848 lines
38 KiB
Plaintext
848 lines
38 KiB
Plaintext
[role="xpack"]
|
|
[[saml-guide]]
|
|
|
|
== Configuring SAML single-sign-on on the {stack}
|
|
|
|
The Elastic Stack supports SAML single-sign-on (SSO) into {kib}, using {es} as
|
|
a backend service. In SAML terminology, the Elastic Stack is operating as a
|
|
_Service Provider_.
|
|
|
|
The other component that is needed to enable SAML single-sign-on is the
|
|
_Identity Provider_, which is a service that handles your credentials and
|
|
performs that actual authentication of users.
|
|
|
|
If you are interested in configuring SSO into {kib}, then you will need to
|
|
provide {es} with information about your _Identity Provider_, and you will need
|
|
to register the Elastic Stack as a known _Service Provider_ within that
|
|
Identity Provider. There are also a few configuration changes that are
|
|
required in {kib} to activate the SAML authentication provider.
|
|
|
|
NOTE: The SAML support in {kib} is designed on the expectation that it will be
|
|
the primary (or sole) authentication method for users of that {kib} instance.
|
|
Once you enable SAML authentication in {kib} it will affect all users who try
|
|
to login. The <<saml-kibana>> section provides more detail about how this works.
|
|
|
|
[[saml-guide-idp]]
|
|
=== The identity provider
|
|
|
|
The Elastic Stack supports the SAML 2.0 _Web Browser SSO_ and the SAML
|
|
2.0 _Single Logout_ profiles and can integrate with any Identity Provider (IdP)
|
|
that supports at least the SAML 2.0 _Web Browser SSO Profile_.
|
|
It has been tested with a number of popular IdP implementations.
|
|
|
|
This guide assumes that you have an existing IdP and wish to add {kib} as a
|
|
Service Provider.
|
|
|
|
The Elastic Stack uses a standard SAML _metadata_ document, in XML format that
|
|
defines the capabilities and features of your IdP. You should be able to
|
|
download or generate such a document within your IdP administration interface.
|
|
|
|
Download the IdP metadata document and store it within the `config` directory on
|
|
each {es} node. For the purposes of this guide, we will assume that you are
|
|
storing it as `config/saml/idp-metadata.xml`.
|
|
|
|
The IdP will have been assigned an identifier (_EntityID_ in SAML terminology)
|
|
which is most commonly expressed in _Uniform Resource Identifier_ (URI) form.
|
|
Your admin interface may tell you what this is, or you might need to
|
|
read the metadata document to find it - look for the `entityID` attribute on the
|
|
`EntityDescriptor` element.
|
|
|
|
Most IdPs will provide an appropriate metadata file with all the features that
|
|
the Elastic Stack requires, and should only require the configuration steps
|
|
described below. For completeness sake, the minimum requirements that the Elastic
|
|
Stack has for the IdP's metadata are:
|
|
|
|
- An `<EntityDescriptor>` with an `entityID` that matches the {es}
|
|
<<saml-create-realm, configuration>>
|
|
- An `<IDPSSODescriptor>` that supports the SAML 2.0 protocol
|
|
(`urn:oasis:names:tc:SAML:2.0:protocol`).
|
|
- At least one `<KeyDescriptor>` that is configured for _signing_ (that is, it
|
|
has `use="signing"` or leaves the `use` unspecified)
|
|
- A `<SingleSignOnService>` with binding of HTTP-Redirect
|
|
(`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`)
|
|
- If you wish to support <<saml-logout, Single Logout>>, a `<SingleLogoutService>`
|
|
with binding of HTTP-Redirect
|
|
(`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`)
|
|
|
|
The Elastic Stack requires that all messages from the IdP are signed.
|
|
For authentication `<Response>` messages, the signature may be applied to either
|
|
the response itself, or to the individual assertions.
|
|
For `<LogoutRequest>` messages, the message itself must be signed, and the
|
|
signature should be provided as a URL parameter, as required by the HTTP-Redirect
|
|
binding.
|
|
|
|
[[saml-guide-authentication]]
|
|
=== Configure {es} for SAML authentication
|
|
|
|
There are five configuration steps to enable SAML authentication in {es}:
|
|
|
|
. <<saml-enable-http,Enable SSL/TLS for HTTP>>
|
|
. <<saml-enable-token,Enable the Token Service>>
|
|
. <<saml-create-realm,Create one or more SAML realms>>
|
|
. <<saml-role-mapping,Configure role mappings>>
|
|
. Generate a SAML Metadata file for use by your Identity Provider _(optional)_
|
|
|
|
[[saml-enable-http]]
|
|
==== Enable TLS for HTTP
|
|
|
|
If your {es} cluster is operating in production mode, then you must
|
|
configure the HTTP interface to use SSL/TLS before you can enable SAML
|
|
authentication.
|
|
|
|
For more information, see
|
|
{ref}/configuring-tls.html#tls-http[Encrypting HTTP Client Communications].
