Validate SAML token in Kibana


(Mike Conner) #1

Does Kibana support SAML tokens? If not, any assistance with getting this to done (Apache HTTP Server, or other)?


(Mark Walkom) #2

It currently doesn't support this.


(Owulff) #3

We are also looking into a solution and are considering proxying Kibana with Tomcat and the SAML/WS-Federation plugin Fediz (a subproject of Apache CXF). The challenge is the security support in ES itself, because it only supports username/password and then retrieves the roles from LDAP or a file. It would be nice to have an interface where you can provide the roles from any kind of source (SAML token, HTTP header). Or is such an interface already available?


SAML support, custom authentication plugins
(Mark Walkom) #4

This is not available either sorry!
We are working on extending the functionality to cater for these sorts of uses :slight_smile:


(Mike Conner) #5

If you are looking for suggestions, allowing JAAS (Java Authentication & Authorization Service) plugins would be ideal so we could customize for our environment.

Thanks for the feedback.


(Martin Goldstone) #6

I'm about to go through this as well. My plan is to use Apache httpd as a reverse proxy in front of Kibana, and use mod_shib in httpd for the authentication.
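An added configuration example (not from Martin or any other poster in this thread) of the setup described in the post above: an Apache httpd 2.4 virtual host that requires a Shibboleth (mod_shib) SAML session before proxying anything to Kibana. It assumes Kibana listens only on 127.0.0.1:5601, that mod_proxy, mod_proxy_http, mod_headers, mod_ssl and mod_shib are loaded, that shibd is already configured against your IdP, and the hostname and header name are placeholders.

```apache
# Added example: mod_shib-protected reverse proxy in front of Kibana.
# Assumptions: Kibana bound to 127.0.0.1:5601 (not reachable directly),
# shibd configured for your IdP, hostname/header name are placeholders.
<VirtualHost *:443>
    ServerName kibana.example.org
    SSLEngine on
    # certificate/key directives omitted

    # Shibboleth SP endpoints (metadata, assertion consumer, logout).
    <Location /Shibboleth.sso>
        SetHandler shib
    </Location>

    # Every other path needs a valid SAML session before it is proxied,
    # which also covers Kibana's /app/ and /api/ URLs.
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session
        # Optional: restrict to an IdP-released attribute, e.g. a group:
        # Require shib-attr memberOf kibana-users

        # Drop any client-supplied identity header, then set it from the
        # authenticated session so the backend cannot be fed a spoofed user.
        RequestHeader unset X-Remote-User
        RequestHeader set X-Remote-User "%{REMOTE_USER}s"
    </Location>

    ProxyPreserveHost On
    # Keep the SP handler local; proxy everything else to Kibana.
    ProxyPass /Shibboleth.sso !
    ProxyPass / http://127.0.0.1:5601/
    ProxyPassReverse / http://127.0.0.1:5601/
</VirtualHost>
```

This only authenticates at the proxy; as the thread notes, Elasticsearch itself still needs its own username/password (or a custom realm) for authorization, so the header is informational unless a backend is configured to trust it.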


#7

Hi Martin,
I was wondering how your progress was going on this? We want to do something similar, using CA SiteMinder with an Apache reverse proxy. We have it configured up to the point where you specify the index, at which point, because of the URLs that Kibana uses, it constantly craps out.


(Robert Frey) #8

Update: One of your competitors has released native SAML v2.0 SSO/SLO support via the following IdP (which is also capable of many other authentication methods being discussed here):

https://www.pingidentity.com/en/products/pingfederate.html

For most use cases, using an authentication proxy does no good if you still need to make an LDAP endpoint available for authorization.

I see this as a barrier to adoption at large organizations that require SAML auth for production systems hosted in public clouds, and I am hoping that, in consideration of that and the recent adoption of this functionality by competing solutions, this will receive a higher priority within the Elasticsearch project and that you will share this information with your project managers.

I also believe that this needs to be implemented in Shield per:

Can you please provide us with a status update on this work? An ETA would be excellent.

Thank you.

-- Rob Frey


(Mark Walkom) #9

FYI there is now https://www.elastic.co/guide/en/shield/current/custom-realms.html in the latest release of Shield.


(John Dyer) #10

Are there any plans to support SAML as a first-class citizen in X-Pack? Seems like I should have to write my own for this... FWIW this is a first-class feature in your competitors' products.


(Mark Walkom) #11

Yes, this is something we are working on now.
