This is an older version of Search Guard.
Kibana Authentication Types
The Search Guard Kibana plugin offers several ways of authenticating users. Whichever method you choose, make sure it matches the authentication type configured in Search Guard on the Elasticsearch side.
There are two general authentication approaches:
HTTP Basic authentication
This is the default. If a user tries to access Kibana and has no active session, a login page is displayed. The credentials entered on this page are validated against Search Guard by sending them as an HTTP Basic Authentication header. Once authenticated, the credentials are stored in an encrypted cookie in the user's browser. Make sure you use TLS on the REST layer of Elasticsearch, and between the browser and Kibana, so the transmitted credentials cannot be sniffed.
Elasticsearch and Kibana configuration:
| Elasticsearch Configuration | Kibana Configuration |
|---|---|
| Internal user database | Basic Authentication |
| LDAP and Active Directory | Basic Authentication |
Single sign on authentication
In this mode, the user is authenticated by a third-party system, such as an identity provider that issues JSON Web Tokens, a Kerberos realm or an authenticating proxy. The Kibana plugin forwards any HTTP headers containing user credentials to Search Guard. As with Basic Authentication, Search Guard uses these credentials to assign roles and permissions.
Hint: The Basic Authentication login page and SSO authentication cannot be enabled at the same time.
Whitelisting HTTP headers
By default, Kibana does not pass any HTTP header other than Authorization to Elasticsearch. Any other header you try to transmit is silently discarded. For SSO to work, make sure that every HTTP header required by your configured authentication type is added to the elasticsearch.requestHeadersWhitelist configuration entry in kibana.yml.
Example:
elasticsearch.requestHeadersWhitelist: [ "Authorization", "x-forwarded-for", "x-forwarded-by", "x-proxy-user", "x-proxy-roles" ]
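A missing whitelist entry shows up as an unexplained login failure, because Kibana drops the header before Search Guard ever sees it. The following script is an added example, not code from the Search Guard plugin or from Kibana: it reads the elasticsearch.requestHeadersWhitelist entry from a kibana.yml (inline list or block list form) and reports which headers an SSO authentication type needs that Kibana would discard. The per-type table of required headers and the sample kibana.yml contents are assumptions constructed for this example; for a real proxy setup, use whatever user and roles header names your Search Guard proxy authenticator is configured with (x-proxy-user and x-proxy-roles in the example above).

```python
"""Check that kibana.yml whitelists the headers an SSO auth domain needs.

Added example, not part of Search Guard or Kibana. The REQUIRED table is an
assumption derived from the whitelist example on this page; the actual header
names come from your Search Guard authentication domain configuration.
"""

KEY = "elasticsearch.requestHeadersWhitelist"

# Assumed per-auth-type requirements, lower-cased because HTTP header names
# are case-insensitive. Adjust to the header names your domain actually uses.
REQUIRED = {
    "proxy": ["authorization", "x-forwarded-for", "x-proxy-user", "x-proxy-roles"],
    "jwt": ["authorization"],
    "kerberos": ["authorization"],
}


def _strip(line):
    """Drop a trailing YAML comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_whitelist(kibana_yml):
    """Return the lower-cased header names Kibana will forward to Elasticsearch.

    Supports the inline form `key: [ "a", "b" ]` and the block form `key:`
    followed by `- a` lines. When the key is absent, Kibana's default applies,
    which forwards only Authorization.
    """
    lines = [_strip(l) for l in kibana_yml.splitlines()]
    for i, line in enumerate(lines):
        if not line.startswith(KEY + ":"):
            continue
        value = line[len(KEY) + 1:].strip()
        if value:
            # Inline flow sequence: strip the brackets and split on commas.
            items = value.strip("[]").split(",")
        else:
            # Block sequence: collect "- item" lines until something else starts.
            items = []
            for nxt in lines[i + 1:]:
                if nxt.startswith("- "):
                    items.append(nxt[2:])
                elif nxt:
                    break
        return [h.strip().strip("\"'").lower() for h in items if h.strip()]
    return ["authorization"]


def missing_headers(kibana_yml, auth_type):
    """Headers the given auth type needs that this kibana.yml would drop."""
    allowed = set(parse_whitelist(kibana_yml))
    return [h for h in REQUIRED[auth_type] if h not in allowed]


# Constructed sample configurations (not taken from a real deployment).
KIBANA_YML_DEFAULT = """
server.port: 5601
# whitelist not set: Kibana forwards only Authorization
"""

KIBANA_YML_PROXY = """
elasticsearch.requestHeadersWhitelist: [ "Authorization", "x-forwarded-for", "x-forwarded-by", "x-proxy-user", "x-proxy-roles" ]
"""

KIBANA_YML_BLOCK = """
elasticsearch.requestHeadersWhitelist:
  - Authorization   # still needed for JWT and Kerberos tokens
  - X-Proxy-User    # roles header forgotten
"""

if __name__ == "__main__":
    samples = [("default", KIBANA_YML_DEFAULT), ("proxy", KIBANA_YML_PROXY), ("block", KIBANA_YML_BLOCK)]
    for name, cfg in samples:
        for auth_type in REQUIRED:
            print(f"{name:8} {auth_type:9} missing: {missing_headers(cfg, auth_type)}")
```

Run it against your own kibana.yml by passing the file contents to missing_headers with the auth type you configured in Search Guard; an empty list means Kibana will forward everything that type needs. The parser deliberately handles only the two layouts Kibana's documentation uses for this key; for anything more elaborate, load the file with a real YAML parser and pass the resulting list to the same comparison.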
Elasticsearch and Kibana configuration:
| Elasticsearch Configuration | Kibana Configuration |
|---|---|
| JSON web token | JWT Authentication |
| Proxy authentication | Proxy Authentication |
| Kerberos authentication | Kerberos Authentication |
Kibana server user authentication
Regardless of which authentication method you choose for your users, the internal Kibana server user always passes its credentials as a base64-encoded HTTP Basic Authentication header. You therefore need at least one Search Guard authentication domain on the Elasticsearch side that supports HTTP Basic authentication. Note that base64 is an encoding, not encryption, so the TLS connection between Kibana and Elasticsearch is what protects these credentials in transit.
This does not mean you need to enable Basic Authentication for regular users. The Kibana server user operates under the hood and is independent of user authentication.
About certificate based authentication
We do not yet provide support for certificate-based (two-way SSL) authentication against Kibana due to technical limitations of the Kibana architecture.