Commit Graph

6 Commits

Author SHA1 Message Date
Yogesh Gaikwad 1701934dd4 SAML: Support multiple decryption keys for SP (elastic/x-pack-elasticsearch#4289)
- Changes in build SAML SP metadata to support multiple
  encryption keys.
- Changes in Saml metadata command to support the use of
   protected keystores.
- Changes to export and set proper usage type in key
   descriptors of SP saml metadata XML.
- Changes in SAML realm to create chaining key info
   credential resolver backed by Collection of encryption
   keys as per SP configuration.
- Unit tests and test enhancements

relates elastic/x-pack-elasticsearch#3980,elastic/x-pack-elasticsearch#4293

Original commit: elastic/x-pack-elasticsearch@e02ebcc9e6
2018-04-16 17:17:39 +10:00
Tim Vernum 411f683521 Document ssl.verification_mode (elastic/x-pack-elasticsearch#4253)
It is common for users to wish to adjust the verification_mode in SSL
settings, usually with the intention of skipping hostname
verification. This has been supported for a long time, but the
relevant configuration setting was not clearly documented, which would
sometimes lead users to set `verification_mode` to `none`, and disable
more checks than they intended.

This commit adds clearer documentation regarding the options available
for `verification_mode` and actively discourages the use of `none`.

Original commit: elastic/x-pack-elasticsearch@2fdf53b42f
2018-04-10 20:27:23 +10:00
Yogesh Gaikwad ed6a6af64c SAML: Make alias for signing key optional (elastic/x-pack-elasticsearch#4248)
We specify an alias for signing key, but when we just have
a single key in key store this is an additional setting which
is annoying. This PR addresses this issue by making it optional.

- Changes in SamlRealmSettings to make signing/encryption
  key alias optional
- Checks if none of the keys are useful for given operation
  signing or encryption throws an error.
- Checks for no of aliases in key-store, if more than one and alias
  is not specified throws error.
- If an alias is not specified and there is just one alias in
  keystore then use it as the credential.
- Unit Tests

Note: A side effect of this change the above-mentioned behavior is
it's also applicable for encryption keys currently, but it is going
to change when fixing elastic/x-pack-elasticsearch#3980 for supporting multiple encryption keys.

relates elastic/x-pack-elasticsearch#3981

Original commit: elastic/x-pack-elasticsearch@2b5af1d8a8
2018-04-06 10:43:35 +10:00
Ioannis Kakavas 1cc20c4c59 [DOCS] Explain possible values for IDP EntityID (elastic/x-pack-elasticsearch#3875)
Resolves elastic/x-pack-elasticsearch#3865

Original commit: elastic/x-pack-elasticsearch@9102bc1a61
2018-03-09 14:07:51 +02:00
Tim Vernum c4582cdcd0 Additional settings for SAML NameID policy (elastic/x-pack-elasticsearch#3969)
* Additional settings for SAML NameID policy

We should not be populating SPNameQualifier by default as it is
intended to be used to specify an alternate SP EntityID rather than
our own. Some IdPs (ADFS) fail when presented with this value.

This commit
- makes the SPNameQualifier a setting that defaults to blank
- adds a setting for "AllowCreate"
- documents the above

Original commit: elastic/x-pack-elasticsearch@093557e88f
2018-02-20 13:51:42 +11:00
Tim Vernum 80b5ac9562 [DOC] SAML documentation (elastic/x-pack-elasticsearch#3657)
Includes:
- docs for new realm type "saml"
- docs for new settings for SAML realms
- a guide for setting up SAML accross ES + Kibana

Original commit: elastic/x-pack-elasticsearch@85f8f6d409
2018-02-05 12:22:54 +11:00