SAML Authentication for Kibana

When you authentication for Kibana, you can

Authenticating through Amazon Cognito
Authenticating through the Fine-grained access control internal user database
SAML authentication for Kibana lets you use your existing identity provider to offer single sign-on (SSO) for Kibana on domains running Elasticsearch 6.7 or later. To use this feature, you must enable fine-grained access control.

SAML Authentication for Kibana - Active Directory as the identity provider

The Kibana login flow can take one of two forms:

Service provider (SP) initiated: You navigate to Kibana (for example, https:///_plugin/kibana), which redirects you to the login screen. After you log in, the identity provider redirects you to Kibana.
Identity provider (IdP) initiated: You navigate to your identity provider, log in, and choose Kibana from an application directory.

Amazon ES provides two single sign-on URLs, SP-initiated and IdP-initiated, you can choice any of them

Enabling SAML Authentication
- You domain->Actions->Modify authentication -> Check Enable SAML authentication.
- Note the service provider entity ID and the two SSO URLs, you only need one of the SSO URLs ```bash Service provider entity ID: https://

IdP-initiated SSO URL: https:///_plugin/kibana/_opendistro/_security/saml/acs/idpinitiated

SP-initiated SSO URL: https:///_plugin/kibana/_opendistro/_security/saml/acs ```

Configure the Active Directory
- Go to the ADFS Management console and select Relying Party Trusts
Right-click on it and select Add Relying Party Trust

Select Data Source step

Select the last option: Enter data about the relying party manually
Enter a Display name
Select AD FS profile
Leave the default values for Configure Certificate
Configure URL, select Enable support for the SAML 2.0 WebSSO protocol.

Enter the value of SP-initiated SSO URL on Kibana console
Add Relying party trust identifier

Enter the value of Service provider entity ID on Kibana console
Do not enable MFA
Next， Choose Permit all users to access this relying party
Next, Leave the default values
On the Final screen

Select Open the Edit Claim Rules dialog and use the Close button to exit.

Restart Active Directory Federation Service
Create Active Directory
- Group ESAdmin
- User esadminuser@tsp.example.com belong to ESAdmin
- Group ESRead
- Login user esreader@tsp.example.com belong to ESRead
After you configure your identity provider, it generates an IdP metadata file.

Export SAML Metadata Document from https://adfs.tsp.example.com/FederationMetadata/2007-06/FederationMetadata.xml

Import from XML file button to import IdP metadata file
Copy and paste the entityID property from your metadata file into the IDP entity ID
Provide a SAML master username (only that user receives full permissions) and/or a SAML master backend role (any user who belongs to the group receives full permissions).
Leave the Subject key field empty to use the NameID element of the SAML assertion for the username, you can check the SAML preview to get correct attribute name
Specify http://schemas.microsoft.com/ws/2008/06/identity/claims/role from the assertion in the Role key field, you can check the SAML preview to get correct attribute name
Choose Submit. The domain enters a processing state for approximately one minute and change to Active state

Access to kibana via https://es-domain/_plugin/kibana, the Active Directory SAML login window will shown up

After Kibana loads, choose Security and Roles. Map roles to allow other users to access Kibana with different permission

kibana-role-mapping