2018-05-22 11:50:35 -04:00
|
|
|
[role="xpack"]
|
|
|
|
[[configuring-saml-realm]]
|
|
|
|
=== Configuring a SAML realm
|
|
|
|
|
|
|
|
The {stack} supports Security Assertion Markup Language Single Sign On (SAML SSO)
|
|
|
|
into {kib} with {es} as a backend service. In particular, the {stack} supports
|
|
|
|
the SAML 2.0 Web Browser SSO and the SAML 2.0 Single Logout profiles. It can
|
|
|
|
integrate with any identity provider (IdP) that supports at least the SAML 2.0
|
|
|
|
Web Browser SSO Profile.
|
|
|
|
|
|
|
|
In SAML terminology, the {stack} is operating as a _service provider_ (SP). For more
|
|
|
|
information, see {stack-ov}/saml-realm.html[SAML authentication] and
|
|
|
|
{stack-ov}/saml-guide.html[Configuring SAML SSO on the {stack}].
|
|
|
|
|
|
|
|
[NOTE]
|
|
|
|
--
|
|
|
|
|
|
|
|
* If you configure a SAML realm for use in {kib}, you should also configure
|
|
|
|
another realm, such as the native realm in your authentication chain.
|
|
|
|
* These instructions assume that you have an existing SAML identity provider.
|
|
|
|
--
|
|
|
|
|
|
|
|
To enable SAML authentication in {es} and add the {stack} as a service provider:
|
|
|
|
|
|
|
|
. Enable SSL/TLS for HTTP.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
If your {es} cluster is operating in production mode, you must
|
|
|
|
configure the HTTP interface to use TLS before you can enable SAML
|
|
|
|
authentication.
|
|
|
|
|
|
|
|
See <<tls-http>>.
|
|
|
|
--
|
|
|
|
|
|
|
|
. Enable the Token Service.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
The {es} SAML implementation makes use of the {es} Token Service. This service
|
|
|
|
is automatically enabled if you configure TLS on the HTTP interface. You can
|
|
|
|
explicitly enable it by including the following setting in your
|
|
|
|
`elasticsearch.yml` file:
|
|
|
|
|
|
|
|
[source, yaml]
|
|
|
|
------------------------------------------------------------
|
|
|
|
xpack.security.authc.token.enabled: true
|
|
|
|
------------------------------------------------------------
|
|
|
|
--
|
|
|
|
|
|
|
|
. Configure a SAML IdP metadata file.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
The {stack} uses a standard SAML metadata document in XML format, which defines
|
|
|
|
the capabilities and features of your identity provider. You should be able to
|
|
|
|
download or generate such a document within your IdP administration interface.
|
|
|
|
|
|
|
|
Most IdPs will provide an appropriate metadata file with all the features that
|
|
|
|
the {stack} requires. For more information, see
|
|
|
|
{stack-ov}/saml-guide-idp.html[The identity provider].
|
|
|
|
--
|
|
|
|
|
|
|
|
.. Download the IdP metadata document and store it within the `config` directory
|
|
|
|
on each {es} node. For example, store it as `config/saml/idp-metadata.xml`.
|
|
|
|
|
|
|
|
.. Get the identifier for your identity provider.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
The IdP will have been assigned an identifier (_EntityID_ in SAML terminology),
|
|
|
|
which is most commonly expressed in Uniform Resource Identifier (URI) form. Your
|
|
|
|
admin interface might tell you what this is or you might need to read the
|
|
|
|
metadata document to find it. Look for the `entityID` attribute on the
|
|
|
|
`EntityDescriptor` element.
|
|
|
|
--
|
|
|
|
|
|
|
|
. Create one or more SAML realms.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
SAML authentication is enabled by configuring a SAML realm within the
|
|
|
|
authentication chain for {es}.
|
|
|
|
|
|
|
|
This realm has a few mandatory settings, and a number of optional settings.