|
|
|
|
[[saml-enable-token]]
|
|
==== Enable the token service
|
|
|
|
The {es} SAML implementation makes use of the {es} Token Service. This service
|
|
is automatically enabled if you configure TLS on the HTTP interface, and can be
|
|
explicitly configured by including the following in your `elasticsearch.yml` file:
|
|
|
|
[source, yaml]
|
|
------------------------------------------------------------
|
|
xpack.security.authc.token.enabled: true
|
|
------------------------------------------------------------
|
|
|
|
[[saml-create-realm]]
|
|
==== Create a SAML realm
|
|
|
|
SAML authentication is enabled by configuring a SAML realm within the
|
|
authentication chain for {es}.
|
|
|
|
This realm has a few mandatory settings, and a number of optional settings.
|
|
The available settings are described in detail in the
|
|
<<saml-settings, SAML realm documentation>>, this guide will walk you through
|
|
the most common settings.
|
|
|
|
Create a realm by adding the following to your `elasticsearch.yml`
|
|
configuration file. Each configuration value is explained below.
|
|
|
|
[source, yaml]
|
|
------------------------------------------------------------
|
|
xpack.security.authc.realms.saml.saml1:
|
|
order: 2
|
|
idp.metadata.path: saml/idp-metadata.xml
|
|
idp.entity_id: "https://sso.example.com/"
|
|
sp.entity_id: "https://kibana.example.com/"
|
|
sp.acs: "https://kibana.example.com/api/security/v1/saml"
|
|
sp.logout: "https://kibana.example.com/logout"
|
|
attributes.principal: "urn:oid:0.9.2342.19200300.100.1.1"
|
|
attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1."
|
|
------------------------------------------------------------
|
|
|
|
IMPORTANT: SAML is used when authenticating via {kib}, but it is not an
|
|
effective means of authenticating directly to the {es} REST API. For this reason
|
|
we recommend that you include at least one additional realm such as the
|
|
<<native-realm, native realm>> in your authentication chain for use by API
|
|
clients.
|
|
|
|
The configuration values used in the example above are:
|
|
|
|
xpack.security.authc.realms.saml.saml1::
|
|
This defines a new `saml` authentication realm named "saml1".
|
|
See <<realms>> for more explanation of realms.
|
|
|
|
order::
|
|
You should define a unique order on each realm in your authentication chain.
|
|
It is recommended that the SAML realm be at the bottom of your authentication
|
|
chain (that is, that it has the _highest_ order).
|
|
|
|
idp.metadata.path::
|
|
This is the path to the metadata file that you saved for your Identity Provider.
|
|
The path that you enter here is relative to your `config/` directory.
|
|
{es} will automatically monitor this file for changes and will
|
|
reload the configuration whenever it is updated.
|
|
|
|
idp.entity_id::
|
|
This is the identifier (SAML EntityID) that your IdP uses.
|
|
It should match the `entityID` attribute within the metadata file.
|
|
|
|
sp.entity_id::
|
|
This is a unique identifier for your {kib} instance, expressed as a URI.
|
|
You will use this value when you add {kib} as a service provider within your IdP.
|
|
We recommend that you use the base URL for your {kib} instance as the entity ID.
|
|
|
|
sp.acs::
|
|
The _Assertion Consumer Service_ (ACS) endpoint is the URL within {kib} that accepts
|
|
authentication messages from the IdP.
|
|
This ACS endpoint supports the SAML HTTP-POST binding only.
|
|
It must be a URL that is accessible from the web browser of the user who is
|
|
attempting to login to {kib}, it does not need to be directly accessible by {es}
|
|
or the IdP.
|
|
The correct value may vary depending on how you have installed {kib} and
|
|
whether there are any proxies involved, but it will typically be
|
|
+$\{kibana-url}/api/security/v1/saml+ where _$\{kibana-url}_ is the base URL for
|
|
your {kib} instance.
|
|
|
|
sp.logout::
|
|
This is the URL within {kib} that accepts logout messages from the IdP.
|
|
Like the `sp.acs` URL, it must be accessible from the web browser, but does
|
|
not need to be directly accessible by {es} or the IdP. The correct value may
|
|
vary depending on how you have installed {kib} and whether there are any
|
|
proxies involved, but it will typically be +$\{kibana-url}/logout+ where
|
|
_$\{kibana-url}_ is the base URL for your {kib} instance.
|
|
|
|
attribute.principal:: See <<saml-attribute-mapping>>.
|
|
attribute.groups:: See <<saml-attribute-mapping>>.
|
|
|
|
[[saml-attribute-mapping]]
|
|
==== Attribute mapping
|
|
|
|
When a user connects to {kib} through your Identity Provider, the Identity
|
|
Provider will supply a SAML Assertion about the user. The assertion will contain
|
|
an _Authentication Statement_ indicating that the user has successfully
|
|
authenticated to the IdP and one or more _Attribute Statements_ that will
|
|
include _Attributes_ for the user.
|
|
|
|
These attributes may include such things as:
|
|
|
|
- the user's username
|
|
- the user's email address
|
|
- the user's groups or roles
|
|
|
|
Attributes in SAML are named using a URI such as
|
|
`urn:oid:0.9.2342.19200300.100.1.1` or
|
|
`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`, and have one or
|
|
more values associated with them.
|
|
|
|
These attribute identifiers vary between IdPs, and most IdPs offer ways to
|
|
customize the URIs and their associated value.
