(SSO) for Elastic Cloud Kibana Using SAML (OKTA) - Step by Step

Izek Chen
FAUN — Developer Community 🐾
3 min read · Oct 25, 2019


Implementing SSO becomes very useful as teams grow. Okta is well known as an identity provider (IdP), in particular for SSO. Elastic is also well known for its products, including Elasticsearch and Kibana. Elastic started a hosted service (Elastic Cloud) and added features such as Hot/Warm deployments, which made it popular. Both vendors have good documentation, but when it comes to this specific integration things are not clear. I spent some time on it and communicated with support on both sides, and in this post I will show how to integrate Kibana hosted on Elastic Cloud with Okta as the IdP.

The setup can be very difficult or very simple, depending on whether you know the handful of settings that matter. Below are the few steps you actually need.

The first step is to configure the Okta side so that you can get the assertion XML. Go to the Okta Admin page and add an application, choosing a SAML 2.0 app. You then have to specify some basic information such as the app name and logo. Next come the SAML Settings, which are the important part. In particular, the following parameters must be defined:

  1. Single sign on URL: for Elastic Cloud the format is
     https://YOUR_CLUSTER_ADDRESS:9243/api/security/v1/saml
     Note that the /api/security/v1/saml path is fixed (at least at the time this post was written).
  2. Audience URI (SP Entity ID): this is exactly the URL of your Kibana in Elastic Cloud, but don't forget the trailing /:
     https://YOUR_CLUSTER_ADDRESS:9243/
  3. Name ID Format: depends on your Okta usernames. In my case it's EmailAddress.

(Screenshot: SAML setup)

  4. Group Attribute Statements: add a group attribute statement so that Okta includes the user's groups in the assertion. The attribute name you choose here has to match attributes.groups in elasticsearch.yml below, and the group names are what the role mappings later match on.

(Screenshot: Groups attribute)

  5. Assignments: assign the Okta groups that should be allowed to use this application.

  6. The Okta side is almost done now. You can review and check the guide Okta provides on how to introduce the assertion and metadata to the service provider (Kibana/Elasticsearch).

Next, set up the Elastic Cloud side. There are a few things to configure:
  1. elasticsearch.yml
  2. kibana.yml
  3. role mappings, created through the API console, the API directly, or Kibana Dev Tools

Elasticsearch.yml

# Recommended: set attributes.principal to "nameid" so the SAML NameID becomes the username
xpack:
  security:
    authc:
      realms:
        saml:
          cloud-saml:
            order: 2
            attributes.principal: "nameid"
            attributes.groups: "groups"
            idp.metadata.path: "<check with your identity provider>"
            idp.entity_id: "<check with your identity provider>"
            sp.entity_id: "KIBANA_ENDPOINT_URL/"
            sp.acs: "KIBANA_ENDPOINT_URL/api/security/v1/saml"
            sp.logout: "KIBANA_ENDPOINT_URL/logout"

Kibana.yml

# Recommended: enable the saml and basic providers at the same time, so that basic login stays available
xpack.security.authc.providers: [saml, basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.authc.saml.realm: cloud-saml

Create role mapping

# Role Mapping 1 - Operators
PUT /_security/role_mapping/saml-kibana-operators
{
  "roles": [
    "kibana_dashboard_user",
    "kibana_user",
    "Kibana_Viewer",
    "reporting_user",
    "machine_learning_user"
  ],
  "enabled": true,
  "rules": {
    "all": [
      { "field": { "realm.name": "cloud-saml" } },
      { "field": { "groups": "OK_Kibana_Operators" } }
    ]
  },
  "metadata": { "version": 1 }
}

# Role Mapping 2 - Admins
PUT /_security/role_mapping/saml-kibana-admins
{
  "enabled": true,
  "roles": [ "superuser" ],
  "rules": {
    "all": [
      { "field": { "realm.name": "cloud-saml" } },
      { "field": { "groups": "OK_Kibana_Admins" } }
    ]
  },
  "metadata": { "version": 1 }
}
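To see how the realm settings and the role mappings fit together, here is an added Python example (not from the post and not Elastic's own code) that simulates, in a simplified way, what the cloud-saml realm and the two mappings above do with an assertion: it reads the NameID and the groups attribute from a constructed sample assertion and evaluates the mapping rules to list the roles a user would receive. It assumes the attribute and group names shown above; the real Elasticsearch engine also validates the signature and supports further rule types, which this does not model.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REALM = "cloud-saml"  # realm name from elasticsearch.yml above
# Constructed sample assertion: only the parts the realm reads, the NameID
# (attributes.principal: "nameid") and the "groups" attribute (attributes.groups).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Everyone</saml:AttributeValue>
      <saml:AttributeValue>OK_Kibana_Operators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# The two role mappings from the post (same rules, same roles).
OPERATOR_ROLES = ["kibana_dashboard_user", "kibana_user", "Kibana_Viewer",
                  "reporting_user", "machine_learning_user"]
ROLE_MAPPINGS = {
    "saml-kibana-operators": {"enabled": True, "roles": OPERATOR_ROLES, "rules": {"all": [
        {"field": {"realm.name": REALM}}, {"field": {"groups": "OK_Kibana_Operators"}}]}},
    "saml-kibana-admins": {"enabled": True, "roles": ["superuser"], "rules": {"all": [
        {"field": {"realm.name": REALM}}, {"field": {"groups": "OK_Kibana_Admins"}}]}},
}

def extract_user(assertion_xml, groups_attr="groups"):
    # Build the view role mapping sees: principal, realm name and group list.
    root = ET.fromstring(assertion_xml)
    nameid = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == groups_attr:  # must equal attributes.groups
            groups = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"username": nameid, "realm.name": REALM, "groups": groups}

def rule_matches(rule, user):
    # "all" combines sub-rules; a "field" rule matches any value of a list field.
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    (key, expected), = rule["field"].items()
    actual = user.get(key)
    return expected in actual if isinstance(actual, list) else actual == expected

def mapped_roles(user, mappings=ROLE_MAPPINGS):
    # Union of roles from every enabled mapping whose rules match the user.
    roles = set()
    for mapping in mappings.values():
        if mapping["enabled"] and rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)
```

Calling extract_user with a groups_attr that does not match the name Okta sends (the mismatch the step-4 note warns about) yields an empty group list, and the user then receives no roles at all.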

For SAML login, use:
https://KIBANA_ENDPOINT_URL/

For basic (username/password) login, use:
https://KIBANA_ENDPOINT_URL/login
