XPACK Custom Realm with SSO integration

jvemugunta · November 17, 2017, 6:53pm

We have SiteMinder at your company. After user logs through Siteminder, A SSO token called as JSON Web Token (JWT) is injected as "Authorization Bearer " and sent to the downstream application (Kibana). How to make it work so that user doesn't log into Kibana

What was done

Wrote a JWT enabled custom Realm
The JWT custom realm works like a champ

curl -H 'Authorization:Bearer eyJraWQiOiJwdWJsaWNfa2V5LnBlbSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJqdmVtdWd1bnRhIiwicm9sZXMiOiJraWJhbmFfdXNlcixzaGFrZXNwZWFyZV9iYW5rX3JlYWQiLCJleHAiOjE1MTA5NzEzMzYsImlhdCI6MTUxMDkzNTMzN30.TY3gCPei1WavQUqo4tAc9bGMjFvjzeJWCeq7jxyV2gjaRyPrbpKeakn9jm11N6UngSHIE3PWqAgCwDOhgco887QUL3uXcOWzkFkvN0mAKYHaS0_3-Sq30JLyXX8Nw7TSr7izNG2_6pEGrWE5_oelYktP1fUst9FvxmoB1eZrJpTIIVAChnJNz7kEH7pXk7rEo_fiNSi5mQyqgFNDwPBph-udJvXl5BoGs4ZBOvrwEUC9mlN8bUgcVpu12NJZCwkCAZEpLnMqNcOe4iKF0tiMyYDdv8Lq_6u3I3a66xq1k0K1s68Bn9tNswsripIEQx__yjkNp8Y15whScHHrL86mNn7Xkc17jZBlUpoZe4m-hIiaRagVWk-Y94OsziGQUOcT_fdOhOkF__yTa7JzGUpTKs0dpI2ASWZi2LEzV1LblUVpm7d2IKm2uQovC8LSV0ZFczXbJxLueAdt6Ap22lJWVsg1AjctgvO2juXyfxM_AcVLpJSFkNGeJxfr6Hr2sV7gnNZH4M6hPKaOeFqVN5ofwM9ng5WNpLAnvqYiyfrO6WO1p_cGbH8lBaOR3i1WLSi9uTZEAbgzaL9HB_Cp7UVMZyoGDIqqmLE5lcwT3b-Cfd-kQs4GWgqLpqrL9_Iaw02el9JWFA7gFq7PehseowKVsicZa4Nrw85e1gMQAsyn3l4' 'localhost:9200/bank/account/1?pretty'
jvemugunta:Downloads jvemugunta$ curl -H 'JWT_Authorization:Bearer eyJraWQiOiJwdWJsaWNfa2V5LnBlbSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJqdmVtdWd1bnRhIiwicm9sZXMiOiJraWJhbmFfdXNlcixzaGFrZXNwZWFyZV9iYW5rX3JlYWQiLCJleHAiOjE1MTA5NzEzMzYsImlhdCI6MTUxMDkzNTMzN30.TY3gCPei1WavQUqo4tAc9bGMjFvjzeJWCeq7jxyV2gjaRyPrbpKeakn9jm11N6UngSHIE3PWqAgCwDOhgco887QUL3uXcOWzkFkvN0mAKYHaS0_3-Sq30JLyXX8Nw7TSr7izNG2_6pEGrWE5_oelYktP1fUst9FvxmoB1eZrJpTIIVAChnJNz7kEH7pXk7rEo_fiNSi5mQyqgFNDwPBph-udJvXl5BoGs4ZBOvrwEUC9mlN8bUgcVpu12NJZCwkCAZEpLnMqNcOe4iKF0tiMyYDdv8Lq_6u3I3a66xq1k0K1s68Bn9tNswsripIEQx__yjkNp8Y15whScHHrL86mNn7Xkc17jZBlUpoZe4m-hIiaRagVWk-Y94OsziGQUOcT_fdOhOkF__yTa7JzGUpTKs0dpI2ASWZi2LEzV1LblUVpm7d2IKm2uQovC8LSV0ZFczXbJxLueAdt6Ap22lJWVsg1AjctgvO2juXyfxM_AcVLpJSFkNGeJxfr6Hr2sV7gnNZH4M6hPKaOeFqVN5ofwM9ng5WNpLAnvqYiyfrO6WO1p_cGbH8lBaOR3i1WLSi9uTZEAbgzaL9HB_Cp7UVMZyoGDIqqmLE5lcwT3b-Cfd-kQs4GWgqLpqrL9_Iaw02el9JWFA7gFq7PehseowKVsicZa4Nrw85e1gMQAsyn3l4' 'localhost:9200/bank/account/1?pretty'
{
"_index" : "bank",
"_type" : "account",
"_id" : "1",
"_version" : 1,
"found" : true,
"_source" : {
"account_number" : 1,
"balance" : 39225,
"firstname" : "Amber",
"lastname" : "Duke",
"age" : 32,
"gender" : "M",
"address" : "880 Holmes Lane",
"employer" : "Pyrami",
"email" : "amberduke@pyrami.com",
"city" : "Brogan",
"state" : "IL"
}
}

This means Elastic Search is protected by JWT realm
Now, how I can I make Kibana accept JWT Authorization Bearer token and bypass its security. Apprecaite any insights.

azasypkin · November 24, 2017, 12:26pm

Hi @jvemugunta,

At the moment Kibana X-Pack Security only recognizes Authorization: Basic xxxx as valid credentials even though Elasticsearch may support other authentication schemas.

The only option I can think of right now is to disable security in Kibana like described here: Disable login in Kibana 5.3 or Login in Kibana using Custom Realm installed in Elasticsearch. This way security will still be enforced by your realm at Elasticsearch, but you won't see Login screen in Kibana.

P.S. We're actively working on improving that situation in Kibana, stay tuned!

Let me know if you still have questions.

Thanks,
Oleg

system · December 22, 2017, 12:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.