73 lines
3.1 KiB
Plaintext
73 lines
3.1 KiB
Plaintext
[role="xpack"]
|
|
[[realms]]
|
|
=== Realms
|
|
|
|
Authentication in the {stack} {security-features} is handled by one or more
|
|
authentication services called _realms_. A _realm_ is used to resolve and
|
|
authenticate users based on authentication tokens. The {security-features}
|
|
provide the following built-in realms:
|
|
|
|
_native_::
|
|
An internal realm where users are stored in a dedicated {es} index.
|
|
This realm supports an authentication token in the form of username and password,
|
|
and is available by default when no realms are explicitly configured. The users
|
|
are managed via the <<security-user-apis,user management APIs>>.
|
|
See <<native-realm>>.
|
|
|
|
_ldap_::
|
|
A realm that uses an external LDAP server to authenticate the
|
|
users. This realm supports an authentication token in the form of username and
|
|
password, and requires explicit configuration in order to be used. See
|
|
<<ldap-realm>>.
|
|
|
|
_active_directory_::
|
|
A realm that uses an external Active Directory Server to authenticate the
|
|
users. With this realm, users are authenticated by usernames and passwords.
|
|
See <<active-directory-realm>>.
|
|
|
|
_pki_::
|
|
A realm that authenticates users using Public Key Infrastructure (PKI). This
|
|
realm works in conjunction with SSL/TLS and identifies the users through the
|
|
Distinguished Name (DN) of the client's X.509 certificates. See <<pki-realm>>.
|
|
|
|
_file_::
|
|
An internal realm where users are defined in files stored on each node in the
|
|
{es} cluster. This realm supports an authentication token in the form
|
|
of username and password and is always available. See <<file-realm>>.
|
|
|
|
_saml_::
|
|
A realm that facilitates authentication using the SAML 2.0 Web SSO protocol.
|
|
This realm is designed to support authentication through {kib} and is not
|
|
intended for use in the REST API. See <<saml-realm>>.
|
|
|
|
_kerberos_::
|
|
A realm that authenticates a user using Kerberos authentication. Users are
|
|
authenticated on the basis of Kerberos tickets. See <<kerberos-realm>>.
|
|
|
|
_oidc_::
|
|
A realm that facilitates authentication using OpenID Connect. It enables {es} to
|
|
serve as an OpenID Connect Relying Party (RP) and provide single sign-on (SSO)
|
|
support in {kib}. See <<oidc-guide>>.
|
|
|
|
The {stack} {security-features} also support custom realms. If you need to
|
|
integrate with another authentication system, you can build a custom realm
|
|
plugin. For more information, see
|
|
<<custom-realms>>.
|
|
|
|
==== Internal and external realms
|
|
|
|
Realm types can roughly be classified in two categories:
|
|
|
|
Internal:: Realms that are internal to Elasticsearch and don't require any
|
|
communication with external parties. They are fully managed by {stack}
|
|
{security-features}. There can only be a maximum of one configured realm per
|
|
internal realm type. The {security-features} provide two internal realm types:
|
|
`native` and `file`.
|
|
|
|
External:: Realms that require interaction with parties/components external to
|
|
{es}, typically, with enterprise grade identity management systems. Unlike
|
|
internal realms, there can be as many external realms as one would like - each
|
|
with its own unique name and configuration. The {stack} {security-features}
|
|
provide the following external realm types: `ldap`, `active_directory`, `saml`,
|
|
`kerberos`, and `pki`.
|