XPACK Custom Realm with SSO integration

We have SiteMinder at our company. After a user logs in through SiteMinder, an SSO token, a JSON Web Token (JWT), is injected as "Authorization: Bearer ..." and sent to the downstream application (Kibana). How can we make this work so that the user doesn't have to log into Kibana?

What was done

  1. Wrote a JWT-enabled custom realm
  2. The JWT custom realm works like a champ:

curl -H 'Authorization:Bearer eyJraWQiOiJwdWJsaWNfa2V5LnBlbSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJqdmVtdWd1bnRhIiwicm9sZXMiOiJraWJhbmFfdXNlcixzaGFrZXNwZWFyZV9iYW5rX3JlYWQiLCJleHAiOjE1MTA5NzEzMzYsImlhdCI6MTUxMDkzNTMzN30.TY3gCPei1WavQUqo4tAc9bGMjFvjzeJWCeq7jxyV2gjaRyPrbpKeakn9jm11N6UngSHIE3PWqAgCwDOhgco887QUL3uXcOWzkFkvN0mAKYHaS0_3-Sq30JLyXX8Nw7TSr7izNG2_6pEGrWE5_oelYktP1fUst9FvxmoB1eZrJpTIIVAChnJNz7kEH7pXk7rEo_fiNSi5mQyqgFNDwPBph-udJvXl5BoGs4ZBOvrwEUC9mlN8bUgcVpu12NJZCwkCAZEpLnMqNcOe4iKF0tiMyYDdv8Lq_6u3I3a66xq1k0K1s68Bn9tNswsripIEQx__yjkNp8Y15whScHHrL86mNn7Xkc17jZBlUpoZe4m-hIiaRagVWk-Y94OsziGQUOcT_fdOhOkF__yTa7JzGUpTKs0dpI2ASWZi2LEzV1LblUVpm7d2IKm2uQovC8LSV0ZFczXbJxLueAdt6Ap22lJWVsg1AjctgvO2juXyfxM_AcVLpJSFkNGeJxfr6Hr2sV7gnNZH4M6hPKaOeFqVN5ofwM9ng5WNpLAnvqYiyfrO6WO1p_cGbH8lBaOR3i1WLSi9uTZEAbgzaL9HB_Cp7UVMZyoGDIqqmLE5lcwT3b-Cfd-kQs4GWgqLpqrL9_Iaw02el9JWFA7gFq7PehseowKVsicZa4Nrw85e1gMQAsyn3l4' 'localhost:9200/bank/account/1?pretty'
jvemugunta:Downloads jvemugunta$ curl -H 'JWT_Authorization:Bearer eyJraWQiOiJwdWJsaWNfa2V5LnBlbSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJqdmVtdWd1bnRhIiwicm9sZXMiOiJraWJhbmFfdXNlcixzaGFrZXNwZWFyZV9iYW5rX3JlYWQiLCJleHAiOjE1MTA5NzEzMzYsImlhdCI6MTUxMDkzNTMzN30.TY3gCPei1WavQUqo4tAc9bGMjFvjzeJWCeq7jxyV2gjaRyPrbpKeakn9jm11N6UngSHIE3PWqAgCwDOhgco887QUL3uXcOWzkFkvN0mAKYHaS0_3-Sq30JLyXX8Nw7TSr7izNG2_6pEGrWE5_oelYktP1fUst9FvxmoB1eZrJpTIIVAChnJNz7kEH7pXk7rEo_fiNSi5mQyqgFNDwPBph-udJvXl5BoGs4ZBOvrwEUC9mlN8bUgcVpu12NJZCwkCAZEpLnMqNcOe4iKF0tiMyYDdv8Lq_6u3I3a66xq1k0K1s68Bn9tNswsripIEQx__yjkNp8Y15whScHHrL86mNn7Xkc17jZBlUpoZe4m-hIiaRagVWk-Y94OsziGQUOcT_fdOhOkF__yTa7JzGUpTKs0dpI2ASWZi2LEzV1LblUVpm7d2IKm2uQovC8LSV0ZFczXbJxLueAdt6Ap22lJWVsg1AjctgvO2juXyfxM_AcVLpJSFkNGeJxfr6Hr2sV7gnNZH4M6hPKaOeFqVN5ofwM9ng5WNpLAnvqYiyfrO6WO1p_cGbH8lBaOR3i1WLSi9uTZEAbgzaL9HB_Cp7UVMZyoGDIqqmLE5lcwT3b-Cfd-kQs4GWgqLpqrL9_Iaw02el9JWFA7gFq7PehseowKVsicZa4Nrw85e1gMQAsyn3l4' 'localhost:9200/bank/account/1?pretty'
{
  "_index" : "bank",
  "_type" : "account",
  "_id" : "1",
  "_version" : 1,
  "found" : true,
  "_source" : {
    "account_number" : 1,
    "balance" : 39225,
    "firstname" : "Amber",
    "lastname" : "Duke",
    "age" : 32,
    "gender" : "M",
    "address" : "880 Holmes Lane",
    "employer" : "Pyrami",
    "email" : "amberduke@pyrami.com",
    "city" : "Brogan",
    "state" : "IL"
  }
}

  3. This means Elasticsearch is protected by the JWT realm.

  4. Now, how can I make Kibana accept the JWT Authorization Bearer token and bypass its security? Appreciate any insights.
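The following is an added example and not the poster's realm code (an Elasticsearch custom realm is a Java plugin; this is a stand-alone Python model of what such a realm has to check before it trusts a bearer JWT). The claims are the ones decoded from the token posted above; everything else is assumed: the RSA key pair is generated at run time instead of being loaded from the PEM named by the `kid` header, the issuer-side `make_token` stands in for what SiteMinder does, and the `roles` claim is treated as the comma-separated string the posted token carries. RS256 signing and verification are done with the standard library only, so it runs offline.

```python
import base64
import hashlib
import json
import random
import time

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2 note 1

# Claims decoded from the token in the post above (the page's own data).
PAGE_CLAIMS = {"sub": "jvemugunta", "roles": "kibana_user,shakespeare_bank_read",
               "exp": 1510971336, "iat": 1510935337}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; only used by the demo key generator."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact size, odd
        if _is_probable_prime(c):
            return c

def generate_rsa_keypair(bits: int = 1024):
    """Demo-only keys (assumption: a real realm loads the PEM named by `kid`)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)  # (n, e, d)

def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) as a k-byte integer."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(n: int, d: int, signing_input: bytes) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(signing_input, k), d, n).to_bytes(k, "big")

def rs256_verify(n: int, e: int, signing_input: bytes, sig: bytes) -> bool:
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    return len(sig) == k and s < n and pow(s, e, n) == _emsa_pkcs1_v15(signing_input, k)

def make_token(n: int, d: int, kid: str, claims: dict) -> str:
    """Issuer side (SiteMinder in the thread); here only so the demo is self-contained."""
    def compact(o):
        return b64url_encode(json.dumps(o, separators=(",", ":")).encode())
    signing_input = f"{compact({'kid': kid, 'alg': 'RS256'})}.{compact(claims)}"
    return f"{signing_input}.{b64url_encode(rs256_sign(n, d, signing_input.encode()))}"

class JwtRealm:
    """The checks a bearer-JWT realm must make before trusting `sub` and `roles`."""
    ALLOWED_ALGS = {"RS256"}  # never "none"; never HS* with an RSA key (key confusion)
    def __init__(self, public_keys_by_kid: dict, leeway: int = 60):
        self.keys = public_keys_by_kid
        self.leeway = leeway

    def authenticate(self, authorization: str, now: float = None) -> dict:
        now = time.time() if now is None else now
        scheme, _, token = authorization.partition(" ")
        if scheme != "Bearer" or token.count(".") != 2:
            raise ValueError("not a bearer JWT")
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        if header.get("alg") not in self.ALLOWED_ALGS:
            raise ValueError("alg not allowed")
        key = self.keys.get(header.get("kid"))
        if key is None:
            raise ValueError("unknown kid")
        # Verify over the raw header.payload text, before parsing any claim.
        if not rs256_verify(*key, f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(p_b64))
        if "sub" not in claims or claims.get("exp", 0) + self.leeway < now:
            raise ValueError("missing sub or token expired")
        roles = [r for r in claims.get("roles", "").split(",") if r]
        return {"username": claims["sub"], "roles": roles}
```

The order matters: the `alg` allow-list and the `kid` lookup happen before the signature check, and the signature is verified over the untouched `header.payload` text before any claim is read, so a token with `"alg":"none"`, a tampered `roles` claim, or an expired `exp` never reaches the role mapping. Pass `now=` explicitly when exercising the realm with the 2017 claims from the post.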

Hi @jvemugunta,

At the moment Kibana X-Pack Security only recognizes Authorization: Basic xxxx as valid credentials, even though Elasticsearch may support other authentication schemes.

The only option I can think of right now is to disable security in Kibana as described here: Disable login in Kibana 5.3 or Login in Kibana using Custom Realm installed in Elasticsearch. This way security will still be enforced by your realm at Elasticsearch, but you won't see the login screen in Kibana.

P.S. We're actively working on improving that situation in Kibana, stay tuned!

Let me know if you still have questions.

Thanks,
Oleg
