Validate SAML token in Kibana

mdconner · May 22, 2015, 4:44pm

Does Kibana support SAML tokens? If not, any assistance with getting this to done (Apache HTTP Server, or other)?

warkolm · May 24, 2015, 2:12am

It currently doesn't support this.

owulff · June 3, 2015, 6:11am

We are also looking into a solution and are considering to Proxy Kibana with Tomcat and the SAML/WS-Federation Plugin Fediz (subproject of Apache CXF). The challenge is the security support in ES itself because it only supports Username/Password and then retrieve the roles from LDAP or file. It would be nice to have an interface where you can provide the roles from any kind of source (SAML Token, HTTP Header). Or is such kind of interface already available?

warkolm · June 3, 2015, 12:04pm

This is not available either sorry!
We are working on extending the functionality to cater for these sorts of uses

mdconner · June 5, 2015, 12:17pm

If looking for suggestions, allowing JAAS (Java Authentication & Authorization Service) plugins would be ideal so we could customize for our environment.

Thanks for the feedback.

martin_goldstone · June 14, 2015, 7:01am

I'm about to go through this as well, my plan is to use Apache httpd as a reverse proxy in front of Kibana, and use mod_shib in httpd for the authentication.

slee · June 23, 2015, 5:41pm

Hi Martin,
I was wondering how your progress was going on this? We want to do something similar, using CA Siteminder with Apache Reverse Proxy. We have it configured up to the point where you specify the index, at which point because of the URLs that Kibana uses, it constantly craps out.

rafrey · November 19, 2015, 6:04pm

Update: One of your competitors has released native SAML v2.0 SSO/SLO support via the following IdP (which is also capable of many other authentication methods being discussed here):

For most use cases, using an authentication proxy does no good if you still need to make an LDAP endpoint available for authorization.

I see this as a barrier to adoption at large organizations that require SAML auth for production systems hosted in public clouds and I am hoping that in consideration of that and the recent adoption of this functionality by competing solutions will allow for this to receive a higher priority within the Elasticsearch project and that you will share this information with your project managers.

I also believe that this needs to be implemented in Sheild per:

Can you please provide us with a status update on this work? An ETA would be excellent.

Thank you.

-- Rob Frey

warkolm · November 20, 2015, 5:43am

FYI there is now https://www.elastic.co/guide/en/shield/current/custom-realms.html in the latest release of Shield.

Johntdyer · February 20, 2017, 1:41pm

Are there any plans to support SAML as a first class citizen in xpack ? Seems like I should have to write my own for this... FWIW this is a first class feature in your competitors products

warkolm · February 20, 2017, 8:24pm

Yes this is something we are working on now.