Log on to the Kibana console by using SAML-based SSO - Elasticsearch

Alibaba Cloud Elasticsearch supports SSO for Kibana using SAML 2.0. By enabling SAML 2.0 authentication, you can integrate your Alibaba Cloud Elasticsearch cluster and Kibana with a SAML 2.0-compliant IdP, such as Alibaba Cloud IDaaS, for seamless user access. This guide provides instructions on configuring SAML SSO for your Kibana console, using an Elasticsearch V7.10 cluster and IDaaS as an example.

Overview

Concepts

SAML (Security Assertion Markup Language): An XML-based protocol for exchanging authentication and authorization data between an IdP and an SP, enabling cross-domain SSO. SAML is a mature and widely used authentication protocol.
IdP (Identity Provider): An entity that authenticates users and provides authentication assertions to Service Providers. Examples include Alibaba Cloud IDaaS (Identity as a Service) or Active Directory Federation Services (ADFS).
SP (Service Provider): An entity that relies on the IdP to authenticate users. In this context, both Elasticsearch and Kibana act as SPs. They support the web browser SSO profile and the single logout profile of SAML 2.0.
SSO (Single Sign-On): A property of access control that allows a user to log in with a single ID and password to gain access to all applications in a system.
IDaaS (Alibaba Cloud Identity as a Service): A centralized identity, permission, and application management service for enterprise users, supporting products like EIAM and CIAM. This topic uses IDaaS as an example IdP.

Choose your SAML configuration method

Alibaba Cloud Elasticsearch offers two methods to configure SAML SSO, depending on your Kibana access setup:

Method A (Kibana public port 443): Configure via Elasticsearch Console (Recommended for Managed Kibana)
- This is the preferred and simpler method, used when Kibana's public network port is 443.
- The console provides a guided wizard to configure SAML, abstracting much of the underlying YML file management.
Method B (Kibana public port 5601): Manual YML configuration (For advanced/specific scenarios, requires technical support)
- This method requires manual editing of elasticsearch.yml and kibana.yml files, used if your Kibana public network port is 5601 or for advanced configurations that are not supported by the console wizard.
- Crucially, this method requires submitting configuration files to Alibaba Cloud technical support for implementation.

Prerequisites

Alibaba Cloud Elasticsearch Cluster (V7.10+) created. See Create an Alibaba Cloud Elasticsearch instance.
HTTPS enabled for the cluster. See Use the HTTPS protocol.
IDaaS EIAM instance created. See Create an IDaaS SSO application.
Network access: Ensure your client PC can access both the IdP and SP (Kibana) services. Elastic's SAML authentication currently supports only the HTTP-Redirect binding method.

Procedure

Method A (Kibana public port 443)

This method uses the Elasticsearch console wizard to configure SAML authentication, typically for Kibana accessed on public port 443.

Note

Enabling SAML authentication requires a cluster restart to take effect. To minimize the impact of this change, perform this operation during off-peak hours.

Step 1: Configure an IDaaS SAML application

Log on to the IDaaS console.
Click the ID of the target IDaaS instance.
Add an application.
1. In the left menu bar, choose Application Management > Applications.
2. On the Applications page, click Add Application.
3. Click the Standard Protocols tab.
4. In the SAML 2.0 area, click Add Application.
5. Configure Application Name and click Add.
On the Sign-In tab and the SSO sub-tab, configure the following parameters. Retain default values for others. For more details, see IDaaS parameters.
- ACS URl: This is the Assertion Consumer Service (ACS) endpoint of Kibana, where the IdP sends authentication information. Copy the ACS URI from the Configure SAML Application step of the Enable SAML Authentication wizard.
- SP Entity ID: The unique identifier of the SP. In this example, the SP is Kibana. Copy the SP Entity ID from the Configure SAML Application step of Enable SAML Authentication wizard.
- Authorize: Select an authorization scope. If you select Manually, you must assign permissions on the Authorize tab.
- NameIDFormat: Select 2.0 persistent.
Example:
In the Application Settings section, click Download next to IdP Metadata.
Save this XML file; you will upload it to your Elasticsearch cluster.
Click Save.

Step 2: Enable SAML authentication in the console

Log on to the Alibaba Cloud Elasticsearch console.
In the left navigation menu, choose Elasticsearch Clusters.
Navigate to the target cluster.
1. In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.
2. On the Elasticsearch Clusters page, find the cluster and click its ID.
In the left navigation pane of the target cluster, select Configuration and Management > Security.
In the Access Settings area, switch on SAML Authentication.
Note
If you haven't enabled the HTTPS protocol for the current cluster, you'll be prompted to enable HTTPS first.
In the Enable SAML Authentication wizard (Configure SAML Application step):
1. For Access Type, select Access Kibana over Internet.
2. Copy the displayed ACS URL and SP Entity ID to configure your IDaaS SAML application.
3. Upload the IdP metadata XML file you downloaded in Step 1.
4. Click Next.

