Elasticsearch: Implement SSO for an Elasticsearch cluster

Last Updated: Mar 21, 2024

Alibaba Cloud Elasticsearch allows you to implement Security Assertion Markup Language (SAML) single sign-on (SSO) to the Kibana console of an Elasticsearch cluster. This topic describes how to use Alibaba Cloud Identity as a Service (IDaaS) to implement SAML SSO to the Kibana console of an Alibaba Cloud Elasticsearch cluster. IDaaS serves as the identity provider (IdP), and Kibana serves as the service provider (SP).

Background information

In SAML, Kibana serves as the SP and allows you to configure browser-based SAML 2.0 SSO and SAML 2.0 single logout (SLO). This way, you can use an IdP that complies with SAML 2.0, such as IDaaS or Active Directory Federation Services (AD FS), to access Elasticsearch and Kibana. In this example, IDaaS is used as the IdP.

Note
  • SSO:

    SSO is an authentication solution that allows you to log on to multiple applications and websites after a single identity authentication. After the logon, you can access all mutually trusted application systems.

  • SAML:

    SAML is an XML-based open standard that implements SSO across realms. SAML transfers identity information between an IdP and an SP by using security tokens that contain assertions. SAML is a mature identity authentication protocol that is widely used in public and private clouds.

  • IDaaS:

    IDaaS is a centralized platform that provides management of identities, permissions, and applications for enterprises. IDaaS supports various services, such as Employee Identity and Access Management (EIAM) and Customer Identity and Access Management (CIAM).

Prerequisites

  • An Alibaba Cloud Elasticsearch cluster is created, and HTTPS is enabled for the cluster. In this example, an Alibaba Cloud Elasticsearch V7.10 cluster is used. The operations and configurations that are required to implement SSO for Elasticsearch clusters vary based on the version.

  • An IDaaS EIAM instance is created.

    Note

    Elasticsearch supports only HTTP-Redirect binding for SAML authentication requests and does not support other methods such as HTTP-POST binding. You only need to make sure that your computer can access the IdP and SP.

Procedure

Step 1: Configure the IDaaS SAML application

  1. Log on to the IDaaS console.

  2. Find the EIAM instance on the EIAM page and click the instance ID.

  3. Add the SAML application.

    1. In the left-side navigation pane of the Quick Start page, click Applications.

    2. On the Applications page, click Add Application.

    3. On the Add Application page, click the Standard Protocols tab.

    4. In the SAML 2.0 card, click Add Application.

    5. In the Name field, enter a name for the application. Then, click Add.

  4. Click the Sign-In tab. The SSO subtab appears. On the SSO subtab, configure SSO settings for the application.

    You must configure the parameters that are described in the following table. You can retain default values for other parameters. For more information about the parameters, see Parameters in IDaaS in the SAML 2.0 SSO Configuration topic.

    Basic settings:

    • ACS URL: The Assertion Consumer Service (ACS) endpoint that receives authentication information from the IdP. The ACS endpoint supports only HTTP-POST binding for SAML applications. In most cases, you can configure this parameter based on the following instructions:

      • If your Elasticsearch cluster is deployed in the cloud-native control architecture, configure this parameter in the ${kibana-url}:443/api/security/saml/callback format.

      • If your Elasticsearch cluster is not deployed in the cloud-native control architecture, configure this parameter in the ${kibana-url}:5601/api/security/v1/saml format.

      Note

      ${kibana-url} indicates the public URL of Kibana.

    • SP Entity ID: The URL of the SP. In this example, the SP is Kibana. You must configure this parameter in the ${kibana-url}:443 or ${kibana-url}:5601 format, where ${kibana-url} indicates the public URL of Kibana.

    • Authorize: The authorization scope. If you set this parameter to Manually, you must perform authorization on the Authorize subtab of the Sign-In tab.

    Advanced settings:

    • NameIDFormat: Select 2.0 persistent from the drop-down list.

    Note

    You can view the public URL and public port of Kibana on the Kibana Configuration page in the Elasticsearch console. For more information, see Configure a public or private IP address whitelist for Kibana.

  5. In the Application Settings section, click Download next to the value of the IdP Metadata parameter.

    The IDaaS SAML metadata is downloaded as a configuration file for subsequent use.

Step 2: Create a custom role and configure the SAML information in Elasticsearch

  1. Log on to the Kibana console of the Elasticsearch cluster. For more information, see Log on to the Kibana console.

  2. Create a custom role. For more information, see Use the RBAC mechanism provided by Elasticsearch X-Pack to implement access control.

  3. Map the role to the SAML application.

    You must replace <admin_role> with the name of the role created in the preceding step.

    PUT /_security/role_mapping/idaas-test
    {
      "roles": ["<admin_role>"],
      "enabled": true,
      "rules": {
        "field": { "realm.name": "saml1" }
      }
    }
  4. Add SAML information to the YML configuration files of Elasticsearch and Kibana.

    Note

    The SAML information that you add to the YML configuration files must be consistent with the SAML information configured in Step 1: Configure the IDaaS SAML application.

    • YML configuration file of Elasticsearch

      • Elasticsearch cluster that is deployed in the cloud-native control architecture (port for Kibana: 443)

        # YML configuration file of Elasticsearch
        
        xpack.security.authc.token.enabled: 'true'
        xpack.security.authc.realms.saml.saml1:
          order: 2
          idp.metadata.path: saml/metadata.xml
          idp.entity_id: "https://l2cm8ccn.aliyunidaas.com/api/v2/app_mueycrtjtumouafhydzuq3zx3a/saml2/meta"
          sp.entity_id: "https://es-cn-pe33****-kibana.cn-zhangjiakou.elasticsearch.aliyuncs.com:443"
          sp.acs: "https://es-cn-pe33****-kibana.cn-zhangjiakou.elasticsearch.aliyuncs.com:443/api/security/saml/callback"
          attributes.principal: "nameid:persistent"
          attributes.groups: "roles"
      • Elasticsearch cluster that is not deployed in the cloud-native control architecture (port for Kibana: 5601)

        # YML configuration file of Elasticsearch
        
        xpack.security.authc.token.enabled: 'true'
        xpack.security.authc.realms.saml.saml1:
          order: 2
          idp.metadata.path: saml/metadata.xml
          idp.entity_id: "https://es-cn-n6xxxxxx1d.elasticsearch.aliyuncs.com/"
          sp.entity_id: "https://es-cn-n6xxxxxx1d.kibana.elasticsearch.aliyuncs.com:5601/"
          sp.acs: "https://es-cn-n6xxxxxx1d.kibana.elasticsearch.aliyuncs.com:5601/api/security/v1/saml"
          attributes.principal: "nameid:persistent"
          attributes.groups: "roles"

        Parameter descriptions:

        • xpack.security.authc.token.enabled: Specifies whether to enable the Token service. You must set this parameter to true to configure SAML SSO. For more information about how to enable the Token service, see saml-enable-token.

        • xpack.security.authc.realms.saml.saml1: The identity authentication realm. In this example, the realm is named saml1. For more information about realms, see Realms.

        • order: The priority of the realm. A small value indicates a high priority.

          Note

          For Elasticsearch V8.X clusters, the value of this parameter must be unique among the configured realms. We recommend that you set this parameter to 2.

        • idp.metadata.path: The path of the metadata configuration file that you saved for the IdP.

        • idp.entity_id: The identifier of the IdP. The identifier must match the entityID attribute in the metadata configuration file.

        • sp.entity_id: The unique identifier of Kibana. The value of this parameter must be the same as the value of the SP Entity ID parameter in the configuration of the SAML application. This parameter is required if you add Kibana as an SP of your IdP. We recommend that you set this parameter to the public URL of Kibana.

          Important

          Make sure that the value of this parameter is consistent with the information of your business environment. If you use a reverse proxy instead of a URL to access Kibana, you must specify the endpoint and port number of the reverse proxy in this parameter.

        • sp.acs: The ACS endpoint that receives authentication information from the IdP. The value of this parameter must be the same as the value of the ACS URL parameter in the configuration of the SAML application. The ACS endpoint supports only HTTP-POST binding for SAML applications. In most cases, you can configure this parameter based on the following instructions:

          • If your Elasticsearch cluster is deployed in the cloud-native control architecture, configure this parameter in the ${kibana-url}:443/api/security/saml/callback format.

          • If your Elasticsearch cluster is not deployed in the cloud-native control architecture, configure this parameter in the ${kibana-url}:5601/api/security/v1/saml format.

          Note

          ${kibana-url} indicates the public URL of Kibana.

        • attributes.principal: The assertion attribute that is mapped to the principal. In this example, nameid:persistent is used. For more information, see Attribute mapping.

        • attributes.groups: The assertion attribute that is mapped to groups. In this example, roles is used. For more information, see Attribute mapping.

    • YML configuration file of Kibana

      # YML configuration file of Kibana
      
      xpack.security.authc.providers:
        saml.saml1:
          order: 0
          realm: "saml1"
        basic.basic1:
          order: 1
          icon: "logoElasticsearch"
          hint: "Typically for administrators"

      Parameter descriptions:

      • xpack.security.authc.providers: The authentication providers of Kibana. This parameter specifies that SAML SSO is used as the identity authentication method of Kibana.

      • xpack.security.authc.providers.saml.<provider-name>.realm: The SAML authentication realm. The value must be the realm that you specify in the YML configuration file of Elasticsearch. In this example, saml1 is used as both the provider name and the realm.

      • xpack.security.authc.providers.basic.basic1: After you configure SAML information in the YML configuration file of Kibana, only users who have passed SAML authentication can access Kibana. To also allow logon to the Kibana console as a basic user, specify values for the configuration items in basic.basic1. This is useful during testing: you may need to use the elastic username and its password to log on to the Elasticsearch cluster, create a role, and then map the role to the SAML application. After you specify values for the configuration items in basic.basic1, the Kibana logon page displays an entry point for logging on as a basic user. For more information, see Authentication in Kibana.

        Note

        If you do not need to log on to the Kibana console as a basic user, you do not need to configure the items in basic.basic1.
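The page repeatedly requires that the IDaaS application settings, the Elasticsearch realm, the IdP metadata and the Kibana provider agree with each other. The following script, an added example that is not Alibaba Cloud or Elastic code, checks those invariants before the files are submitted in Step 3: the ACS path matches the Kibana port, sp.entity_id and sp.acs share a host and port, idp.entity_id equals the entityID in the metadata, the IdP advertises the HTTP-Redirect binding that Elasticsearch requires, and a Kibana provider references the realm. The hostnames and entity IDs in it are constructed placeholders.

```python
# Added example (not Alibaba Cloud code): cross-check that the SAML values this page
# says must agree really do, across the saml1 realm in elasticsearch.yml, the IdP
# metadata file and the Kibana provider. All sample values below are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# ACS path expected for each Kibana public port, as stated on the page
ACS_PATH_BY_PORT = {443: "/api/security/saml/callback", 5601: "/api/security/v1/saml"}


def check_saml_config(es_settings, kibana_providers, idp_metadata_xml, realm="saml1"):
    """Return the inconsistencies found (empty list = the configs agree); es_settings is
    elasticsearch.yml as flat dotted keys, kibana_providers the authc.providers mapping."""
    problems = []
    prefix = f"xpack.security.authc.realms.saml.{realm}."
    if str(es_settings.get("xpack.security.authc.token.enabled", "")).lower() != "true":
        problems.append("xpack.security.authc.token.enabled must be true")
    sp_id, acs_url, idp_id = (es_settings.get(prefix + k) for k in ("sp.entity_id", "sp.acs", "idp.entity_id"))
    if not (sp_id and acs_url and idp_id):
        return problems + ["sp.entity_id, sp.acs and idp.entity_id are all required"]
    acs, sp, port = urlsplit(acs_url), urlsplit(sp_id), urlsplit(acs_url).port or 443
    if acs.path != ACS_PATH_BY_PORT.get(port):
        problems.append(f"sp.acs path {acs.path!r} is wrong for Kibana port {port}")
    if (sp.scheme, sp.netloc) != (acs.scheme, acs.netloc):
        problems.append("sp.entity_id must use the same scheme, host and port as sp.acs")
    root = ET.fromstring(idp_metadata_xml)
    desc = root if root.tag.endswith("}EntityDescriptor") else root.find("md:EntityDescriptor", MD)
    if desc is None or desc.get("entityID") != idp_id:
        problems.append("idp.entity_id does not match the entityID in the IdP metadata")
    # Elasticsearch sends its AuthnRequest only over HTTP-Redirect, so the IdP must offer it
    sso = [] if desc is None else desc.findall("md:IDPSSODescriptor/md:SingleSignOnService", MD)
    if not any(s.get("Binding") == REDIRECT for s in sso):
        problems.append("IdP metadata offers no HTTP-Redirect SingleSignOnService")
    if not any(p.get("realm") == realm for p in kibana_providers.get("saml", {}).values()):
        problems.append(f"kibana.yml has no saml provider bound to realm {realm!r}")
    return problems


# Constructed sample inputs with placeholder host names
KIBANA_URL = "https://kibana.example.com:443"
IDP_ENTITY_ID = "https://idp.example.com/saml2/meta"
ES_SETTINGS = {
    "xpack.security.authc.token.enabled": "true",
    "xpack.security.authc.realms.saml.saml1.idp.entity_id": IDP_ENTITY_ID,
    "xpack.security.authc.realms.saml.saml1.sp.entity_id": KIBANA_URL,
    "xpack.security.authc.realms.saml.saml1.sp.acs": KIBANA_URL + "/api/security/saml/callback",
}
KIBANA_PROVIDERS = {"saml": {"saml1": {"order": 0, "realm": "saml1"}}, "basic": {"basic1": {"order": 1}}}
IDP_METADATA = f'''<md:EntityDescriptor xmlns:md="{MD["md"]}" entityID="{IDP_ENTITY_ID}"><md:IDPSSODescriptor>
<md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso"/></md:IDPSSODescriptor></md:EntityDescriptor>'''
```

Run `check_saml_config(ES_SETTINGS, KIBANA_PROVIDERS, IDP_METADATA)` against your own flattened elasticsearch.yml, kibana.yml providers mapping and the downloaded IdP metadata; an empty list means the four sources agree.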

Step 3: Submit configuration files

Submit a ticket to submit the following configuration files to the Alibaba Cloud Elasticsearch technical support personnel:

  • IDaaS SAML metadata configuration file: The technical support personnel upload the IDaaS SAML metadata configuration file that you submit to the config/saml path of Elasticsearch.

  • YML configuration file of Elasticsearch: The technical support personnel update the YML configuration file of your Elasticsearch cluster at the backend based on the configuration file that you submit.

  • YML configuration file of Kibana: The technical support personnel update the Kibana YML configuration file of your Elasticsearch cluster at the backend based on the configuration file that you submit.

Step 4: Verify SSO to the Kibana console

After the preceding configuration is complete, log on to the Kibana console by using SSO.

  1. Go to the logon page of the Kibana console and click Log in with saml/saml1.

    For more information, see Log on to the Kibana console.

  2. Enter the account that is associated with IDaaS and click Submit.

    The homepage of the Kibana console appears.