Using Kibana with OpenID Connect
Activate OpenID Connect by adding the following to
OpenID providers usually publish their configuration in JSON format under the metadata url. Therefore most settings can be pulled in automatically, so the Kibana configuration becomes minimal.
The most important settings are:
Metadata Connect URL
The metadata URL, sometimes also called connect URL or discovery URL, is the URL under which your IdP published its metadata. This URL varies from IdP to IdP. For example, Keycloak uses:
While Auth0 uses:
Please consult the documentation of your IdP for details.
Every IdP can host multiple clients (sometimes also called applications) with different settings and authentication protocols. When enabling OpenID, you usually create a new client for Kibana in your IdP. The client id uniquely identifies this client.
Besides the ID, each client also has a client secret assigned. This is usually generated when the client is created. It adds an extra layer of security: An application can only obtain an identity token when it provides the client secret. You should find this secret in the settings of the client on your IdP.
|searchguard.openid.connect_url||The URL where the IdP publishes the OpenID metadata. Mandatory.|
|searchguard.openid.client_id||The ID of the OpenID client configured in your IdP. Mandatory.|
|searchguard.openid.client_secret||The client secret of the OpenID client configured in your IdP. Mandatory.|
|searchguard.openid.scope||The scope of the identity token issued by the IdP. Option. Default: ‘openid profile email address phone’.|
|searchguard.openid.header||HTTP header name of the JWT token. Optional. Default: ‘Authorization’|
|searchguard.openid.base_redirect_url||The URL where the IdP redirects to after successful authentication. Optional. If not set, the
|searchguard.openid.logout_url||The logout URL of your IdP. Optional. Only necessary if your IdP does not publish the logout URL in its metadata.|
# Enable OpenID authentication searchguard.auth.type: "openid" # the IdP metadata endpoint searchguard.openid.connect_url: "http://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration" # the ID of the OpenID Connect client in your IdP searchguard.openid.client_id: "kibana-sso" # the client secret of the OpenID Connect client searchguard.openid.client_secret: "a59c51f5-f052-4740-a3b0-e14ba355b520" # optional: the scope of the identity token # default: 'openid profile email address phone' searchguard.openid.scope: "profile email" # optional: the HTTP header name of the JWT. Default: 'Authorization' searchguard.openid.header: "Authorization" # optional: the logout URL of your IdP # Only necessary if your IdP does not publish the logout url # in the metadata searchguard.openid.header: "Authorization" # Use HTTPS instead of HTTP elasticsearch.hosts: "https://<hostname>.com:<http port>" # Configure the Kibana internal server user elasticsearch.username: "kibanaserver" elasticsearch.password: "kibanaserver" # Disable SSL verification when using self-signed demo certificates elasticsearch.ssl.verificationMode: none # Whitelist basic headers and multi tenancy header elasticsearch.requestHeadersWhitelist: ["Authorization", "sgtenant"]
Since Kibana requires that the internal Kibana server user can authenticate via HTTP Basic Authentication, you need to configure two authentication domains. For OpenID Connect, the HTTP Basic domain has to be placed first in the chain. Make sure you set the challenge flag to
basic_internal_auth_domain: enabled: true order: 0 http_authenticator: type: basic challenge: false authentication_backend: type: internal openid_auth_domain: enabled: true order: 1 http_authenticator: type: openid challenge: false config: subject_key: preferred_username roles_key: roles openid_connect_url: https://keycloak.example.com:8080/auth/realms/master/.well-known/openid-configuration authentication_backend: type: noop
For a more detailed description of the Elasticsearch configuration please see Elasticsearch OpenID configuration.