Step 3: Associate a Elasticsearch custom role

This step creates and maps a default Elasticsearch role (es_saml1_default) for SAML users.

In the Associate Elasticsearch Custom Role step:
- Role Name: Defaults to es_saml1_default (cannot be modified).
- Role Permissions: By default, es_saml1_default has all permissions enabled. For fine-grained control, you can modify these permissions later in Kibana. See Use the RBAC mechanism provided by Elasticsearch X-Pack to implement access control.
- Elasticsearch Cluster Password: Enter the password to verify your permission to create roles.
Click Create and Associate Role.
Click Next.

Step 4: Configure YML

In the Configure YML File step, configure the YML parameters.
This allows you to review and optionally customize SAML-related YML parameters. The system automatically generates a standard YML file.
SAML information:
- Authentication Realm: saml1 (fixed).
- order: 2 (priority, fixed).
- idp.entity_id: The identifier used by the IdP (from IDaaS metadata).
- sp.entity_id: The unique identifier for this Kibana instance (should match IDaaS config).
- sp.acs: The ACS endpoint (should match IDaaS config).
- attributes.principal/attributes.groups: These map SAML assertion attributes (e.g., nameid:persistent, roles) to Elasticsearch principal/group fields. For more information, see Attribute mapping and Configure SAML 2.0-based SSO.
Advanced settings
- Log on to Kibana as Basic User
- Description for SAML-based Kibana Logon
Note
Other parameters like idp.metadata.path are automatically generated and managed by the backend; they are not editable.
Click Complete.
A message indicating successful configuration will appear.

Method B (Kibana public port 5601)

This method is for advanced scenarios where Kibana is accessed on public port 5601 or requires direct YML manipulation. This method requires direct interaction with Alibaba Cloud technical support to apply the YML changes.

Step 1: Configure an IDaaS SAML application

Log on to the IDaaS console.
Click the ID of the target IDaaS instance.
Add an application.
1. In the left menu bar, choose Application Management > Applications.
2. On the Applications page, click Add Application.
3. Click the Standard Protocols tab.
4. In the SAML 2.0 area, click Add Application.
5. Configure Application Name and click Add.
On the Sign-In tab and the SSO sub-tab, configure the following parameters. Retain default values for others. For more details, see IDaaS parameters.
- ACS URl: This is the ACS endpoint of Kibana, where the IdP sends authentication information. Use: ${kibana-url}:5601/api/security/v1/saml (where ${kibana-url} is the public address of Kibana).
- SP Entity ID: The unique identifier of the SP. Use: ${kibana-url}:5601.
- Authorize: Select an authorization scope. If you select Manually, you must assign permissions on the Authorize tab.
- NameIDFormat: Select 2.0 persistent.
Note
You can find Kibana's public URL and port on the Kibana Configuration page in the Elasticsearch console. See Connect to a cluster using Kibana.
Example:
In the Application Settings section, click Download next to IdP Metadata.
Save this XML file; you will upload it to your Elasticsearch cluster.
Click Save.

Step 2: Create a custom role and configure SAML

This step ensures that SAML users are assigned appropriate roles in Elasticsearch. This is done via Kibana Dev Tools.

Log on to the Kibana console of your cluster using basic authentication (e.g., with the elastic account).
Create a role.
Map the role to SAML using the _security/role_mapping API.
```
PUT /_security/role_mapping/idaas-test
{
  "roles": "<admin_role>" ,
  "enabled": true,
  "rules": {
    "field": { "realm.name": "saml1" }
  }
}
```
Replace idaas-test with your desired mapping name and <admin_role> with the role created in the previous step.

Step 3: Prepare Elasticsearch and Kibana YML configuration files

Create separate YML configuration files for Elasticsearch and Kibana, containing your SAML settings. Ensure consistency with your IDaaS SAML application configuration.