|
|
|
|
The available settings are described in detail in the
|
|
|
|
<<ref-saml-settings>>. The following settings (in the `elasticsearch.yml`
|
|
|
|
configuration file) are the most common settings:
|
|
|
|
|
|
|
|
[source, yaml]
|
|
|
|
------------------------------------------------------------
|
2018-11-05 22:56:50 -05:00
|
|
|
xpack.security.authc.realms:
|
|
|
|
saml: <1>
|
|
|
|
saml1: <2>
|
|
|
|
order: 2 <3>
|
|
|
|
idp.metadata.path: saml/idp-metadata.xml <4>
|
|
|
|
idp.entity_id: "https://sso.example.com/" <5>
|
|
|
|
sp.entity_id: "https://kibana.example.com/" <6>
|
|
|
|
sp.acs: "https://kibana.example.com/api/security/v1/saml" <7>
|
|
|
|
sp.logout: "https://kibana.example.com/logout" <8>
|
2018-05-22 11:50:35 -04:00
|
|
|
------------------------------------------------------------
|
2018-11-05 22:56:50 -05:00
|
|
|
<1> The realm must be within the `xpack.security.authc.realms.saml` namespace.
|
|
|
|
<2> This setting defines a new authentication realm named "saml1". For an
|
2018-05-22 11:50:35 -04:00
|
|
|
introduction to realms, see {stack-ov}/realms.html[Realms].
|
|
|
|
<3> You should define a unique order on each realm in your authentication chain.
|
|
|
|
It is recommended that the SAML realm be at the bottom of your authentication
|
|
|
|
chain (that is, it has the _highest_ order).
|
|
|
|
<4> This is the path to the metadata file that you saved for your identity provider.
|
2018-12-19 17:53:37 -05:00
|
|
|
The path that you enter here is relative to your `config/` directory. {es}
|
2018-05-22 11:50:35 -04:00
|
|
|
automatically monitors this file for changes and reloads the configuration
|
|
|
|
whenever it is updated.
|
|
|
|
<5> This is the identifier (SAML EntityID) that your IdP uses. It should match
|
|
|
|
the `entityID` attribute within the metadata file.
|
|
|
|
<6> This is a unique identifier for your {kib} instance, expressed as a URI.
|
|
|
|
You will use this value when you add {kib} as a service provider within your IdP.
|
|
|
|
We recommend that you use the base URL for your {kib} instance as the entity ID.
|
|
|
|
<7> The Assertion Consumer Service (ACS) endpoint is the URL within {kib} that
|
|
|
|
accepts authentication messages from the IdP. This ACS endpoint supports the
|
|
|
|
SAML HTTP-POST binding only. It must be a URL that is accessible from the web
|
|
|
|
browser of the user who is attempting to login to {kib}; it does not need to be
|
|
|
|
directly accessible by {es} or the IdP. The correct value can vary depending on
|
|
|
|
how you have installed {kib} and whether there are any proxies involved, but it
|
|
|
|
is typically +$\{kibana-url}/api/security/v1/saml+ where _$\{kibana-url}_ is the
|
|
|
|
base URL for your {kib} instance.
|
|
|
|
<8> This is the URL within {kib} that accepts logout messages from the IdP.
|
|
|
|
Like the `sp.acs` URL, it must be accessible from the web browser, but does
|
|
|
|
not need to be directly accessible by {es} or the IdP. The correct value can
|
|
|
|
vary depending on how you have installed {kib} and whether there are any
|
|
|
|
proxies involved, but it will typically be +$\{kibana-url}/logout+ where
|
|
|
|
_$\{kibana-url}_ is the base URL for your {kib} instance.
|
|
|
|
|
|
|
|
IMPORTANT: SAML is used when authenticating via {kib}, but it is not an
|
|
|
|
effective means of authenticating directly to the {es} REST API. For this reason
|
|
|
|
we recommend that you include at least one additional realm such as the
|
|
|
|
native realm in your authentication chain for use by API clients.
|
|
|
|
|
|
|
|
For more information, see
|
|
|
|
{stack-ov}/saml-guide-authentication.html#saml-create-realm[Create a SAML realm].
|
|
|
|
--
|
|
|
|
|
|
|
|
. Add attribute mappings.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
When a user connects to {kib} through the identity provider, the IdP supplies a
|
|
|
|
SAML assertion that includes attributes for the user. You can configure the SAML
|
|
|
|
realm to map these attributes to properties on the authenticated user.
|
|
|
|
|
|
|
|
The recommended steps for configuring these SAML attributes are as follows:
|
|
|
|
--
|
|
|
|
.. Consult your IdP to see what user attributes it can provide. This varies
|
|
|
|
greatly between providers, but you should be able to obtain a list from the
|
|
|
|
documentation or from your local admin.