|
|
|
|
{es} uses these attributes to infer information about the user who has
|
|
logged in, and they can be used for role mapping (below).
|
|
|
|
In order for these attributes to be useful, {es} and the IdP need to have a
|
|
common value for the names of the attributes. This is done manually, by
|
|
configuring the IdP and the SAML realm to use the same URI name for
|
|
each logical user attribute.
|
|
|
|
The recommended steps for configuring these SAML attributes are as follows:
|
|
|
|
. Consult your IdP to see what user attributes it can provide.
|
|
This varies greatly between providers, but you should be able to obtain a list
|
|
from the documentation, or from your local admin.
|
|
|
|
. Read through the list of <<saml-user-properties, user properties>> that {es}
|
|
supports, and decide which of them are useful to you, and can be provided by
|
|
your IdP. At a _minimum_, the `principal` attribute is required.
|
|
|
|
. Configure your IdP to "release" those attributes to your {kib} SAML service
|
|
provider. This process varies by provider - some will provide a user interface
|
|
for this, while others may require that you edit configuration files.
|
|
Usually the IdP (or your local administrator) will have suggestions about what
|
|
URI to use for each attribute. You can simply accept those suggestions, as the
|
|
{es} service is entirely configurable and does not require that any specific
|
|
URIs are used.
|
|
|
|
. Configure the SAML realm in {es} to associate the {es} user properties (see
|
|
<<saml-user-properties, the listing>> below), to the URIs that you configured
|
|
in your IdP. In the example above, we have configured the `principal` and
|
|
`groups` attributes.
|
|
|
|
===== Special attribute names
|
|
|
|
In general, {es} expects that the configured value for an attribute will be a
|
|
URI such as `urn:oid:0.9.2342.19200300.100.1.1`, however there are some
|
|
additional names that can be used:
|
|
|
|
`nameid`::
|
|
This uses the SAML `NamedID` value instead of a SAML attribute. SAML
|
|
`NameID` elements are an optional, but frequently provided, field within a
|
|
SAML Assertion that the IdP may use to identify the Subject of that
|
|
Assertion. In some cases the `NameID` will relate to the user's login
|
|
identifier (username) within the IdP, but in many cases they will be
|
|
internally generated identifiers that have no obvious meaning outside
|
|
of the IdP.
|
|
|
|
`nameid:persistent`::
|
|
This uses the SAML `NameID` value, but only if the NameID format is
|
|
`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`.
|
|
A SAML `NameID` element has an optional `Format` attribute that indicates
|
|
the semantics of the provided name. It is common for IdPs to be configured
|
|
with "transient" NameIDs that present a new identifier for each session.
|
|
Since it is rarely useful to use a transient NameID as part of an attribute
|
|
mapping, the "nameid:persistent" attribute name can be used as a safety
|
|
mechanism that will cause an error if you attempt to map from a `NameID`
|
|
that does not have a persistent value.
|
|
|
|
_friendlyName_::
|
|
A SAML attribute may have a _friendlyName_ in addition to its URI based name.
|
|
For example the attribute with a name of `urn:oid:0.9.2342.19200300.100.1.1`
|
|
might also have a friendlyName of `uid`.
|
|
You may use these friendly names within an attribute mapping, but it is
|
|
recommended that you use the URI based names, as friendlyNames are neither
|
|
standardized or mandatory.
|
|
|
|
The example below configures a realm to use a persistent nameid for the principal,
|
|
and the attribute with the friendlyName "roles" for the user's groups.
|
|
|
|
[source, yaml]
|
|
------------------------------------------------------------
|
|
xpack.security.authc.realms.saml.saml1:
|
|
order: 2
|
|
idp.metadata.path: saml/idp-metadata.xml
|
|
idp.entity_id: "https://sso.example.com/"
|
|
sp.entity_id: "https://kibana.example.com/"
|
|
sp.acs: "https://kibana.example.com/api/security/v1/saml"
|
|
attributes.principal: "nameid:persistent"
|
|
attributes.groups: "roles"
|
|
------------------------------------------------------------
|
|
|
|
[[saml-user-properties]]
|
|
===== {es} user properties
|
|
|
|
The {es} SAML realm can be configured to map SAML `attributes` to the
|
|
following properties on the authenticated user:
|
|
|
|
principal:: _(Required)_
|
|
This is the _username_ that will be applied to a user that authenticates
|
|
against this realm.
|
|
The `principal` appears in places such as the {es} audit logs.
|
|
|
|
groups:: _(Recommended)_
|
|
If you wish to use your IdP's concept of groups or roles as the basis for a
|
|
user's {es} privileges, you should map them with this attribute.
|
|
The `groups` are passed directly to your
|
|
<<saml-role-mapping, role mapping rules>>
|
|
|
|
name:: _(Optional)_ The user's full name.
|
|
mail:: _(Optional)_ The user's email address.
|
|
dn:: _(Optional)_ The user's X.500 _Distinguished Name_.
|
|
|
|
===== Extracting partial values from SAML attributes
|
|
|
|
There are some occasions where the IdP's attribute may contain more information
|
|
than you wish to use within {es}. A common example of this is one where the
|
|
IdP works exclusively with email addresses, but you would like the user's
|
|
`principal` to use the _local-name_ part of the email address.