Elasticsearch YML configuration (elasticsearch.yml)

#elasticsearch.yml configuration

xpack.security.authc.token.enabled: 'true'
xpack.security.authc.realms.saml.saml1:
  order: 2
  idp.metadata.path: saml/metadata.xml
  idp.entity_id: "https://es-cn-n6xxxxxx1d.elasticsearch.aliyuncs.com/"
  sp.entity_id: "https://es-cn-n6xxxxxx1d.kibana.elasticsearch.aliyuncs.com:5601/"
  sp.acs: "https://es-cn-n6xxxxxx1d.kibana.elasticsearch.aliyuncs.com:5601/api/security/v1/saml"
  attributes.principal: "nameid:persistent"
  attributes.groups: "roles"

Parameter	Description
xpack.security.authc.token.enabled	Must be set to `true` to enable the Token service, which is required for SAML SSO. See saml-enable-token.
xpack.security.authc.realms.saml.saml1	Defines the SAML authentication realm. `saml1` is used as the realm name in this example. See Realms.
order	Priority of the realm. Lower value indicates higher priority. Recommended `2` (V8.x requires a unique value).
idp.metadata.path	Path where the IdP metadata XML file will be stored on the Elasticsearch server (managed by technical support).
idp.entity_id	Identifier used by the IdP. Must match the `EntityID` in the downloaded IdP metadata file.
sp.entity_id	Unique identifier of the Kibana instance (SP). We recommend setting this to the Kibana URL. Important If using a reverse proxy, set this to the proxy's address and port.
sp.acs	The ACS endpoint. Must match the ACS URL configured in your IDaaS SAML application. It supports only SAML HTTP-POST binding.
attributes.principal	Maps a SAML assertion attribute (e.g., `nameid:persistent`) to the principal (username) in Elasticsearch. See Attribute mapping.
attributes.groups	Maps a SAML assertion attribute (e.g., `roles`) to groups in Elasticsearch. See Attribute mapping.

Kibana YML Configuration (kibana.yml)

Important

This configuration example applies to version 7.10 instances. Kibana configurations can vary significantly between versions. Adjust as needed. For more information, see Configuring Kibana.

# kibana configuration

xpack.security.authc.providers:
  saml.saml1:
    order: 0
    realm: "saml1"
  basic.basic1:
    order: 1
    icon: "logoElasticsearch"
    hint: "Typically for administrators"

Parameter	Description
xpack.security.authc.providers	Defines the authentication providers for Kibana. Add a SAML provider here to enable SAML SSO.
xpack.security.authc.providers.saml.<provider-name>.realm	Sets the SAML realm name. Replace `<provider-name>` with the desired provider name (e.g., `saml1`) and `realm` with the SAML realm name configured in `elasticsearch.yml` (`saml1` in this example).
xpack.security.authc.providers.basic.basic1	(Optional) Configures basic authentication for Kibana. This is useful for administrators who need to log in with the `elastic` account (or other basic users) for role management, especially when SAML is the primary login method. If configured, an entry point for basic authentication will appear on the Kibana login page. If basic authentication is not needed, this block can be omitted. See Authentication in kibana.

Step 4: Submit files to technical support

After preparing the above files, contact Alibaba Cloud technical support with the following:

The downloaded IDaaS SAML metadata XML configuration file. Technical support will upload this to the config/saml path on your Elasticsearch cluster.
Your prepared elasticsearch.yml configuration content. Technical support will update your cluster's YML file based on this.
Your prepared kibana.yml configuration content. Technical support will update your Kibana instance's YML file based on this.

Manage SAML authentication

You can view, modify, or disable SAML authentication settings from the Security page of your instance in the Alibaba Cloud Elasticsearch console.

Action	Operation
View SAML configuration	In the Access Settings section, click Modify next to SAML Authentication.
Modify SAML configuration	Click Modify next to SAML Authentication: To re-upload IdP metadata or edit YML parameters: Click Edit in the upper-right corner of the Elasticsearch Configurations section. (The modification triggers a cluster restart.) To modify Kibana login configurations (e.g., description): Click Edit in the upper-right corner of the Kibana Configurations area.
Disable SAML authentication	Turn off the SAML Authentication switch and click OK in the confirmation dialog. The change takes effect after the cluster restarts. Important Disabling SAML authentication will purge the current SAML configuration.

Verify SSO for Kibana

After configuration and cluster restarts, verify that SAML SSO is working correctly.

In the left navigation pane, select Configuration and Management > Data Visualization .
In the Kibana section, click Access over Internet.
This will redirect you to the Kibana login page.
You should see an option similar to log in with saml/saml1. Click it.
You will be redirected to your IDaaS login page. Enter your IDaaS account credentials.
Upon successful authentication, you will be redirected back to the Kibana page, logged in via SAML SSO.

Note

For general Kibana login issues, see Log on to the Kibana console.
If SSO fails, verify your Kibana access whitelist and security group rules. See Connect to a cluster using Kibana.