license for an on-premises/self-hosted cluster.
You can know more about the features included in each license tier on the subscription page.
I just signed for trial subscription. And I don't see any JSON file with license key to just test if it works.
How to test what I wanted in a trial period?
To start a trial on a self-managed installation you need to make a request using the license API.
POST /_license/start_trial
This will change your license from basic to the trial one, it will give all features for 30 days.
You only get a file with a license if you buy one from Elasticsearch and have a self-managed installation, you do not get this if you start the trial using the above request or run it in the elastic cloud, as a license is already included (but not the platinum one).
No, if you do not use Elastic Cloud, you need to buy a license for your self-managed cluster, for that you need to get in touch with Elastic, only they can give you an estimate of the price.
If you used POST /_license/start_trial in your self-managed cluster, you activated the trial license, this will work for 30 days, after that time it will stop working and you will need to revert to the basic license.
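A pre-flight check based on the answers above, as an added example that is not part of the thread or Elastic's own code: it reads a GET /_license response body and reports whether an oidc realm can be enabled and how many trial days remain. The sample bodies and timestamps are constructed, and `check_realm` and `SSO_LICENSE_TYPES` are hypothetical names.

```python
import json

# License types that unlock SSO according to the thread:
# Platinum or above, plus the 30-day trial (which enables all features).
SSO_LICENSE_TYPES = {"platinum", "enterprise", "trial"}

# Constructed sample bodies in the shape returned by GET /_license.
BASIC = '{"license": {"status": "active", "type": "basic"}}'
TRIAL = ('{"license": {"status": "active", "type": "trial", '
         '"expiry_date_in_millis": 1641650000000}}')
NOW_MS = 1639058000000  # constructed "current time", 30 days before TRIAL expires


def check_realm(license_body: str, realm_type: str, now_ms: int) -> dict:
    """Report whether realm_type is usable under the license in license_body."""
    lic = json.loads(license_body)["license"]
    expiry = lic.get("expiry_date_in_millis")  # may be absent, e.g. on basic
    expired = expiry is not None and expiry <= now_ms
    if realm_type == "native":
        # The native realm is included in the free and basic license.
        allowed = True
    elif realm_type == "oidc":
        allowed = (lic.get("status") == "active" and not expired
                   and lic.get("type") in SSO_LICENSE_TYPES)
    else:
        raise ValueError(f"realm type {realm_type!r} is not covered by this check")
    days_left = None if expiry is None else max(0, (expiry - now_ms) // 86_400_000)
    return {"type": lic.get("type"), "allowed": allowed, "days_left": days_left}


if __name__ == "__main__":
    for name, body in (("basic", BASIC), ("trial", TRIAL)):
        print(name, check_realm(body, "oidc", NOW_MS))
```

On a live cluster the body would come from an authenticated GET /_license request made before adding the xpack.security.authc.realms.oidc.oidc1 settings.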
Okay, I now see some errors. What's the expectation here? Do I need to create a user kibana_system in my IdP?
Also I expect the UI to use my logged-in user and should direct to the Kibana UI home page if the user exists and has a role as defined in my IdP and Elasticsearch.
The Kibana UI now goes to login page.
[2021-12-09T13:51:29,780][ERROR][o.e.x.s.a.e.ReservedRealm] [esmaster1] failed to retrieve password hash for reserved user [kibana_system]
org.elasticsearch.action.UnavailableShardsException: at least one primary shard for the index [.security-7] is unavailable
at org.elasticsearch.xpack.security.support.SecurityIndexManager.getUnavailableReason(SecurityIndexManager.java:148) ~[x-pack-security-7.14.0.jar:7.14.0]
at org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.getReservedUserInfo(NativeUsersStore.java:492) [x-pack-security-7.14.0.jar:7.14.0]
at org.elasticsearch.xpack.security.authc.esnative.ReservedRealm.getUserInfo(ReservedRealm.java:220) [x-pack-security-7.14.0.jar:7.14.0]
at org.elasticsearch.xpack.security.authc.esnative.ReservedRealm.doAuthenticate(ReservedRealm.java:96) [x-pack-security-7.14.0.jar:7.14.0]
at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticateWithCache(CachingUsernamePasswordRealm.java:188) [x-pack-security-7.14.0.jar:7.14.0]
[2021-12-09T13:51:29,792][INFO ][o.e.x.s.a.AuthenticationService] [esmaster1] Authentication of [kibana_system] was terminated by realm [reserved] - failed to authenticate user [kibana_system]
POST /_cat/shards/.security-7?v
index shard prirep state docs store ip node
.security-7 0 p STARTED 72 172.1kb 10.45.11.47 esdata1