|
|
For example if their email address was `james.wong@staff.example.com`, then you
|
|
would like their principal to simply be `james.wong`.
|
|
|
|
This can be achieved using the `attribute_patterns` setting in the {es}
|
|
realm, as demonstrated in the realm configuration below:
|
|
|
|
[source, yaml]
|
|
------------------------------------------------------------
|
|
xpack.security.authc.realms.saml.saml1:
|
|
order: 2
|
|
idp.metadata.path: saml/idp-metadata.xml
|
|
idp.entity_id: "https://sso.example.com/"
|
|
sp.entity_id: "https://kibana.example.com/"
|
|
sp.acs: "https://kibana.example.com/api/security/v1/saml"
|
|
attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
|
|
attribute_patterns.principal: "^([^@]+)@staff\\.example\\.com$"
|
|
------------------------------------------------------------
|
|
|
|
In this case, the user's `principal` is mapped from an email attribute, but a
|
|
regular expression is applied to the value before it is assigned to the user.
|
|
If the regular expression matches, then the result of the first group is used as
|
|
effective value. If the regular expression does not match then the attribute
|
|
mapping fails.
|
|
|
|
In this example, the email address must belong to the `staff.example.com` domain,
|
|
and then the local-part (anything before the `@`) is used as the principal.
|
|
Any users who try to login using a different email domain will fail because the
|
|
regular expression will not match against their email address, and thus their
|
|
principal attribute - which is mandatory - will not be populated.
|
|
|
|
IMPORTANT: Small mistakes in these regular expressions can have significant
|
|
security consequences. For example, if we accidentally left off the trailing
|
|
`$` from the example above, then we would match any email address where the
|
|
domain starts with `staff.example.com`, and this would accept an email
|
|
address such as `admin@staff.example.com.attacker.net`. It is important that
|
|
you make sure your regular expressions are as precise as possible so that
|
|
you do not inadvertently open an avenue for user impersonation attacks.
|
|
|
|
[[req-authn-context]]
|
|
==== Requesting specific authentication methods
|
|
|
|
It is sometimes necessary for a SAML SP to be able to impose specific
|
|
restrictions regarding the authentication that will take place at an IdP,
|
|
in order to assess the level of confidence that it can place in
|
|
the corresponding authentication response. The restrictions might have to do
|
|
with the authentication method (password, client certificates, etc), the
|
|
user identification method during registration, and other details. {es} implements
|
|
https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf[SAML 2.0 Authentication Context], which can be used for this purpose as defined in SAML 2.0 Core
|
|
Specification.
|
|
|
|
In short, the SAML SP defines a set of Authentication Context Class Reference
|
|
values, which describe the restrictions to be imposed on the IdP, and sends these
|
|
in the Authentication Request. The IdP attempts to grant these restrictions.
|
|
If it cannot grant them, the authentication attempt fails. If the user is
|
|
successfully authenticated, the Authentication Statement of the SAML Response
|
|
contains an indication of the restrictions that were satisfied.
|
|
|
|
You can define the Authentication Context Class Reference values by using the `req_authn_context_class_ref` option in the SAML realm configuration. See
|
|
{ref}/security-settings.html#ref-saml-settings[SAML realm settings].
|
|
|
|
{es} supports only the `exact` comparison method for the Authentication Context.
|
|
When it receives the Authentication Response from the IdP, {es} examines the
|
|
value of the Authentication Context Class Reference that is part of the
|
|
Authentication Statement of the SAML Assertion. If it matches one of the
|
|
requested values, the authentication is considered successful. Otherwise, the
|
|
authentication attempt fails.
|
|
|
|
[[saml-logout]]
|
|
==== SAML logout
|
|
|
|
The SAML protocol supports the concept of Single Logout (SLO).
|
|
The level of support for SLO varies between Identity Providers.
|
|
You should consult the documentation for your IdP to determine what Logout
|
|
services it offers.
|
|
|
|
By default the Elastic Stack will support SAML SLO if the following are true:
|
|
|
|
- Your IdP metadata specifies that the IdP offers a SLO service
|
|
- You configure `sp.logout`
|
|
- The setting `idp.use_single_logout` is not `false`
|
|
|
|
===== IdP SLO service
|
|
|
|
One of the values that {es} reads from the IdP's SAML metadata is the
|
|
`<SingleLogoutService>`. In order for Single Logout to work with the Elastic
|
|
stack, {es} requires that this exist and support a binding of
|
|
`urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect`.
|
|
|
|
The Elastic Stack will send both `<LogoutRequest>` and `<LogoutResponse>`
|
|
messages to this service as appropriate.
|
|
|
|
===== The sp.logout setting
|
|
|
|
The {es} realm setting `sp.logout` specifies a URL in {kib} to which the IdP can
|
|
send both `<LogoutRequest>` and `<LogoutResponse>` messages. This service uses
|
|
the SAML HTTP-Redirect binding.
|
|
|
|
{es} will process `<LogoutRequest>` messages, and perform a global signout that
|
|
invalidates any existing {es} security tokens that are associated with the
|
|
provided SAML session.
|
|
|
|
If you do not configure a value for `sp.logout`, {es} will refuse all
|
|
`<LogoutRequest>` messages.
