Authentication Methods
Search Guard supports multiple authentication methods to integrate with your existing security infrastructure. Choose the method that matches your environment and requirements.
Available Authentication Methods
Internal Users Database
Manage users directly within Search Guard using the internal user database.
- Internal Users Database - Built-in user management
Best for: Small deployments, development environments, or when no external authentication system exists.
Basic Authentication
Standard HTTP Basic Authentication with username and password.
- Basic Authentication - HTTP Basic Auth configuration
Best for: Simple deployments, testing, or when combined with the internal users database.
Active Directory / LDAP
Integrate with Active Directory or LDAP servers for centralized user management.
- Quick Start - Basic AD/LDAP configuration
- Advanced Configuration - Complex AD/LDAP setups, nested groups, multiple servers
Best for: Enterprise environments with existing Active Directory or LDAP infrastructure.
JSON Web Tokens (JWT)
Use JSON Web Tokens for stateless authentication, ideal for microservices and API authentication.
- Quick Start - Basic JWT configuration
- Advanced Configuration - Custom claims, key rotation, multiple issuers
Best for: Microservices architectures, single sign-on (SSO), API authentication, mobile applications.
Kerberos / SPNEGO
Integrate with Kerberos for single sign-on in Windows environments.
- Kerberos / SPNEGO - Kerberos configuration and setup
Best for: Windows-based environments with existing Kerberos infrastructure, enterprises requiring SSO.
Proxy Authentication
Delegate authentication to a reverse proxy or web server.
- Quick Start - Basic proxy authentication
- Advanced Configuration - Custom headers, trusted proxies
Best for: Environments with existing authentication proxies, complex SSO setups.
Client Certificate Authentication
Use X.509 client certificates for strong authentication.
- Client Certificate Authentication - Certificate-based authentication
Best for: Machine-to-machine communication, high-security requirements, internal tools.
Anonymous Authentication
Allow unauthenticated access to specific resources.
- Anonymous Authentication - Configure anonymous access
Best for: Public dashboards, read-only public data, landing pages.
Search Guard Auth Tokens
Generate temporary authentication tokens for programmatic access.
- Search Guard Auth Tokens - Token-based authentication
Best for: Temporary access, service accounts, automation scripts.
Choosing an Authentication Method
| Method | Use Case | Complexity | Security |
|---|---|---|---|
| Internal Users | Small deployments, dev/test | Low | Medium |
| Basic Auth | Simple setups, testing | Low | Medium |
| Active Directory/LDAP | Enterprise environments | Medium | High |
| JWT | Microservices, APIs | Medium | High |
| Kerberos | Windows environments | High | High |
| Proxy | Existing auth infrastructure | Medium | High |
| Client Certificates | M2M communication | Medium | Very High |
| Anonymous | Public access | Low | Low |
| Auth Tokens | Programmatic access | Low | Medium |
Combining Multiple Methods
Search Guard supports using multiple authentication methods simultaneously. For example:
- Basic Auth for administrators
- JWT for API access
- LDAP for regular users
See the General Configuration section for details on combining authentication methods.
Configuration
All authentication methods are configured in the sg_authc.yml file. See Introduction to sg_authc for configuration fundamentals.
Next Steps
- Choose an authentication method from the list above
- Follow the Quick Start guide for your chosen method
- Review the Advanced Configuration guide if you have complex requirements
- Configure Authorization to define what authenticated users can access