SSO for Embedding Dashboards


(Bobby Richmond) #1

I've been experimenting with embedding Kibana dashboards into our own applications and have run into a few issues. I will preface this by saying we are attempting to make use of the Elastic Cloud (on GCP, if it matters). The original idea was to maintain our current login system and for users to have access to different data in their dashboards based on that. However, just embedding an iframe requires authentication to Kibana, which is fair. Even if we just linked to our Kibana URL, clients would still need to log in once again, however. We would really like some type of SSO into Kibana (with some role mappings so that we can restrict access to certain data).

After digging around, it seems like support for various authentication methods exists, and even a recent SAML method that seems almost perfect. However, when I was trying to investigate how we would implement this on our side, I came across this in the Elastic Cloud documentation: "Only the esusers realm is available. We currently do not support realms such as LDAP, Active Directory, SAML or Shield custom realms."

Are there any plans for adding this support in the future? If not, are there any ways to get our desired behavior (single login, data being restricted by login) through any other methods? Ideally with the ability to embed Kibana dashboards into other applications and not just by redirecting. An anonymous user is a no-go as we do not want any of the data available publicly.

Thanks


(Brandon Kobel) #2

Hey @brichmond, we're actively working on adding SAML support for Elasticsearch and Kibana hosted on Elastic Cloud. Unfortunately, I'm not aware of any workarounds until this is complete.

The ability to allow anonymous access in Kibana is also on our roadmap, and we're tracking it here. If you'd like to give that issue a +1 or comment with your use-case, it'll help us prioritize it appropriately. Until this is implemented, you can use a reverse proxy (nginx, apache, haproxy) to always supply basic authentication headers, so that anyone who can access the reverse proxy will automatically be logged in. You can then embed Kibana in your applications via an iframe.


(Bobby Richmond) #3

Hey Brandon, thanks for the reply.

Is there an area where I can follow SAML support for Elastic Cloud?

I don't think anonymous access is actually the solution to my use-case; I mentioned it because I was under the impression that it worked. I do need the specific roles to limit data retrieval.

Is a reverse proxy a reasonable approach to solve this issue? Keep in mind that I still need different authentication headers based on the logged in user. For example, one user logging in should still be tied to a role where they only see data using the role X whereas another may see data from role Y. Or maybe they just don't have access at all.

Thanks


(Brandon Kobel) #4

> Is there an area where I can follow SAML support for Elastic Cloud?

To keep up with the changes in each release, you can follow the release notes for Cloud here. With regard to the planned work, that's not being made public at this time.

> Is a reverse proxy a reasonable approach to solve this issue? Keep in mind that I still need different authentication headers based on the logged in user. For example, one user logging in should still be tied to a role where they only see data using the role X whereas another may see data from role Y. Or maybe they just don't have access at all.

If you'd like for all users to have to log in, you wouldn't want to hard-code the Basic auth headers in a reverse proxy, as this would make all users who access Kibana via the reverse proxy essentially automatically logged in as the same user.
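
The difference between the hard-coded header from post #2 and the per-user headers asked about in post #3, as an added example that is not part of the thread and not Elastic's code. It assumes the proxy can read the application's own session and that one Kibana account exists per role; the account names, passwords and session shape are constructed placeholders.

```python
import base64

# Constructed sample mapping: application role -> Kibana account.
# Assumption: real passwords are loaded from a secret store, never from source.
ROLE_ACCOUNTS = {
    "role_x": ("kibana_role_x", "example-password-x"),
    "role_y": ("kibana_role_y", "example-password-y"),
}


def basic_auth(user, password):
    """Build an HTTP Basic Authorization header value."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def strip_client_auth(client_headers):
    """Drop any Authorization header the browser sent, so the client
    cannot pick its own Kibana identity through the proxy."""
    return {k: v for k, v in client_headers.items()
            if k.lower() != "authorization"}


def hardcoded_headers(client_headers):
    """Post #2 behaviour: every request is forwarded as the same account,
    so anyone who can reach the proxy sees the same data."""
    headers = strip_client_auth(client_headers)
    headers["Authorization"] = basic_auth(*ROLE_ACCOUNTS["role_x"])
    return headers


def per_user_headers(client_headers, session):
    """Choose the Kibana account from the application session (hypothetical
    dict with a "role" key). Returns None when the request must be refused:
    no login, or a role with no Kibana mapping."""
    role = session.get("role") if session else None
    if role not in ROLE_ACCOUNTS:
        return None  # caller answers 403 and forwards nothing
    headers = strip_client_auth(client_headers)
    headers["Authorization"] = basic_auth(*ROLE_ACCOUNTS[role])
    return headers
```

The proxy itself must only be reachable by users who have passed the application's login, and the iframe should point at the proxy rather than at the Kibana URL directly.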

