Alibaba Cloud Elasticsearch allows you to implement Security Assertion Markup Language (SAML) single sign-on (SSO) to the Kibana console of an Elasticsearch cluster. This topic describes how to use Alibaba Cloud Identity as a Service (IDaaS) to implement SAML SSO to the Kibana console of an Alibaba Cloud Elasticsearch cluster. IDaaS serves as the identity provider (IdP), and Kibana serves as the service provider (SP).
Background information
In SAML, Kibana serves as the SP and allows you to configure SAML 2.0 SSO based on a web browser and configure SAML 2.0 single logout (SLO). This way, you can use an IdP that complies with SAML 2.0, such as IDaaS or Active Directory Federation Service (AD FS), to access Elasticsearch and Kibana. In this example, IDaaS is used as the IdP.
SSO:
SSO is an authentication scheme in which a user authenticates once and is then granted access to every application or website that trusts that authentication. After the logon, you can access all mutually trusted application systems without signing in again.
SAML:
SAML is an XML-based open standard that implements SSO across security domains. SAML transfers identity information between an IdP and an SP by using signed security tokens (SAML responses) that contain assertions about the authenticated subject. SAML is a mature federation protocol that is widely used in public and private clouds.
IDaaS:
IDaaS is a centralized platform that provides management of identities, permissions, and applications for enterprises. IDaaS supports various services, such as Employee Identity and Access Management (EIAM) and Customer Identity and Access Management (CIAM).
Prerequisites
An Alibaba Cloud Elasticsearch cluster is created, and HTTPS is enabled for the cluster. In this example, an Alibaba Cloud Elasticsearch V7.10 cluster is used. The operations and configurations that are required to implement SSO for Elasticsearch clusters vary based on the version.
Note: For information about how to create an Elasticsearch cluster, see Create an Alibaba Cloud Elasticsearch cluster. For information about how to enable HTTPS for an Elasticsearch cluster, see Enable HTTPS.
An IDaaS EIAM instance is created.
Note: Elasticsearch supports only HTTP-Redirect binding for SAML authentication requests (the AuthnRequest it sends to the IdP) and does not support other methods such as HTTP-POST binding for that step. Because both the request and the response are carried through the browser, the IdP and the SP do not need to reach each other over the network; you need to only make sure that your computer can access both the IdP and the SP.
Procedure
Step 1: Configure the IDaaS SAML application
Log on to the IDaaS console.
Find the EIAM instance on the EIAM page and click the instance ID.
Add the SAML application.
In the left-side navigation pane of the Quick Start page, click Applications.
On the Applications page, click Add Application.
On the Add Application page, click the Standard Protocols tab.
In the SAML 2.0 card, click Add Application.
In the Name field, enter a name for the application. Then, click Add.
Click the Sign-In tab. The SSO subtab appears. On the SSO subtab, configure SSO settings for the application.
You must configure the parameters that are described in the following table. You can retain default values for other parameters. For more information about the parameters, see Parameters in IDaaS in the SAML 2.0 SSO Configuration topic.
Basic settings:

ACS URL: The Assertion Consumer Service (ACS) endpoint that receives the SAML response from the IdP. The ACS endpoint supports only HTTP-POST binding. In most cases, configure this parameter as follows:
If your Elasticsearch cluster is deployed in the cloud-native control architecture, use the format
${kibana-url}:443/api/security/saml/callback
If your Elasticsearch cluster is not deployed in the cloud-native control architecture, use the format
${kibana-url}:5601/api/security/v1/saml
Note: ${kibana-url} indicates the public URL of Kibana.

SP Entity ID: The unique identifier of the SP. In this example, the SP is Kibana. Configure this parameter in the format
${kibana-url}:443
or
${kibana-url}:5601
Note: ${kibana-url} indicates the public URL of Kibana.

Authorize: The authorization scope. If you set this parameter to Manually, you must grant users or groups access to the application on the Authorize subtab of the Sign-In tab; users that are not authorized cannot sign in to Kibana through this application.

Advanced settings:

NameIDFormat: Select 2.0 persistent from the drop-down list. This must match the attributes.principal setting (nameid:persistent) that you configure in Elasticsearch in Step 2.
Note: You can view the public URL and public port of Kibana on the Kibana Configuration page in the Elasticsearch console. For more information, see Configure a public or private IP address whitelist for Kibana.
In the Application Settings section, click Download next to the value of the IdP Metadata parameter.
The IDaaS SAML metadata is downloaded as a configuration file for subsequent use.
Step 2: Create a custom role and configure the SAML information in Elasticsearch
Log on to the Kibana console of the Elasticsearch cluster. For more information, see Log on to the Kibana console.
Create a custom role. For more information, see Use the RBAC mechanism provided by Elasticsearch X-Pack to implement access control.
Map the role to the SAML realm.
Replace <admin_role> with the name of the role created in the preceding step. The rule below matches every user who authenticates through the saml1 realm, so every IDaaS user who is authorized for the application receives this role; if you need finer-grained access, restrict the rule further, for example with a groups field rule on the attribute that you map as attributes.groups in Step 2.

PUT /_security/role_mapping/idaas-test
{
  "roles": [ "<admin_role>" ],
  "enabled": true,
  "rules": {
    "field": { "realm.name": "saml1" }
  }
}
Add SAML information to the YML configuration files of Elasticsearch and Kibana.
Note: The SAML information that you add to the YML configuration files must be consistent with the SAML information configured in Step 1: Configure the IDaaS SAML application. In particular, sp.entity_id must equal SP Entity ID, sp.acs must equal ACS URL, and idp.entity_id must equal the entityID in the downloaded IdP metadata.
YML configuration file of Elasticsearch
Elasticsearch cluster that is deployed in the cloud-native control architecture (port for Kibana: 443)

# YML configuration file of Elasticsearch
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.saml.saml1:
  order: 2
  idp.metadata.path: saml/metadata.xml
  idp.entity_id: "https://l2cm8ccn.aliyunidaas.com/api/v2/app_mueycrtjtumouafhydzuq3zx3a/saml2/meta"
  sp.entity_id: "https://es-cn-pe33****-kibana.cn-zhangjiakou.elasticsearch.aliyuncs.com:443"
  sp.acs: "https://es-cn-pe33****-kibana.cn-zhangjiakou.elasticsearch.aliyuncs.com:443/api/security/saml/callback"
  attributes.principal: "nameid:persistent"
  attributes.groups: "roles"

Elasticsearch cluster that is not deployed in the cloud-native control architecture (port for Kibana: 5601)

# YML configuration file of Elasticsearch
xpack.security.authc.token.enabled: true
xpack.security.authc.realms.saml.saml1:
  order: 2
  idp.metadata.path: saml/metadata.xml
  idp.entity_id: "https://es-cn-n6xxxxxx1d.elasticsearch.aliyuncs.com/"
  sp.entity_id: "https://es-cn-n6xxxxxx1d.kibana.elasticsearch.aliyuncs.com:5601/"
  sp.acs: "https://es-cn-n6xxxxxx1d.kibana.elasticsearch.aliyuncs.com:5601/api/security/v1/saml"
  attributes.principal: "nameid:persistent"
  attributes.groups: "roles"
xpack.security.authc.token.enabled: Specifies whether to enable the token service. You must set this parameter to true for SAML SSO, because Kibana exchanges the SAML response for an Elasticsearch access token. For more information, see saml-enable-token.

xpack.security.authc.realms.saml.saml1: The SAML authentication realm. In this example, the realm is named saml1. This name is referenced by the role mapping (realm.name) and by the Kibana provider (realm). For more information about realms, see Realms.

order: The priority of the realm. A smaller value indicates a higher priority.
Note: In Elasticsearch V8.x clusters, the order value must be unique across all configured realms. We recommend that you set this parameter to 2.

idp.metadata.path: The path of the IdP metadata configuration file that you downloaded in Step 1. In this example, technical support places the file at config/saml/metadata.xml, so the value is saml/metadata.xml (relative to the config directory).

idp.entity_id: The identifier of the IdP. The value must match the entityID attribute of the EntityDescriptor element in the metadata configuration file.

sp.entity_id: The unique identifier of Kibana as an SP. The value must be the same as the SP Entity ID parameter in the configuration of the SAML application. We recommend that you set this parameter to the public URL of Kibana.
Important: Make sure that the value of this parameter is consistent with the information of your business environment. If you access Kibana through a reverse proxy, you must specify the endpoint and port number of the reverse proxy in this parameter.

sp.acs: The ACS endpoint that receives the SAML response from the IdP. The value must be the same as the ACS URL parameter in the configuration of the SAML application. The ACS endpoint supports only HTTP-POST binding. In most cases, configure this parameter as follows:
If your Elasticsearch cluster is deployed in the cloud-native control architecture, use the format
${kibana-url}:443/api/security/saml/callback
If your Elasticsearch cluster is not deployed in the cloud-native control architecture, use the format
${kibana-url}:5601/api/security/v1/saml
Note: ${kibana-url} indicates the public URL of Kibana.

attributes.principal: The SAML attribute that supplies the Elasticsearch username. nameid:persistent uses the persistent NameID of the subject, which corresponds to the 2.0 persistent NameIDFormat selected in Step 1. For more information, see Attribute mapping.

attributes.groups: The SAML attribute whose values are exposed as the user's groups and can be matched with a groups field rule in role mappings. In this example, the attribute is named roles. For more information, see Attribute mapping.
YML configuration file of Kibana
# YML configuration file of Kibana
xpack.security.authc.providers:
  saml.saml1:
    order: 0
    realm: "saml1"
  basic.basic1:
    order: 1
    icon: "logoElasticsearch"
    hint: "Typically for administrators"
xpack.security.authc.providers: The authentication providers of Kibana. Configuring a saml provider here makes SAML SSO an identity authentication method of Kibana; the order values control the order in which the providers are shown on the logon selector.

xpack.security.authc.providers.saml.<provider-name>.realm: The SAML authentication realm that the provider uses. <provider-name> is the name of the Kibana provider (saml1 in this example, which is also the name shown on the logon page as saml/saml1). Set realm to the name of the SAML realm that you configured in the YML configuration file of Elasticsearch (saml1 in this example).

xpack.security.authc.providers.basic.basic1: After you configure a saml provider in the YML configuration file of Kibana, only users who have passed SAML authentication can log on through that provider. To keep a username-and-password logon available, configure the basic.basic1 provider. This is useful while you test SSO: you may need to log on with the elastic user to create the role and the role mapping before the first SAML user can sign in. When basic.basic1 is configured, the Kibana logon page displays an entry point for logon with a username and password. For more information, see Authentication in Kibana.
Note: If you do not need to log on to the Kibana console with a username and password, you do not need to configure the items in basic.basic1.
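The following Python script is an added example; it is not part of the original page and not an Alibaba Cloud or Elastic tool. It cross-checks the three inputs that Step 1 and Step 2 require to agree (the downloaded IdP metadata, the Elasticsearch realm settings, and the Kibana provider settings) before they are submitted in Step 3: the IdP entityID, the HTTP-Redirect binding, the ACS path and port for the chosen architecture, the realm name that Kibana references, and the persistent NameID format. The metadata XML, hostnames and entity IDs are constructed placeholders, and the settings are given as flattened dotted keys rather than parsed from YML.

```python
"""Cross-check SAML settings before submitting them (added example, not
Alibaba Cloud tooling). Metadata XML, hostnames and entity IDs are constructed
placeholders."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# Expected Kibana port and ACS path per deployment architecture (see the table above).
ACS_PATH = {"cloud-native": (443, "/api/security/saml/callback"),
            "classic": (5601, "/api/security/v1/saml")}

# Constructed IdP metadata in the shape of an IdP metadata download.
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml2/meta">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml2/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Elasticsearch settings, flattened to dotted keys like the YML above.
ES_SETTINGS = {
    "xpack.security.authc.token.enabled": True,
    "xpack.security.authc.realms.saml.saml1.order": 2,
    "xpack.security.authc.realms.saml.saml1.idp.entity_id": "https://idp.example.com/saml2/meta",
    "xpack.security.authc.realms.saml.saml1.sp.entity_id": "https://kibana.example.com:443",
    "xpack.security.authc.realms.saml.saml1.sp.acs":
        "https://kibana.example.com:443/api/security/saml/callback",
    "xpack.security.authc.realms.saml.saml1.attributes.principal": "nameid:persistent",
}
# Constructed Kibana settings.
KIBANA_SETTINGS = {"xpack.security.authc.providers.saml.saml1.order": 0,
                   "xpack.security.authc.providers.saml.saml1.realm": "saml1"}


def saml_realms(settings):
    """Group xpack.security.authc.realms.saml.<name>.<sub> keys into {name: {sub: value}}."""
    prefix = "xpack.security.authc.realms.saml."
    realms = {}
    for key, value in settings.items():
        if key.startswith(prefix):
            name, _, sub = key[len(prefix):].partition(".")
            realms.setdefault(name, {})[sub] = value
    return realms


def check_saml_config(metadata_xml, es_settings, kibana_settings, architecture):
    """Return a list of inconsistencies; an empty list means the inputs agree."""
    problems = []
    root = ET.fromstring(metadata_xml)
    idp_entity_id = root.get("entityID")
    bindings = {e.get("Binding") for e in root.iterfind(".//md:SingleSignOnService", MD)}
    nameid_formats = {e.text.strip() for e in root.iterfind(".//md:NameIDFormat", MD) if e.text}

    # Elasticsearch sends its AuthnRequest only over HTTP-Redirect.
    if REDIRECT not in bindings:
        problems.append("IdP metadata has no HTTP-Redirect SingleSignOnService")
    if es_settings.get("xpack.security.authc.token.enabled") is not True:
        problems.append("xpack.security.authc.token.enabled must be true")

    realms = saml_realms(es_settings)
    if not realms:
        problems.append("no saml realm configured in Elasticsearch")
    orders = [r.get("order") for r in realms.values()]
    if len(orders) != len(set(orders)):
        problems.append("realm order values must be unique")

    port, path = ACS_PATH[architecture]
    for name, realm in realms.items():
        if realm.get("idp.entity_id") != idp_entity_id:
            problems.append(f"{name}: idp.entity_id differs from metadata entityID {idp_entity_id!r}")
        acs = urlsplit(realm.get("sp.acs", ""))
        sp = urlsplit(realm.get("sp.entity_id", ""))
        if acs.scheme != "https":
            problems.append(f"{name}: sp.acs must use https")
        if (acs.hostname, acs.port) != (sp.hostname, sp.port):
            problems.append(f"{name}: sp.acs and sp.entity_id differ in host or port")
        if acs.port != port or acs.path != path:
            problems.append(f"{name}: sp.acs must end with :{port}{path} for {architecture}")
        if (realm.get("attributes.principal") == "nameid:persistent"
                and nameid_formats and PERSISTENT not in nameid_formats):
            problems.append(f"{name}: IdP metadata does not advertise the persistent NameIDFormat")

    # Every Kibana saml provider must reference a realm that exists in Elasticsearch.
    kprefix = "xpack.security.authc.providers.saml."
    for key, value in kibana_settings.items():
        if key.startswith(kprefix) and key.endswith(".realm") and value not in realms:
            problems.append(f"Kibana provider {key} references unknown realm {value!r}")
    return problems


if __name__ == "__main__":
    for problem in check_saml_config(IDP_METADATA, ES_SETTINGS, KIBANA_SETTINGS, "cloud-native"):
        print("PROBLEM:", problem)
```

Run it with the real metadata file and your own settings dictionaries before opening the ticket; any line it prints is a mismatch that would otherwise surface only as a failed logon after technical support has applied the configuration. Pass "classic" as the architecture for clusters that use port 5601.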
Step 3: Submit configuration files
Submit a ticket to provide the following configuration files to the Alibaba Cloud Elasticsearch technical support personnel:
IDaaS SAML metadata configuration file: The technical support personnel upload the IDaaS SAML metadata configuration file that you submit to the config/saml path of Elasticsearch, where the idp.metadata.path setting expects it.
YML configuration file of Elasticsearch: The technical support personnel update the YML configuration file of your Elasticsearch cluster at the backend based on the configuration file that you submit.
YML configuration file of Kibana: The technical support personnel update the YML configuration file of the Kibana node of your cluster at the backend based on the configuration file that you submit.
Step 4: Verify SSO to the Kibana console
After the preceding configuration is complete, log on to the Kibana console by using SSO.
Go to the logon page of the Kibana console and click Log in with saml/saml1.
For more information, see Log on to the Kibana console.
You are redirected to IDaaS. Enter the credentials of an IDaaS account that is authorized for the SAML application and click Submit.
The homepage of the Kibana console appears.