The Elastic Stack supports SAML single-sign-on (SSO) into Kibana, using Elasticsearch as a backend service. In SAML terminology, the Elastic Stack is operating as a Service Provider.
The other component needed for SAML single sign-on is the Identity Provider, the service that holds your credentials and performs the actual authentication of users.
This article describes setting up single sign-on in Kibana (Elastic Cloud), with AWS SSO (IAM Identity Center) acting as the identity provider.
The walkthrough was done on an Elastic Cloud deployment running v8.12.0.
1) We prepare the SAML configuration from the IAM Identity Center:
In the AWS console, go to the "IAM Identity Center" section:
Next go to the section Application assignments -> Applications:
Select "Customer managed" in the "Applications" section and click "Add Application":
Fill in the required fields "Display name" and "Description". The "Display name" will subsequently be displayed in "Applications" when logging into AWS SSO:
In the "Application metadata" section, in the "Application ACS URL" field, set https://<kibana_url>/api/security/saml/callback.
In the "Application SAML audience" field, set https://<kibana_url>/ and click Submit.
Next, in the same configuration, you need to configure Attribute Mapping. IAM Identity Center uses these user attributes to populate SAML assertions (as SAML attributes) that are sent to the application. More details in the documentation https://docs.aws.amazon.com/singlesignon/latest/userguide/attributemappingsconcept.html
To configure Attribute Mapping, go to our created Application:
Click Action -> Edit Attribute Mapping:
Since we plan to differentiate permissions by user groups in Kibana, the 2 attributes shown in the screenshot are enough for us; the attribute names chosen here are the ones the Elasticsearch realm will later be configured to read. Save changes.
Let's create several user groups in the IAM Identity Center:
Kibana_admins and Kibana_developers. To do this, in the IAM Identity Center, go to the Groups -> Create Group section. We set the Group name and Description and can add users to the group.
We return to the settings of our Application and assign the created groups:
2) Now let's start setting up Elastic Cloud:
Go to https://www.elastic.co/cloud, open your deployment and choose Deployment -> Actions -> Edit Deployment:
Click "Manage user settings and extensions (0)" in the Elasticsearch settings section:
Adding the configuration:
```yaml
xpack:
  security:
    authc:
      realms:
        saml:
          saml-realm-name:
            order: 2
            attributes.principal: "nameid"
            attributes.groups: "groups"
            idp.metadata.path: "https://portal.sso.us-east-1.amazonaws.com/saml/metadata/XXXXXX"
            idp.entity_id: "https://portal.sso.us-east-1.amazonaws.com/saml/assertion/XXXXXX"
            sp.entity_id: "https://<kibana_url>/"
            sp.acs: "https://<kibana_url>/api/security/saml/callback"
            sp.logout: "https://<kibana_url>/logout"
```
You can get the idp.metadata.path and idp.entity_id values from the metadata section of the Application you prepared earlier in the IAM Identity Center. The sp.entity_id and sp.acs values must be exactly the "Application SAML audience" and "Application ACS URL" you entered there, otherwise the assertion will be rejected.
Click "Back" and go to the Kibana configuration.
```yaml
xpack.security.authc.providers:
  saml.saml1:
    order: 0
    realm: saml-realm-name
    description: "Log in with my AWS SSO"
  basic.basic1:
    order: 1
```
After adding the Kibana settings, click "Save" and confirm that you want to apply this configuration. Applying the settings takes around 15-30 minutes.
More detailed settings in the documentation https://www.elastic.co/guide/en/cloud/current/ec-securing-clusters-SAML.html
Next, we configure “Map Roles” at the Kibana level.
Go to the Kibana web interface in the section Management -> Stack Management -> Security -> Create Role Mapping.
The screenshots above show the creation of 2 role mappings: Kibana_developers_aws_sso_saml and Kibana_admins_aws_sso_saml.
The role mapping name can be anything. In the Roles section we assign the roles that give users the necessary rights, for example the superuser role for Kibana_admins_aws_sso_saml and the developer and apm_user roles for Kibana_developers_aws_sso_saml.
In the Mapping rules section, the user field "realm.name" must match saml-realm-name (the realm configured above), so that the mapping only applies to users authenticated through this SAML realm.
The user field "groups" must match the group ID from AWS IAM Identity Center. You can find it under AWS IAM Identity Center -> Groups -> select the desired group -> copy the Group ID from the General Information section.
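To make the chain from the attribute mapping, through the realm's attributes.principal / attributes.groups settings, to the role mapping rules concrete, here is an added example (written for this article, not code from Elastic or AWS). It parses a constructed SAML assertion, builds the user document the way the realm settings on the page describe, and evaluates role mapping rules of the same shape Stack Management generates. The realm name is the page's saml-realm-name; the group IDs, the user name and the assertion itself are placeholders.

```python
"""Trace a SAML assertion through realm attribute extraction and role mapping.

Added illustration for this article; not Elastic's or AWS's code. The
assertion, group IDs and user are constructed placeholders. The evaluator
covers the 'field', 'all', 'any' and 'except' rule types.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: Subject -> NameID and a "groups" attribute, matching
# the attribute mapping and the realm settings used on the page.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>group-id-kibana-developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

REALM_NAME = "saml-realm-name"
REALM_SETTINGS = {"attributes.principal": "nameid", "attributes.groups": "groups"}

# The two role mappings from the page, as Role Mapping API bodies.
# Group IDs are placeholders for the IDs copied from IAM Identity Center.
ROLE_MAPPINGS = {
    "Kibana_admins_aws_sso_saml": {
        "enabled": True,
        "roles": ["superuser"],
        "rules": {"all": [{"field": {"realm.name": REALM_NAME}},
                          {"field": {"groups": "group-id-kibana-admins"}}]},
    },
    "Kibana_developers_aws_sso_saml": {
        "enabled": True,
        "roles": ["developer", "apm_user"],
        "rules": {"all": [{"field": {"realm.name": REALM_NAME}},
                          {"field": {"groups": "group-id-kibana-developers"}}]},
    },
}


def extract_user(assertion_xml, realm_settings, realm_name):
    """Build the user document that role mapping rules are evaluated against."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is not None:
        attrs["nameid"] = [name_id.text]
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    principal_attr = realm_settings["attributes.principal"]
    if principal_attr not in attrs:
        # A mis-named principal attribute means the login fails, not a silent default.
        raise ValueError(f"assertion lacks principal attribute {principal_attr!r}")
    return {
        "username": attrs[principal_attr][0],
        "groups": attrs.get(realm_settings.get("attributes.groups"), []),
        "realm": {"name": realm_name},
    }


def _lookup(user, dotted):
    """Resolve a 'realm.name'-style path; always returns a list of values."""
    node = user
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return node if isinstance(node, list) else [node]


def _value_matches(expected, actual):
    # String patterns support '*' wildcards; other types need equality.
    if isinstance(expected, str) and isinstance(actual, str):
        pattern = ".*".join(re.escape(p) for p in expected.split("*"))
        return re.fullmatch(pattern, actual) is not None
    return expected == actual


def evaluate_rule(rule, user):
    """Evaluate one role mapping rule against the user document."""
    if "field" in rule:
        (path, expected), = rule["field"].items()
        expected_values = expected if isinstance(expected, list) else [expected]
        actual_values = _lookup(user, path)
        if expected is None:  # null matches an absent or empty field
            return not actual_values
        # Multi-valued fields such as groups match if any value matches.
        return any(_value_matches(e, a) for e in expected_values for a in actual_values)
    if "all" in rule:
        return all(evaluate_rule(r, user) for r in rule["all"])
    if "any" in rule:
        return any(evaluate_rule(r, user) for r in rule["any"])
    if "except" in rule:
        return not evaluate_rule(rule["except"], user)
    raise ValueError(f"unknown rule type: {list(rule)}")


def resolve_roles(user, mappings):
    """Union of roles from every enabled mapping whose rules match the user."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate_rule(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


if __name__ == "__main__":
    user = extract_user(SAMPLE_ASSERTION, REALM_SETTINGS, REALM_NAME)
    print(user)
    print(resolve_roles(user, ROLE_MAPPINGS))  # ['apm_user', 'developer']
```

Two things the example makes visible: the "realm.name" rule is what stops a user with the same group value in a different realm from inheriting these roles, and a user whose assertion carries no "groups" attribute (for example because the attribute mapping was not saved) gets no roles at all rather than a default.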
After applying all the specified settings, you can proceed to testing.
When we open the Kibana start page, we see a new login option.
After logging in through AWS SSO, the user has exactly the privileges granted by the matching entries in "Role Mapping".