|
|
|
|
NOTE: It is common for IdPs to require that `LogoutRequest` messages be signed,
|
|
so you may need to configure <<saml-enc-sign,signing credentials>>.
|
|
|
|
===== The idp.use_single_logout setting
|
|
|
|
If your IdP provides a `<SingleLogoutService>` but you do not wish to use it,
|
|
you can configure `idp.use_single_logout: false` in your SAML realm, and {es}
|
|
will ignore the SLO service that your IdP provides. In this case, when a user
|
|
logs out of {kib} it will invalidate their {es} session (security token), but
|
|
will not perform any logout at the IdP.
|
|
|
|
===== Using {kib} without single logout
|
|
|
|
If your IdP does not support Single Logout, or you choose not to use it, then
|
|
{kib} will perform a "local logout" only.
|
|
|
|
This means that {kib} will invalidate the session token it is using to
|
|
communicate with {es}, but will not be able to perform any sort of invalidation
|
|
of the Identity Provider session. In most cases this will mean that {kib} users
|
|
are still considered to be logged in to the IdP. Consequently, if the user
|
|
navigates to the {kib} landing page, they will be automatically reauthenticated,
|
|
and will commence a new {kib} session without needing to enter any credentials.
|
|
|
|
The possible solutions to this problem are:
|
|
|
|
- Ask your IdP administrator or vendor to provide a Single Logout service
|
|
- If your Idp does provide a Single Logout Service, make sure it is included in
|
|
the IdP metadata file, and do _not_ set `idp.use_single_logout` to `false`.
|
|
- Advise your users to close their browser after logging out of {kib}
|
|
- Enable the `force_authn` setting on your SAML realm. This setting causes the
|
|
Elastic Stack to request fresh authentication from the IdP every time a user
|
|
attempts to log into {kib}.
|
|
This setting defaults to `false` because it can be a more cumbersome user
|
|
experience, but it can also be an effective protection to stop users
|
|
piggy-backing on existing IdP sessions.
|
|
|
|
|
|
[[saml-enc-sign]]
|
|
==== Encryption and signing
|
|
|
|
The Elastic Stack supports generating signed SAML messages (for authentication
|
|
and/or logout), verifying signed SAML messages from the IdP (for both
|
|
authentication and logout) and can process encrypted content.
|
|
|
|
You can configure {es} for signing, encryption or both, with the same
|
|
or separate keys used for each of those.
|
|
|
|
The Elastic Stack uses X.509 certificates with RSA private keys for SAML
|
|
cryptography. These keys can be generated using any standard SSL tool, including
|
|
the `elasticsearch-certutil` tool.
|
|
|
|
Your IdP may require that the Elastic Stack have a cryptographic key for signing
|
|
SAML messages, and that you provide the corresponding signing certificate within
|
|
the Service Provider configuration (either within the Elastic Stack SAML
|
|
metadata file or manually configured within the IdP administration interface).
|
|
While most IdPs do not expected authentication requests to be signed, it is
|
|
commonly the case that signatures are required for logout requests. Your IdP
|
|
will validate these signatures against the signing certificate that has been
|
|
configured for the Elastic Stack Service Provider.
|
|
|
|
Encryption certificates are rarely needed, but the Elastic Stack supports them
|
|
for cases where IdPs or local policies mandate their use.
|
|
|
|
===== Generating certificates and keys
|
|
|
|
{es} supports certificates and keys in either PEM, PKCS#12 or JKS format.
|
|
Some Identity Providers are more restrictive in the formats they support, and
|
|
will require you to provide the certificates as a file in a particular format.
|
|
You should consult the documentation for your IdP to determine what formats they
|
|
support. Since PEM format is the most commonly supported format, the examples
|
|
below will generate certificates in that format.
|
|
|
|
Using the {ref}/certutil.html[`elasticsearch-certutil`] tool, you can generate a
|
|
signing certificate with the following command:
|
|
|
|
[source, sh]
|
|
--------------------------------------------------
|
|
bin/elasticsearch-certutil cert -pem -days 1100 -name saml-sign -out saml-sign.zip
|
|
--------------------------------------------------
|
|
|
|
This will
|
|
|
|
- generate a certificate and key pair (the `cert` subcommand)
|
|
- create the files in PEM format (`-pem` option)
|
|
- generate a certificate that is valid for 3 years (`-days 1100`)
|
|
- name the certificate `saml-sign` (`-name` option)
|
|
- save the certificate and key in the `saml-sign.zip` file (`-out` option)
|
|
|
|
The generated zip archive will contain 3 files:
|
|
|
|
- `saml-sign.crt`, the public certificate to be used for signing
|
|
- `saml-sign.key`, the private key for the certificate
|
|
- `ca.crt`, a CA certificate that is not need, and can be ignored.
|
|
|
|
Encryption certificates can be generated with the same process.
|
|
|
|
===== Configuring {es} for signing
|
|
|
|
By default, {es} will sign _all_ outgoing SAML messages if a signing
|
|
key has been configured.