|
|
|
|
|
|
|
|
.. Read through the list of user properties that {es} supports and decide which
|
|
|
|
of them are useful to you and can be provided by your IdP. At a minimum, the
|
|
|
|
`principal` attribute is required. The `groups` attribute is recommended.
|
|
|
|
|
|
|
|
.. Configure your IdP to release those attributes to your {kib} SAML service
|
|
|
|
provider.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
This process varies by provider - some provide a user interface for this, while
|
|
|
|
others might require that you edit configuration files. Usually the IdP (or your
|
|
|
|
local administrator) have suggestions about what URI to use for each attribute.
|
|
|
|
You can simply accept those suggestions, as the {es} service is entirely
|
|
|
|
configurable and does not require that any specific URIs are used.
|
|
|
|
--
|
|
|
|
|
|
|
|
.. Configure the SAML realm to associate the {es} user properties to the URIs
|
|
|
|
that you configured in your IdP.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
For example, add the following settings to the `elasticsearch.yml` configuration
|
|
|
|
file:
|
|
|
|
|
|
|
|
[source, yaml]
|
|
|
|
------------------------------------------------------------
|
2018-11-05 22:56:50 -05:00
|
|
|
xpack.security.authc.realms.saml.saml1:
|
2018-05-22 11:50:35 -04:00
|
|
|
...
|
|
|
|
attributes.principal: "urn:oid:0.9.2342.19200300.100.1.1"
|
|
|
|
attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1."
|
|
|
|
------------------------------------------------------------
|
|
|
|
|
|
|
|
For more information, see
|
|
|
|
{stack-ov}/saml-guide-authentication.html#saml-attribute-mapping[Attribute mapping].
|
|
|
|
--
|
|
|
|
|
|
|
|
. (Optional) Configure logout services.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
The SAML protocol supports the concept of Single Logout (SLO). The level of
|
|
|
|
support for SLO varies between identity providers.
|
|
|
|
|
|
|
|
For more information, see
|
|
|
|
{stack-ov}/saml-guide-authentication.html#saml-logout[SAML logout].
|
|
|
|
--
|
|
|
|
|
|
|
|
. (Optional) Configure encryption and signing.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
The {stack} supports generating signed SAML messages (for authentication and/or
|
|
|
|
logout), verifying signed SAML messages from the IdP (for both authentication
|
|
|
|
and logout), and processing encrypted content.
|
|
|
|
|
|
|
|
You can configure {es} for signing, encryption, or both, with the same or
|
|
|
|
separate keys. For more information, see
|
|
|
|
{stack-ov}/saml-guide-authentication.html#saml-enc-sign[Encryption and signing].
|
|
|
|
--
|
|
|
|
|
|
|
|
. (Optional) Generate service provider metadata.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
There are some extra configuration steps that are specific to each identity
|
|
|
|
provider. If your identity provider can import SP metadata, some of those steps
|
|
|
|
can be automated or expedited. You can generate SP metadata for the {stack} by
|
|
|
|
using the <<saml-metadata,`elasticsearch-saml-metadata` command>>.
|
|
|
|
--
|
|
|
|
|
|
|
|
. Configure role mappings.
|
|
|
|
+
|
|
|
|
--
|
|
|
|
When a user authenticates using SAML, they are identified to the {stack},
|
|
|
|
but this does not automatically grant them access to perform any actions or
|
|
|
|
access any data.
|
|
|
|
|
2019-01-04 01:26:41 -05:00
|
|
|
Your SAML users cannot do anything until they are assigned roles. This can be done
|
|
|
|
through either the {stack-ov}/saml-role-mapping.html[role mapping API], or with
|
|
|
|
{stack-ov}/realm-chains.html#authorization_realms[authorization realms].
|
2018-08-30 23:25:27 -04:00
|
|
|
|
2019-01-11 02:22:40 -05:00
|
|
|
NOTE: You cannot use {stack-ov}/mapping-roles.html#mapping-roles-file[role mapping files]
|
2019-01-04 01:26:41 -05:00
|
|
|
to grant roles to users authenticating via SAML.
|
2018-08-30 23:25:27 -04:00
|
|
|
|
2018-05-22 11:50:35 -04:00
|
|
|
--
|
|
|
|
|
|
|
|
. {stack-ov}/saml-kibana.html[Configure {kib} to use SAML SSO].
|
|
|
|
|