This topic describes how to use Alibaba Cloud Identity as a Service (IDaaS) to implement Security Assertion Markup Language (SAML) single sign-on (SSO) to the Kibana console of an Alibaba Cloud Elasticsearch cluster. IDaaS serves as the identity provider (IdP), and Kibana serves as the service provider (SP).

Background information

Elasticsearch allows you to implement SAML SSO to the Kibana console of your Elasticsearch cluster. Kibana serves as the SAML SP and allows you to configure SAML 2.0 browser-based SSO and SAML 2.0 single logout (SLO). This way, you can use an IdP that complies with SAML 2.0, such as IDaaS or Active Directory Federation Service (AD FS), to access Elasticsearch and Kibana. In this example, IDaaS is used as the IdP.

In this topic, the following terms are involved:
  • IDaaS: a centralized platform that provides management over identities, permissions, and applications for enterprises. IDaaS supports various services, such as Employee Identity and Access Management (EIAM) and Customer Identity and Access Management (CIAM).
  • SAML: an XML-based open standard that implements SSO across domains. SAML transfers identity information between an IdP and an SP by using security tokens that contain assertions. SAML is a sound identity authentication protocol. It is widely used in public and private clouds worldwide.
  • SSO: indicates that you can access multiple mutually trusted application systems with only one logon.

Prerequisites

  • An Alibaba Cloud Elasticsearch V7.10 cluster is created, and HTTPS is enabled for the cluster.

    For more information about how to create an Elasticsearch cluster, see Create an Alibaba Cloud Elasticsearch cluster. In this example, an Elasticsearch V7.10 cluster is used. The operations and configurations required for the clusters of other versions may vary. The operations and configurations required in the Elasticsearch console prevail.

    For more information about how to enable HTTPS for an Elasticsearch cluster, see Enable HTTPS.
    Notice You can enable HTTPS only for an Elasticsearch cluster that contains client nodes. Make sure that your Elasticsearch cluster contains client nodes.
  • An IDaaS EIAM instance is created.
    Note Elasticsearch supports only HTTP-Redirect binding for SAML authentication requests and does not support other methods such as HTTP-POST binding. You need only to make sure that your computer can access the IdP and SP.
  • SAML SSO can be configured only at the backend. You must refer to the operations in this topic to configure the related settings in a test environment and make sure that the test logon to the Kibana console is successful. Then, you can submit a ticket to provide Alibaba Cloud Elasticsearch technical personnel with the configuration information.
    Note This topic consists of the following sections: Configure the IDaaS SAML application (client side) and Create a custom role and configure the SAML information in Elasticsearch (backend). You must manually perform the operations described in Configure the IDaaS SAML application (client side). The operations described in Create a custom role and configure the SAML information in Elasticsearch (backend) must be performed by Alibaba Cloud Elasticsearch technical personnel at the backend. The operations at the backend are described in this topic to help you understand configuration principles and perform a configuration test.

Configure the IDaaS SAML application (client side)

  1. Log on to the IDaaS console and click the name of the EIAM instance. On the page that appears, add the SAML application.
    For more information, see Add an application.
  2. In the Add Application (SAML) panel, find the desired signing key and click Select in the Actions column to configure the parameters related to the IdP and SP.
    Note If no signing key is available, you must import or create one.
    You must configure the parameters that are described in the following list. Retain default values for other parameters.
    • Application Name: The name of the SAML application. You can customize the value of this parameter.
    • IDP IdentityId: The authentication parameter configured in IDaaS. You must configure this parameter for the SP. In this example, set this parameter to IDaaS.
    • SP Entity ID: The URL of the SP. In this example, the SP is Kibana. Therefore, you must set this parameter to the base URL of Kibana. The base URL must use HTTPS.
    • SP ACS URL (SSO Location): The Assertion Consumer Service (ACS) endpoint that receives authentication messages from the IdP. In most cases, the value of this parameter is the URL of Kibana. This ACS endpoint supports only SAML HTTP-POST binding. In most cases, set this parameter to ${kibana-url}/api/security/v1/saml, where ${kibana-url} is the base URL of Kibana.
    • NameIdFormat: The format of the name identifier. Set this parameter to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent.
    • Binding: Set this parameter to the default value POST.
    • Assertion Attribute: The attribute of the assertion. You can customize a name for the attribute, but you must select Sub-account as the value.
    • Account Linking Type: Set this parameter to Account mapping.
  3. Click Submit.
  4. In the System Prompt message, click Authorize now to grant permissions to the SAML application.
    Notice Before you grant permissions to the SAML application, make sure that you have synchronized the account information of the application to IDaaS or created an account for the application. For more information, see Accounts.
  5. Click Application Authorization in the left-side navigation pane. On the Application Authorization page, click the Authorize Accounts by Application tab. On the Authorize Accounts by Application tab, select the account. Then, click Save. In the System Prompt message, click OK to complete the authorization.
  6. Export the IDaaS SAML metadata from the added SAML application as a configuration file.
  7. Submit a ticket to provide Alibaba Cloud Elasticsearch technical personnel with the metadata configuration file.
    Then, the technical personnel configure the SAML information in Elasticsearch by following the operations described in Create a custom role and configure the SAML information in Elasticsearch (backend). You can refer to the operations described in this section to perform a test in a self-managed Elasticsearch cluster.
  8. After the technical personnel complete the configuration, log on to the Kibana console by using SSO.
    1. Refer to the steps described in Log on to the Kibana console to go to the logon page of the Kibana console. Click Log in with saml/saml1.
      (Figure: Use SAML to log on to the Kibana console)
    2. Enter the account that is associated with IDaaS and click Submit.
      The following figure shows the homepage that appears after your logon. (Figure: Logon success page)

Create a custom role and configure the SAML information in Elasticsearch (backend)

  1. Log on to the Kibana console of the Elasticsearch cluster.
  2. Create a custom role.
    (Figure: Create a custom role)
  3. Map the role to the SAML application.
    PUT /_security/role_mapping/idaas-test
    {
      "roles": [ "admin_role" ],
      "enabled": true,
      "rules": {
        "field": { "realm.name": "saml1" }
      }
    }
    Note You must replace the value of the roles parameter with the name of the role created in the preceding step.
  4. Upload the metadata configuration file exported in Configure the IDaaS SAML application (client side) to the config/saml path of the Elasticsearch cluster.
  5. Add SAML information to the YML configuration files of Elasticsearch and Kibana.
    Notice The SAML information that you add to the YML configuration files must be consistent with the SAML information configured in Configure the IDaaS SAML application (client side).
    • YML configuration file of Elasticsearch
      # YML configuration file of Elasticsearch
      
      xpack.security.authc.token.enabled: 'true'
      xpack.security.authc.realms.saml.saml1:
        order: 0
        idp.metadata.path: saml/metadata.xml
        idp.entity_id: "https://es-cn-n6xxxxxx1d.elasticsearch.aliyuncs.com/"
        sp.entity_id: "https://es-cn-n6xxxxxx1d.kibana.elasticsearch.aliyuncs.com:5601/"
        sp.acs: "https://es-cn-n6xxxxxx1d.kibana.elasticsearch.aliyuncs.com:5601/api/security/v1/saml"
        # Single logout endpoint of Kibana; see the sp.logout description below
        sp.logout: "https://es-cn-n6xxxxxx1d.kibana.elasticsearch.aliyuncs.com:5601/logout"
        attributes.principal: "nameid:persistent"
        attributes.groups: "roles"
      Parameters in the YML configuration file of Elasticsearch:
      • xpack.security.authc.token.enabled: Specifies whether to enable the Token service. You must set this parameter to true to configure SAML SSO. For more information about how to enable the Token service, see saml-enable-token.
      • xpack.security.authc.realms.saml.saml1: The identity authentication realm. In this example, the realm is named saml1. For more information about realms, see Realms.
      • order: The priority of the realm. A small value indicates a high priority.
      • idp.metadata.path: The path to the metadata file that you saved for the IdP.
      • idp.entity_id: The identifier of the IdP. The identifier must match the EntityID attribute within the metadata file.
      • sp.entity_id: The unique identifier of Kibana. This parameter is required if you add Kibana as an SP of your IdP. We recommend that you set this parameter to the base URL of Kibana.
        Notice Make sure that the value of this parameter is consistent with your business environment. If you access Kibana through a reverse proxy, specify the endpoint and port number of the reverse proxy in this parameter instead of the Kibana URL.
      • sp.acs: The Assertion Consumer Service (ACS) endpoint that receives authentication messages from the IdP. In most cases, the value of this parameter is the URL of Kibana. This ACS endpoint supports only SAML HTTP-POST binding. In most cases, set this parameter to ${kibana-url}/api/security/v1/saml, where ${kibana-url} is the base URL of Kibana.
      • sp.logout: The URL that Kibana uses to receive the logout information from the IdP. The value format of this parameter is similar to that of the sp.acs parameter. You must set this parameter to ${kibana-url}/logout, where ${kibana-url} is the base URL of Kibana.
      • attributes.principal: The assertion attribute that is used as the principal (username) of the authenticated user. For more information, see Attribute mapping.
      • attributes.groups: The assertion attribute that provides the groups of the user, which role mappings can match. For more information, see Attribute mapping.
    • YML configuration file of Kibana
      # YML configuration file of Kibana
      
      xpack.security.authc.providers:
        saml.saml1:
          order: 0
          realm: "saml1"
        basic.basic1:
          order: 1
          icon: "logoElasticsearch"
          hint: "Typically for administrators"
      Parameters in the YML configuration file of Kibana:
      • xpack.security.authc.providers: The authentication providers of Kibana. This parameter specifies that SAML SSO is used as the identity authentication method of Kibana.
      • xpack.security.authc.providers.saml.<provider-name>.realm: The SAML authentication realm. Replace <provider-name> with the realm that you specify in the YML configuration file of Elasticsearch. In this example, saml1 is used.
      • xpack.security.authc.providers.basic.basic1: After you configure SAML information in the YML configuration file of Kibana, only users who have passed SAML authentication can access Kibana. To log on to the Kibana console as a basic user, you can specify values for the configuration items in basic.basic1. If you test the logon to the Kibana console as a basic user, you may need to use the elastic username and its password to log on to the Elasticsearch cluster, create a role, and then map the role to the SAML application. After you specify values for the configuration items in basic.basic1, the Kibana logon page displays the entry point for you to log on to the Kibana console as a basic user. For more information, see Authentication in Kibana.
        Note If you do not need to log on to the Kibana console as a basic user, you do not need to configure the items in basic.basic1.
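The notice above requires the realm settings to agree with the IdP metadata and the IDaaS application. The following script, added here as an example and not part of the Alibaba Cloud topic, checks the rules this topic states (idp.entity_id equals the metadata EntityID, the IdP offers an HTTP-Redirect SSO binding, a persistent NameID is advertised, sp.entity_id is an HTTPS base URL, and sp.acs and sp.logout are derived from it); the metadata document, hostnames and entity IDs are constructed placeholders.

```python
"""Added example (not from the Alibaba Cloud topic): check that an Elasticsearch SAML realm
agrees with the IdP metadata. Hostnames, entity IDs and metadata are constructed placeholders."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed IdP metadata in the shape an IdP exports (signing certificate omitted).
METADATA_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idaas.example.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idaas.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idaas.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed settings of xpack.security.authc.realms.saml.saml1, flattened to dotted keys.
REALM = {
    "idp.entity_id": "https://idaas.example.com/idp",
    "sp.entity_id": "https://kibana.example.com:5601/",
    "sp.acs": "https://kibana.example.com:5601/api/security/v1/saml",
    "sp.logout": "https://kibana.example.com:5601/logout",
    "attributes.principal": "nameid:persistent",
}

def check_saml_realm(metadata_xml, realm):
    """Return the list of mismatches; an empty list means realm and metadata agree."""
    problems = []
    root = ET.fromstring(metadata_xml)
    if root.get("entityID") != realm.get("idp.entity_id"):
        problems.append("idp.entity_id does not match the metadata entityID")
    bindings = {s.get("Binding") for s in root.iterfind(".//md:SingleSignOnService", NS)}
    if REDIRECT not in bindings:  # Elasticsearch sends AuthnRequests over HTTP-Redirect only
        problems.append("IdP offers no HTTP-Redirect SingleSignOnService")
    formats = {f.text for f in root.iterfind(".//md:NameIDFormat", NS)}
    if realm.get("attributes.principal") == "nameid:persistent" and PERSISTENT not in formats:
        problems.append("realm expects a persistent NameID that the IdP does not advertise")
    base = realm.get("sp.entity_id", "")
    if not base.startswith("https://"):
        problems.append("sp.entity_id must be the HTTPS base URL of Kibana")
    if realm.get("sp.acs") != base.rstrip("/") + "/api/security/v1/saml":
        problems.append("sp.acs is not <sp.entity_id>/api/security/v1/saml")
    if realm.get("sp.logout") != base.rstrip("/") + "/logout":
        problems.append("sp.logout is not <sp.entity_id>/logout")
    return problems
```

Run it against the exported metadata.xml and your own realm values before submitting the ticket; every returned string is a setting that the backend configuration would reject or that would break the logon test.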