|
|
|
|
If you wish to use *PEM formatted* keys and certificates for signing, then
|
|
you should configure the following settings on the SAML realm:
|
|
|
|
`signing.certificate`::
|
|
The path to the PEM formatted certificate file. e.g. `saml/saml-sign.crt`
|
|
|
|
`signing.key`::
|
|
The path to the PEM formatted key file. e.g. `saml/saml-sign.key`
|
|
|
|
`signing.secure_key_passphrase`::
|
|
The passphrase for the key, if the file is encrypted. This is a
|
|
{ref}/secure-settings.html[secure setting] that must be set with the
|
|
`elasticsearch-keystore` tool.
|
|
|
|
If you wish to use *PKCS#12 formatted* files or a *Java Keystore* for
|
|
signing, then you should configure the following settings on the SAML realm:
|
|
|
|
`signing.keystore.path`::
|
|
The path to the PKCS#12 or JKS keystore. e.g. `saml/saml-sign.p12`
|
|
|
|
`signing.keystore.alias`::
|
|
The alias of the key within the keystore. e.g. `signing-key`
|
|
|
|
`signing.keystore.secure_password`::
|
|
The passphrase for the keystore, if the file is encrypted. This is a
|
|
{ref}/secure-settings.html[secure setting] that must be set with the
|
|
`elasticsearch-keystore` tool.
|
|
|
|
If you wish to sign some, but not all outgoing *SAML messages*, then you
|
|
should configure the following setting on the SAML realm:
|
|
|
|
`signing.saml_messages`::
|
|
A list of message types to sign. A message type is identified by the
|
|
_local name_ of the XML element used for the message. Supported values
|
|
are: `AuthnRequest`, `LogoutRequest` and `LogoutResponse`.
|
|
|
|
===== Configuring {es} for encrypted messages
|
|
|
|
The {es} {security-features} support a single key for message decryption. If a
|
|
key is configured, then {es} attempts to use it to decrypt
|
|
`EncryptedAssertion` and `EncryptedAttribute` elements in Authentication
|
|
responses, and `EncryptedID` elements in Logout requests.
|
|
|
|
{es} rejects any SAML message that contains an `EncryptedAssertion`
|
|
that cannot be decrypted.
|
|
|
|
If an `Assertion` contains both encrypted and plain-text attributes, then
|
|
failure to decrypt the encrypted attributes will not cause an automatic
|
|
rejection. Rather, {es} processes the available plain-text attributes
|
|
(and any `EncryptedAttributes` that could be decrypted).
|
|
|
|
If you wish to use *PEM formatted* keys and certificates for SAML encryption,
|
|
then you should configure the following settings on the SAML realm:
|
|
|
|
`encryption.certificate`::
|
|
The path to the PEM formatted certificate file. e.g. `saml/saml-crypt.crt`
|
|
|
|
`encryption.key`::
|
|
The path to the PEM formatted key file. e.g. `saml/saml-crypt.key`
|
|
|
|
`encryption.secure_key_passphrase`::
|
|
The passphrase for the key, if the file is encrypted. This is a
|
|
{ref}/secure-settings.html[secure setting] that must be set with the
|
|
`elasticsearch-keystore` tool.
|
|
|
|
If you wish to use *PKCS#12 formatted* files or a *Java Keystore* for SAML
|
|
encryption, then you should configure the following settings on the SAML realm:
|
|
|
|
`encryption.keystore.path`::
|
|
The path to the PKCS#12 or JKS keystore. e.g. `saml/saml-crypt.p12`
|
|
|
|
`encryption.keystore.alias`::
|
|
The alias of the key within the keystore. e.g. `encryption-key`
|
|
|
|
`encryption.keystore.secure_password`::
|
|
The passphrase for the keystore, if the file is encrypted. This is a
|
|
{ref}/secure-settings.html[secure setting] that must be set with the
|
|
`elasticsearch-keystore` tool.
|
|
|
|
[[saml-sp-metadata]]
|
|
=== Generating SP metadata
|
|
|
|
Some Identity Providers support importing a metadata file from the Service
|
|
Provider. This will automatically configure many of the integration options
|
|
between the IdP and the SP.
|
|
|
|
The Elastic Stack supports generating such a metadata file using the
|
|
`bin/elasticsearch-saml-metadata` command in your {es} directory.
|
|
|
|
The {ref}/saml-metadata.html[documentation for the elasticsearch-saml-metadata utility]
|
|
describes how to run it, and the available command line options.
|
|
|
|
[[saml-role-mapping]]
|
|
=== Configuring role mappings
|
|
|
|
When a user authenticates using SAML, they are identified to the Elastic Stack,
|
|
but this does not automatically grant them access to perform any actions or
|
|
access any data.
|
|
|
|
Your SAML users cannot do anything until they are assigned roles. This can be done
|
|
through either the
|
|
{ref}/security-api-put-role-mapping.html[add role mapping API], or with
|
|
<<authorization_realms, authorization realms>>.
|
|
|
|
NOTE: You cannot use {stack-ov}/mapping-roles.html#mapping-roles-file[role mapping files]
|
|
to grant roles to users authenticating via SAML.
