SSO and Subscription

I downloaded the ELK stack tarballs, installed and configured them. All is working fine.
But when I started enabling SSO (via the parameter xpack.security.authc.realms.oidc.oidc1 in the config file), it says that this is not possible without a subscription.
My questions:

  1. Is license required to enable SSO?
  2. If license is purchased, what do I get (maybe some license code that I can input somewhere in the config file)?
  3. Is it still possible to use these tarballs with subscription without moving to Elastic cloud?

Please help.

Yes, to be able to use SSO you need at least a Platinum license. The only authentication method included in the free Basic license is the native realm.

The license for self-hosted environments is a JSON file that you can update using the license API endpoint. You do not need to use Elastic Cloud; you can purchase a license for an on-premises/self-hosted cluster.

You can learn more about the features included in each license tier on the subscription page.


Thanks for quick response.

I just signed up for a trial subscription, and I don't see any JSON file with a license key to just test if it works.
How do I test what I wanted during the trial period?

Signed where?

To start a trial on a self-managed installation you need to make a request using the license API.

POST /_license/start_trial

This will change your license from Basic to the trial one; it will give you all features for 30 days.

You only get a file with a license if you buy one from Elasticsearch and have a self-managed installation. You do not get this if you start the trial using the above request or run it in Elastic Cloud, as a license is already included (but not the Platinum one).

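The two answers above boil down to a gating rule: SSO realms such as OIDC only work while the cluster's license is a Platinum, Enterprise or active trial one, and a trial stops after 30 days. As an added example (not code from the thread or from Elastic), the function below reads a GET /_license response body and reports whether SSO realms are currently usable and how many days a trial has left; the sample response is constructed, with the field names GET /_license really returns.

```python
"""Decide whether an Elasticsearch license permits SSO realms (OIDC/SAML).

Constructed example: it parses a body shaped like GET /_license and
applies the tier and expiry rules; it does not contact a cluster.
"""
import json
from datetime import datetime, timezone

# Tiers whose subscription includes SSO realms; Basic (and Gold) do not.
SSO_TIERS = {"trial", "platinum", "enterprise"}

# Constructed sample of a 30-day trial license; not captured from a real cluster.
SAMPLE_LICENSE = json.dumps({
    "license": {
        "status": "active",
        "uid": "00000000-0000-0000-0000-000000000000",  # placeholder uid
        "type": "trial",
        "issue_date_in_millis": 1639000000000,           # 2021-12-08T21:46:40Z
        "expiry_date_in_millis": 1641592000000,          # issue + 30 days
        "max_nodes": 1000,
        "issued_to": "example cluster",
        "issuer": "elasticsearch",
        "start_date_in_millis": -1,
    }
})


def sso_status(license_body, now=None):
    """Return (sso_allowed, reason, days_left) for a GET /_license body.

    days_left is None for licenses without an expiry (e.g. a Basic license).
    """
    lic = json.loads(license_body)["license"]
    now = now or datetime.now(timezone.utc)
    ltype = lic.get("type", "basic")
    days_left = None
    expiry_ms = lic.get("expiry_date_in_millis")
    if expiry_ms is not None:
        expiry = datetime.fromtimestamp(expiry_ms / 1000, tz=timezone.utc)
        days_left = (expiry - now).days
        if expiry <= now:
            return False, f"{ltype} license expired; cluster reverts to basic", days_left
    if lic.get("status") != "active":
        return False, f"{ltype} license status is {lic.get('status')!r}", days_left
    if ltype not in SSO_TIERS:
        return False, f"{ltype} license does not include SSO realms", days_left
    return True, f"{ltype} license includes SSO realms", days_left


if __name__ == "__main__":
    print(sso_status(SAMPLE_LICENSE))
```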

Thanks, it worked with that POST API call. Will explore further and come back with any questions.
Earlier I signed up at Elastic Cloud.

@leandrojmp
With this type of license activation, we don't have to use Elastic Cloud, but just pay flat $22 per month? Is that correct?

No. If you do not use Elastic Cloud, you need to buy a license for your self-managed cluster; for that you need to get in touch with Elastic, as only they can give you an estimate of the price.

If you used POST /_license/start_trial in your self-managed cluster, you activated the trial license. This will work for 30 days; after that it will stop working and you will need to revert to the Basic license.

Okay, I now see some errors. What is the expectation here? Do I need to create a user kibana_system in my IdP?
Also, I expect the UI to use my logged-in user and redirect to the Kibana home page if the user exists and has a role as defined in my IdP and Elasticsearch.
The Kibana UI now goes to the login page.

[2021-12-09T13:51:29,780][ERROR][o.e.x.s.a.e.ReservedRealm] [esmaster1] failed to retrieve password hash for reserved user [kibana_system]
org.elasticsearch.action.UnavailableShardsException: at least one primary shard for the index [.security-7] is unavailable
        at org.elasticsearch.xpack.security.support.SecurityIndexManager.getUnavailableReason(SecurityIndexManager.java:148) ~[x-pack-security-7.14.0.jar:7.14.0]
        at org.elasticsearch.xpack.security.authc.esnative.NativeUsersStore.getReservedUserInfo(NativeUsersStore.java:492) [x-pack-security-7.14.0.jar:7.14.0]
        at org.elasticsearch.xpack.security.authc.esnative.ReservedRealm.getUserInfo(ReservedRealm.java:220) [x-pack-security-7.14.0.jar:7.14.0]
        at org.elasticsearch.xpack.security.authc.esnative.ReservedRealm.doAuthenticate(ReservedRealm.java:96) [x-pack-security-7.14.0.jar:7.14.0]
        at org.elasticsearch.xpack.security.authc.support.CachingUsernamePasswordRealm.authenticateWithCache(CachingUsernamePasswordRealm.java:188) [x-pack-security-7.14.0.jar:7.14.0]

[2021-12-09T13:51:29,792][INFO ][o.e.x.s.a.AuthenticationService] [esmaster1] Authentication of [kibana_system] was terminated by realm [reserved] - failed to authenticate user [kibana_system]
POST /_cat/shards/.security-7?v
index       shard prirep state   docs   store ip          node
.security-7 0     p      STARTED   72 172.1kb 10.45.11.47 esdata1

xpack config settings:

xpack.security.authc.token.enabled: true
xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "xxx"
  rp.response_type: code
  rp.redirect_uri: "xxx"
  op.issuer: "xxx"
  op.authorization_endpoint: "xxx"
  op.token_endpoint: "xxx"
  op.jwkset_path: "xxx"
  op.userinfo_endpoint: "hxxx"
  op.endsession_endpoint: "xxx"
  rp.post_logout_redirect_uri: "xxx"
  claims.principal: sub
  claims.groups: ""
