Release Date: 10.11.2020

New Features

Enabling Auth Domains only for certain IPs

The Search Guard auth domain configuration now supports the attribute enabled_only_for_ips. It takes a list of IPv4 or IPv6 addresses or netmasks. If such a list is specified, the auth domain only accepts authentication requests that originate from the listed addresses or networks.

This is useful, for example, if the only client using basic authentication is Kibana: you can then restrict the basic authentication domain to the IP addresses of Kibana.

Example:

        basic_internal_auth_domain:
          description: "Authenticate via HTTP Basic against internal users database"
          http_enabled: true
          enabled_only_for_ips:
          - '10.10.2.0/24'
          order: 4
          http_authenticator:
            type: basic
            challenge: true
          authentication_backend:
            type: intern
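As an added illustration (not Search Guard's own code), the following Python sketch shows the matching semantics this option implies: the client address is checked against each configured IPv4/IPv6 address or netmask, a domain without the attribute stays enabled for every client, and the remaining domains are tried in their configured order. The config dict, the second auth domain and the IPv6 network are constructed for the example.

```python
import ipaddress

# Constructed sample configuration: the auth domain from the release notes
# plus a hypothetical JWT domain and an IPv6 network, so that both address
# families and an unrestricted domain are covered.
AUTH_DOMAINS = {
    "basic_internal_auth_domain": {
        "http_enabled": True,
        "enabled_only_for_ips": ["10.10.2.0/24", "2001:db8:1::/64"],
        "order": 4,
    },
    "jwt_auth_domain": {
        "http_enabled": True,
        # No enabled_only_for_ips: this domain is enabled for any client address.
        "order": 5,
    },
}


def domain_enabled_for(domain: dict, client_ip: str) -> bool:
    """True if this auth domain may be used for a request from client_ip."""
    allowed = domain.get("enabled_only_for_ips")
    if not allowed:
        return True  # attribute absent or empty: no restriction
    ip = ipaddress.ip_address(client_ip)
    for entry in allowed:
        # strict=False accepts a netmask entry with host bits set (e.g. 10.10.2.5/24);
        # a bare address such as '10.10.2.5' becomes a /32 (or /128) network.
        net = ipaddress.ip_network(entry, strict=False)
        # ipaddress never reports an IPv4 address as contained in an IPv6
        # network or vice versa, so mixed-family lists are safe.
        if ip in net:
            return True
    return False


def candidate_domains(domains: dict, client_ip: str) -> list:
    """Names of the HTTP-enabled auth domains that would be tried for client_ip,
    sorted by their 'order' value (lowest first)."""
    enabled = [
        (cfg.get("order", 0), name)
        for name, cfg in domains.items()
        if cfg.get("http_enabled", False) and domain_enabled_for(cfg, client_ip)
    ]
    return [name for _, name in sorted(enabled)]


if __name__ == "__main__":
    for ip in ("10.10.2.17", "192.0.2.7", "2001:db8:1::42"):
        print(ip, "->", candidate_domains(AUTH_DOMAINS, ip))
```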

Improvements

Allowing Custom Headers

Previously, Search Guard filtered out all unknown thread context headers. This release adds the option searchguard.allow_custom_headers, which takes a list of regular expressions; custom headers matching one of them are whitelisted and passed through. This option has to be added to elasticsearch.yml.

Using more than one SAML auth domain

It is now possible to use several SAML authentication domains at once with Search Guard if you are using IdP-initiated SSO (i.e., you use the login form of your IdP and not the login form of Kibana).

The definition of such a configuration is straightforward: just specify several auth domains using the SAML authenticator. Search Guard then uses the saml:Issuer value from the SAML response to choose the correct auth domain for validating that response.

Bug Fixes

Authentication / Authorisation

  • Using auth domains for HTTP basic auth and for JWT auth at the same time would lead to bogus warning messages in the ES log. Fixed.