|
|
|
|
This is an example of a simple role mapping that grants the `kibana_user` role
|
|
to any user who authenticates against the `saml1` realm:
|
|
|
|
[source,console]
|
|
--------------------------------------------------
|
|
PUT /_security/role_mapping/saml-kibana
|
|
{
|
|
"roles": [ "kibana_user" ],
|
|
"enabled": true,
|
|
"rules": {
|
|
"field": { "realm.name": "saml1" }
|
|
}
|
|
}
|
|
--------------------------------------------------
|
|
|
|
|
|
The attributes that are mapped via the realm configuration are used to process
|
|
role mapping rules, and these rules determine which roles a user is granted.
|
|
|
|
The user fields that are provided to the role
|
|
mapping are derived from the SAML attributes as follows:
|
|
|
|
- `username`: The `principal` attribute
|
|
- `dn`: The `dn` attribute
|
|
- `groups`: The `groups` attribute
|
|
- `metadata`: See <<saml-user-metadata>>
|
|
|
|
For more information, see <<mapping-roles>> and
|
|
{ref}/security-api.html#security-role-mapping-apis[role mapping APIs].
|
|
|
|
If your IdP has the ability to provide groups or roles to Service Providers,
|
|
then you should map this SAML attribute to the `attributes.groups` setting in
|
|
the {es} realm, and then make use of it in a role mapping as per the example
|
|
below.
|
|
|
|
This mapping grants the {es} `finance_data` role, to any users who authenticate
|
|
via the `saml1` realm with the `finance-team` group.
|
|
|
|
[source,console]
|
|
--------------------------------------------------
|
|
PUT /_security/role_mapping/saml-finance
|
|
{
|
|
"roles": [ "finance_data" ],
|
|
"enabled": true,
|
|
"rules": { "all": [
|
|
{ "field": { "realm.name": "saml1" } },
|
|
{ "field": { "groups": "finance-team" } }
|
|
] }
|
|
}
|
|
--------------------------------------------------
|
|
|
|
If your users also exist in a repository that can be directly accessed by {es}
|
|
(such as an LDAP directory) then you can use
|
|
<<authorization_realms, authorization realms>> instead of role mappings.
|
|
|
|
In this case, you perform the following steps:
|
|
1. In your SAML realm, assigned a SAML attribute to act as the lookup userid,
|
|
by configuring the `attributes.principal` setting.
|
|
2. Create a new realm that can lookup users from your local repository (e.g. an
|
|
`ldap` realm)
|
|
3. In your SAML realm, set `authorization_realms` to the name of the realm you
|
|
created in step 2.
|
|
|
|
[[saml-user-metadata]]
|
|
=== User metadata
|
|
|
|
By default users who authenticate via SAML will have some additional metadata
|
|
fields.
|
|
|
|
- `saml_nameid` will be set to the value of the `NameID` element in the SAML
|
|
authentication response
|
|
- `saml_nameid_format` will be set to the full URI of the NameID's `format`
|
|
attribute
|
|
- Every SAML Attribute that is provided in the authentication response
|
|
(regardless of whether it is mapped to an {es} user property), will be added
|
|
as the metadata field `saml(name)` where "name" is the full URI name of the
|
|
attribute. For example `saml(urn:oid:0.9.2342.19200300.100.1.3)`.
|
|
- For every SAML Attribute that has a _friendlyName_, will also be added as the
|
|
metadata field `saml_friendlyName` where "name" is the full URI name of the
|
|
attribute. For example `saml_mail`.
|
|
|
|
This behaviour can be disabled by adding `populate_user_metadata: false` to as
|
|
a setting in the saml realm.
|
|
|
|
[[saml-kibana]]
|
|
=== Configuring {kib}
|
|
|
|
SAML authentication in {kib} requires a small number of additional settings
|
|
in addition to the standard {kib} security configuration. The
|
|
{kibana-ref}/using-kibana-with-security.html[{kib} security documentation]
|
|
provides details on the available configuration options that you can apply.
|
|
|
|
In particular, since your {es} nodes have been configured to use TLS on the HTTP
|
|
interface, you must configure {kib} to use a `https` URL to connect to {es}, and
|
|
you may need to configure `elasticsearch.ssl.certificateAuthorities` to trust
|
|
the certificates that {es} has been configured to use.
|
|
|
|
SAML authentication in {kib} is also subject to the
|
|
`xpack.security.sessionTimeout` setting that is described in the {kib} security
|
|
documentation, and you may wish to adjust this timeout to meet your local needs.
|
|
|
|
The three additional settings that are required for SAML support are shown below:
|
|
|
|
[source, yaml]
|
|
------------------------------------------------------------
|
|
xpack.security.authc.providers: [saml]
|
|
xpack.security.authc.saml.realm: saml1
|
|
server.xsrf.whitelist: [/api/security/v1/saml]
|
|
------------------------------------------------------------
|
|
|
|
The configuration values used in the example above are:
|
|
|
|
`xpack.security.authc.providers`::
|
|
Set this to `[ saml ]` to instruct {kib} to use SAML SSO as the authentication
|
|
method.
|
|
|
|
`xpack.security.authc.saml.realm`::
|
|
Set this to the name of the SAML realm that you have used in your <<saml-create-realm,
|
|
Elasticsearch realm configuration>>, for instance: `saml1`
|
|
|
|
`server.xsrf.whitelist`::
|
|
{kib} has in-built protection against _Cross Site Request Forgery_ attacks which
|
|
are designed to prevent the {kib} server from processing requests that
|
|
originated from outside the {kib} application.
