Elasticsearch:Enable SAML-based single sign-on for an Elasticsearch cluster

Last Updated: Nov 28, 2025

Alibaba Cloud Elasticsearch (ES) supports single sign-on (SSO) for Kibana. After you enable Security Assertion Markup Language 2.0 (SAML 2.0) authentication, you can use a SAML 2.0-compliant identity provider (IdP) to access your Alibaba Cloud ES cluster and Kibana. This topic uses an ES V7.10 cluster as an example to describe how to configure a SAML IdP and the service providers (SPs), ES and Kibana, to implement SSO for the Kibana console.

Background

In SAML, ES and Kibana act as service providers (SPs). They support the web browser SSO profile and the single logout profile of SAML 2.0. This lets you use any SAML 2.0-compliant identity provider (IdP), such as Alibaba Cloud Identity as a Service (IDaaS) or Active Directory Federation Services (ADFS), to access Alibaba Cloud ES and Kibana. This topic uses IDaaS as an example.

Note
  • Single sign-on (SSO):

    Allows users to log on once and access all mutually trusted applications.

  • Security Assertion Markup Language (SAML):

    SAML is an XML-based protocol that implements cross-domain single sign-on (SSO). It transfers identity information between an Identity Provider (IdP) and a Service Provider (SP) using security tokens that contain assertions. SAML is a mature authentication protocol that is widely used in public and private clouds.

  • Alibaba Cloud Identity as a Service (IDaaS):

    IDaaS is a set of centralized identity, permission, and application management services for enterprise users. IDaaS supports multiple products, such as EIAM and CIAM.

Prerequisites

  • An Alibaba Cloud ES V7.10 cluster is created and the HTTPS protocol is enabled. The operations for other versions may differ, and the actual UI may vary.

  • An EIAM instance of the IDaaS service is activated.

    Note

    Elastic supports only the HTTP-Redirect binding method for SAML authentication and does not support HTTP-POST binding or other methods. Therefore, you must ensure that your PC can access the IdP and SP services.

Kibana public port is 443

Procedure

Note

Enabling SAML authentication requires a cluster restart to take effect. To minimize the impact of this change, perform this operation during off-peak hours.

  1. Log on to the Alibaba Cloud Elasticsearch console.

  2. In the left-side navigation pane, click Elasticsearch Clusters.

  3. Navigate to the desired cluster.

    1. In the top navigation bar, select the resource group to which the cluster belongs and the region where the cluster resides.

    2. On the Elasticsearch Clusters page, find the cluster and click its ID.

  4. In the navigation pane on the left of the target cluster, select Configuration and Management > Security.

  5. In the Access Settings area, enable SAML Authentication.

    Note

    If you attempt to disable the HTTPS protocol for the current cluster, the dialog box displays the message SAML authentication is enabled for the cluster. You are not allowed to disable HTTPS.

  6. In the Enable SAML Authentication panel, you can configure the SAML application.

    1. On the Configure SAML Application page, select Access Kibana over Internet for the Access Type.

    2. Download the IdP metadata. For more information, see Configure an IDaaS SAML application.

      Note

      You can copy the single sign-on ACS URL and the SP Entity ID from the Configure SAML Application wizard page.

    3. Click or drag to upload the IdP metadata.

    4. Click Next.

  7. Associate a custom ES role.

    1. On the Associate Elasticsearch Custom Role wizard page, enter the ES access password.

      • Role Name: The default value is es_saml1_default, which cannot be modified.

      • Role Permissions: By default, all permissions are enabled for the es_saml1_default role. To configure fine-grained permissions, you can modify the role's permissions in the Kibana console. For more information, see Manage user permissions with Elasticsearch X-Pack role management.

      • Elasticsearch Cluster Password: Enter the password to verify that you have permission to create roles.

    2. Click Create and Associate Role.

      A role is created and mapped to SAML.

    3. Click Next.

  8. Configure the YML parameters.

    SAML information:

      • Authentication Realm: Must be consistent with the previous mapping. By default, only saml1 is supported. You cannot change this value.

      • order: The priority of the realm. A smaller value indicates a higher priority. The default value is 2. You cannot change this value.

      • idp.entity_id: The identifier used by the IdP.

      • sp.entity_id: The unique identifier of the Kibana instance. This is the same as the SP Entity ID of the SAML application. Set this value if you add Kibana as an SP for the IdP.

      • sp.acs: The Assertion Consumer Service (ACS) endpoint. It receives identity authentication information from the IdP. This is the same as the ACS URL for SSO of the SAML application.

      • attributes.principal: The assertion attribute that identifies the user, such as nameid:persistent. For more information, see Attribute mapping.

      • attributes.groups: The assertion attribute that carries the user's groups, such as roles. For more information, see Attribute mapping.

    Advanced Settings:

      • Kibana Basic Login: By default, the basic logon entry point for Kibana is displayed. You can choose not to display this entry point.

      • Kibana SAML Logon Description: Enter a description for SAML logon to Kibana.

    Note
    • After you complete the configuration, the system automatically generates a standard YML file that the backend can recognize and modifies the YML configuration of the cluster.

    • Other parameters, such as `idp.metadata.path`, are XML paths required for backend management. They are automatically generated and cannot be edited.

  9. Click Complete.

    The message Enabled. appears at the top of the page, indicating that the configuration is successful and the cluster is restarting.

  10. After the cluster restarts, verify SSO for Kibana.

    1. In the left navigation pane, select Configuration and Management > Access over Internet.

    2. In the Kibana area, click Access over Internet.

    3. Enter your Username and Password and click Log On.

      You are then logged on to the Kibana page.


Configure an IDaaS SAML application

  1. Log on to the IDaaS console.

  2. Click the ID of the target IDaaS instance.

  3. Add an application.

    1. In the menu bar on the left, click Application Management > Applications.

    2. On the Applications page, click Add Application.

    3. Click the Standard Protocols tab.

    4. In the SAML 2.0 area, click Add Application.

    5. Enter the Application Name and click Add.

  4. In the Sign-In section, on the SSO tab, you can complete the SSO for the application.

    Configure the parameters that are described in the following table. You can retain the default values for other parameters. For more information, see IDaaS-side configuration field descriptions.

    • ACS URL: The ACS URL is used to receive authentication information from the IdP. You can copy the ACS URL from the Configure SAML Application wizard page in the ES console.

    • SP Entity ID: The unique identifier of the SP. In this example, the SP is Kibana. You can copy the SP Entity ID from the Configure SAML Application wizard page in the ES console.

    • Authorize: Select an authorization scope. If you select Manually, you must assign permissions on the Authorize tab.

    • NameIDFormat: Select 2.0 persistent.

    Configuration example: (screenshot not included)

  5. In the Application Settings section, click Download next to IdP Metadata.

  6. Click Save to save the application.

Other operations

In the Access Settings section on the Security page of your instance, you can view and modify SAML authentication configurations, or disable SAML authentication.

  • View the SAML authentication configuration: Next to SAML Authentication, click Modify to view the SAML authentication configuration.

  • Modify the SAML authentication configuration: Click Modify next to SAML Authentication, then:

    • In the upper-right corner of the Elasticsearch Configurations section, click Edit to re-upload the IdP metadata or edit the YML parameters. After the modification, the system restarts the cluster.

    • Association of Elasticsearch Custom Role: You cannot modify the associated role. You can modify the permissions of the es_saml1_default role in Kibana.

    • In the upper-right corner of the Kibana Configurations area, click Edit to modify the Kibana logon configurations. This change restarts the Kibana nodes.

  • Disable SAML authentication: Turn off the SAML Authentication switch and click OK in the dialog box that appears. The change takes effect after the cluster restarts.

Note

After you confirm to disable SAML authentication, the current SAML authentication configuration will be purged.

Kibana public port is 5601

Step 1: Configure an IDaaS SAML application

  1. Log on to the IDaaS console.

  2. Click the ID of the target IDaaS instance.

  3. Add an application.

    1. In the left menu bar, click Application Management > Applications.

    2. On the Applications page, click Add Application.

    3. Click the Standard Protocols tab.

    4. In the SAML 2.0 area, click Add Application.

    5. Enter an Application Name and click Add.

  4. Under Sign-In, on the SSO tab, complete the SSO for the application.

  5. Configure the parameters that are described in the following table. You can retain the default values for other parameters. For more information, see IDaaS configuration field descriptions.

    • ACS URL: This ACS endpoint accepts identity verification information from the IdP and supports only SAML HTTP-POST binding. It is typically configured as ${kibana-url}:5601/api/security/v1/saml.

    • SP Entity ID: The URL of the Service Provider (SP). In this topic, the service provider is Kibana. Set this value to ${kibana-url}:5601.

    • Authorize: Select the authorization scope. If you select manual authorization, you need to assign permissions on the Authorize tab.

    • NameIDFormat: Select 2.0 persistent.

    Configuration example: (screenshot not included)

  6. In the Application Settings section, click Download for IdP Metadata.

    The downloaded file is the IDaaS SAML metadata configuration file. Save this file for later use.

  7. To save the application, click Save.

Step 2: Create a custom role and configure elastic SAML

  1. Log on to the Kibana console of the target instance. For more information, see log on to the Kibana console.

  2. Create a role.

  3. Map the role to SAML.

    PUT /_security/role_mapping/idaas-test
    {
      "roles": ["<admin_role>"],
      "enabled": true,
      "rules": {
        "field": { "realm.name": "saml1" }
      }
    }
    • Replace idaas-test with the name of the IDaaS service account created in Step 1.

    • Replace <admin_role> with the name of the role that you created in the previous step.

  4. Create the YAML configuration files for Elasticsearch and Kibana and add the SAML information.

    Note

    The YML parameter information must be consistent with the SAML information that you configured in Configure an IDaaS SAML application.

    • Content of the elasticsearch.yml configuration file

      #elasticsearch.yml configuration
      
      xpack.security.authc.token.enabled: 'true'
      xpack.security.authc.realms.saml.saml1:
        order: 2
        idp.metadata.path: saml/metadata.xml
        idp.entity_id: "https://es-cn-n6xxxxxx1d.elasticsearch.aliyuncs.com/"
        sp.entity_id: "https://es-cn-n6xxxxxx1d.kibana.elasticsearch.aliyuncs.com:5601/"
        sp.acs: "https://es-cn-n6xxxxxx1d.kibana.elasticsearch.aliyuncs.com:5601/api/security/v1/saml"
        attributes.principal: "nameid:persistent"
        attributes.groups: "roles"

      • xpack.security.authc.token.enabled: Specifies whether to enable the token service. This parameter must be set to true to configure SAML single sign-on. For more information, see saml-enable-token.

      • xpack.security.authc.realms.saml.saml1: The identity authentication realm. In this example, saml1 is used. For more information about realms, see Realms.

      • order: The priority of the realm. A smaller value indicates a higher priority.

        Note

        V8.x requires a unique value for order. We recommend using 2.

      • idp.metadata.path: The path to the IdP metadata file.

      • idp.entity_id: The identifier used by the IdP. It must match the EntityID in the metadata file.

      • sp.entity_id: The unique identifier of the Kibana instance. This is the same as the SP Entity ID of the SAML application. Set this value if you add Kibana as an SP for the IdP. We recommend setting this to the Kibana URL.

        Important

        Ensure that the parameter value is consistent with your business environment. If you use a reverse proxy to access Kibana instead of accessing Kibana directly using a URL, set this parameter to the address and port of the reverse proxy.

      • sp.acs: The Assertion Consumer Service (ACS) endpoint. The value must be the same as the ACS URL of the single sign-on address for the SAML application. This endpoint receives identity verification information from the IdP, supports only SAML HTTP-POST binding, and is typically configured as ${kibana-url}:5601/api/security/v1/saml.

        Note

        ${kibana-url} is the Internet address of Kibana.

      • attributes.principal: Assertion information. For more information, see Attribute mapping.

      • attributes.groups: Assertion information. For more information, see Attribute mapping.

    • Content of the kibana.yml configuration file

      Important

      This configuration applies only to version 7.10 instances. The Kibana configuration may vary significantly between different versions. You can adjust the configuration as needed. For more information, see Configuring Kibana.

      # kibana configuration
      
      xpack.security.authc.providers:
        saml.saml1:
          order: 0
          realm: "saml1"
        basic.basic1:
          order: 1
          icon: "logoElasticsearch"
          hint: "Typically for administrators"

      • xpack.security.authc.providers: Add a SAML provider to set Kibana to use SAML SSO as the authentication method.

      • xpack.security.authc.providers.saml.<provider-name>.realm: Sets the SAML realm name. Replace <provider-name> with the realm name configured in elasticsearch.yml. In this example, it is saml1.

      • xpack.security.authc.providers.basic.basic1: After you configure SAML for Kibana, only users who pass SAML authentication can log on to Kibana. To enable basic authentication on the Kibana logon page, specify the basic.basic1 configuration. This is especially useful in test environments where you may need to use the elastic username and password to log on to the cluster to create roles and role mappings. After you specify this configuration, an entry point for basic authentication is added to the Kibana logon page. For more information, see Authentication in Kibana.

      Note

      If users do not need to use basic authentication to log on to the Kibana console, you do not need to set up basic authentication in kibana.yml.
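As an added consistency check (not part of this topic and not Alibaba Cloud's or Elastic's own tooling), the following Python script compares the saml1 realm settings from elasticsearch.yml with the IDaaS IdP metadata downloaded in Step 1 before the files are submitted: it verifies that idp.entity_id matches the metadata EntityID, that the token service is enabled, that the IdP advertises the persistent NameID format and an HTTP-Redirect SSO endpoint, and that sp.acs sits under sp.entity_id and ends with /api/security/v1/saml. The hostnames and metadata contents are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ACS_PATH = "/api/security/v1/saml"


def check_saml_realm(realm, token_enabled, metadata_xml):
    """Return findings for the saml1 realm; an empty list means it is consistent."""
    findings = []
    if str(token_enabled).lower() != "true":  # token service is required for SAML
        findings.append("xpack.security.authc.token.enabled must be true")
    root = ET.fromstring(metadata_xml)
    idp_entity = root.get("entityID")  # EntityID that idp.entity_id must match
    if realm.get("idp.entity_id") != idp_entity:
        findings.append(f"idp.entity_id does not match metadata entityID {idp_entity!r}")
    sso = root.findall(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)
    if REDIRECT not in {e.get("Binding") for e in sso}:
        findings.append("IdP metadata advertises no HTTP-Redirect SingleSignOnService")
    formats = {e.text for e in root.findall(".//md:IDPSSODescriptor/md:NameIDFormat", NS)}
    if realm.get("attributes.principal") == "nameid:persistent" and PERSISTENT not in formats:
        findings.append("attributes.principal is nameid:persistent but the IdP does not offer it")
    sp, acs = realm.get("sp.entity_id", ""), realm.get("sp.acs", "")
    if not sp.startswith("https://"):  # the cluster must have HTTPS enabled
        findings.append("sp.entity_id must be an https URL")
    if not acs.endswith(ACS_PATH):
        findings.append(f"sp.acs must end with {ACS_PATH}")
    if not acs.startswith(sp.rstrip("/") + "/"):
        findings.append("sp.acs is not under sp.entity_id (check Kibana URL, port or proxy)")
    return findings


# Constructed sample inputs with placeholder hostnames, not real endpoints.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idaas.example.com/saml/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idaas.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

GOOD_REALM = {  # keys as nested under xpack.security.authc.realms.saml.saml1
    "idp.entity_id": "https://idaas.example.com/saml/idp",
    "sp.entity_id": "https://kibana.example.com:5601/",
    "sp.acs": "https://kibana.example.com:5601/api/security/v1/saml",
    "attributes.principal": "nameid:persistent",
}
# Same realm, but idp.entity_id copied from the ES endpoint instead of the IdP metadata.
BAD_REALM = dict(GOOD_REALM, **{"idp.entity_id": "https://es.example.com/"})
```

Run `check_saml_realm(realm, token_enabled, metadata_xml)` on your own values; a non-empty result lists what to correct before the cluster restart.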

Step 3: Submit the files

Submit the following files to Alibaba Cloud Elasticsearch technical support:

  • The IDaaS SAML metadata configuration file. A technical support engineer uploads it to the config/saml path in Elasticsearch.

  • The elasticsearch.yml configuration file. Technical support will update your cluster's YML file based on the content that you submit.

  • The kibana.yml configuration file. Technical support will update your cluster's YML file based on the content that you submit.

Step 4: Verify SSO to Kibana

After technical support completes the configuration, verify SSO for Kibana.

  1. Go to the Kibana console logon page. Click Log in with saml/saml1.

    For more information, see Log on to the Kibana console.

  2. Enter your IDaaS account and click Submit.

    You are then logged on to the Kibana page.