|
|
In order to support SAML authentication messages that originate from your
|
|
Identity Provider, we need to explicitly _whitelist_ the SAML authentication URL
|
|
within {kib}, so that the {kib} server will not reject these external messages.
|
|
|
|
[[saml-kibana-basic]]
|
|
==== Supporting SAML and basic authentication in {kib}
|
|
|
|
The SAML support in {kib} is designed on the expectation that it will be the
|
|
primary (or sole) authentication method for users of that {kib} instance.
|
|
However, it is possible to support both SAML and Basic authentication within a
|
|
single {kib} instance by setting `xpack.security.authc.providers` as per the
|
|
example below:
|
|
|
|
[source, yaml]
|
|
------------------------------------------------------------
|
|
xpack.security.authc.providers: [saml, basic]
|
|
------------------------------------------------------------
|
|
|
|
The order is important - this will _initiate_ SAML authentication for
|
|
unauthenticated users, but will _accept_ basic authentication.
|
|
|
|
If {kib} is configured in this way, then users who wish to login with a
|
|
username and password, can do so by directly accessing the `/login` page in
|
|
{kib}. This login will not use SAML credentials, and will rely on one of the
|
|
other security realms within {es}. Only users who have a username and password
|
|
for a configured {es} authentication realm will be able to login via this page.
|
|
|
|
Alternatively, when the `basic` authentication provider is enabled, you can
|
|
place a reverse proxy in front of {kib}, and configure it to send a basic
|
|
authentication header (`Authorization: Basic ....`) for each request.
|
|
If this header is present and valid, {kib} will not initiate the SAML
|
|
authentication process.
|
|
|
|
==== Operating multiple {kib} instances
|
|
|
|
If you wish to have multiple {kib} instances that authenticate against the same
|
|
{es} cluster, then each {kib} instance that is configured for SAML authentication,
|
|
requires its own SAML realm.
|
|
|
|
Each SAML realm must have its own unique Entity ID (`sp.entity_id`), and its own
|
|
_Assertion Consumer Service_ (`sp.acs`). Each {kib} instance will be mapped to
|
|
the correct realm by looking up the matching `sp.acs` value.
|
|
|
|
These realms may use the same Identity Provider, but are not required to.
|
|
|
|
The following is example of having 3 difference {kib} instances, 2 of which
|
|
use the same internal IdP, and another which uses a different IdP.
|
|
|
|
[source, yaml]
|
|
------------------------------------------------------------
|
|
xpack.security.authc.realms.saml.saml_finance:
|
|
order: 2
|
|
idp.metadata.path: saml/idp-metadata.xml
|
|
idp.entity_id: "https://sso.example.com/"
|
|
sp.entity_id: "https://kibana.finance.example.com/"
|
|
sp.acs: "https://kibana.finance.example.com/api/security/v1/saml"
|
|
sp.logout: "https://kibana.finance.example.com/logout"
|
|
attributes.principal: "urn:oid:0.9.2342.19200300.100.1.1"
|
|
attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1."
|
|
xpack.security.authc.realms.saml.saml_sales:
|
|
order: 3
|
|
idp.metadata.path: saml/idp-metadata.xml
|
|
idp.entity_id: "https://sso.example.com/"
|
|
sp.entity_id: "https://kibana.sales.example.com/"
|
|
sp.acs: "https://kibana.sales.example.com/api/security/v1/saml"
|
|
sp.logout: "https://kibana.sales.example.com/logout"
|
|
attributes.principal: "urn:oid:0.9.2342.19200300.100.1.1"
|
|
attributes.groups: "urn:oid:1.3.6.1.4.1.5923.1.5.1."
|
|
xpack.security.authc.realms.saml.saml_eng:
|
|
order: 4
|
|
idp.metadata.path: saml/idp-external.xml
|
|
idp.entity_id: "https://engineering.sso.example.net/"
|
|
sp.entity_id: "https://kibana.engineering.example.com/"
|
|
sp.acs: "https://kibana.engineering.example.com/api/security/v1/saml"
|
|
sp.logout: "https://kibana.engineering.example.com/logout"
|
|
attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
|
|
------------------------------------------------------------
|
|
|
|
It is possible to have one or more {kib} instances that use SAML, while other
|
|
instances use basic authentication against another realm type (e.g.
|
|
<<native-realm, Native>> or <<ldap-realm, LDAP>>).
|
|
|
|
=== Troubleshooting SAML Realm Configuration
|
|
|
|
The SAML 2.0 specification offers a lot of options and flexibility for the implementers
|
|
of the standard which in turn adds to the complexity and the number of configuration options
|
|
that are available both at the Service Provider (Elastic Stack) and at the Identity Provider.
|
|
Additionally, different security domains have different security requirements that need
|
|
specific configuration to be satisfied.
|
|
A conscious effort has been made to mask this complexity with sane defaults and the detailed
|
|
documentation above but in case you encounter issues while configuring a SAML realm, you can
|
|
look through our {stack-ov}/trb-security-saml.html[SAML troubleshooting documentation] that has
|
|
suggestions and resolutions for common issues.
|