Created
May 10, 2022 17:29
aravindputrevu created this gist on May 10, 2022.
### How to configure Auth0 SSO with Elasticsearch

Elastic Cloud supports three types of SSO protocols:

1. SAML
2. OpenID
3. Kerberos

I'm using Auth0 as an identity provider here to configure SAML login with an Elastic Cloud deployment. The steps are as follows:

1. Make sure you create an application (Regular Web Application) with the SAML add-on enabled in the Auth0 console.

2. In the SAML settings of the application created in step 1, configure the callback URL and the JSON snippet below for the logout-specific information. The callback URL should be in this format: `<KIBANA_URL>/api/security/saml/callback`

   ```
   {
     "logout": {
       "callback": "<KIBANA_URL>/logout",
       "slo_enabled": true
     },
     "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   }
   ```

3. In the same application, go to Settings -> Advanced Settings -> SAML Metadata. Copy the URL for later, and also open the URL in the browser to download the SAML metadata XML.

4. Head over to the Elasticsearch configuration (elasticsearch.yml) or the Elasticsearch User settings (Elastic Cloud) and add the following snippet.

   ```
   xpack.security.authc.realms.saml.elastic-byte:
     order: 2
     attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" # any attribute you want users to log in with
     idp.metadata.path: "<SAML_APP_URL_FROM_AUTH0>" # SAML metadata XML URL you copied in step 3
     idp.entity_id: "<ENTITY_ID_FROM_APP_XML>" # open the downloaded XML to find the entityID
     sp.entity_id: "<KIBANA_URL>"
     sp.acs: "<KIBANA_URL>/api/security/saml/callback"
     sp.logout: "<KIBANA_URL>/logout"
   ```

5. Head over to the Kibana configuration (kibana.yml) or the Kibana User settings (Elastic Cloud) and add the following snippet.

   ```
   xpack.security.authc.providers:
     saml.elastic-byte:
       order: 0
       realm: elastic-byte # realm name as given in step 4
       description: "Log in with Auth0"
       icon: logoElasticsearch # you can substitute your organization's logo in SVG format
       hint: "Typical for Teams"
   ```

6. Map the external identity provider realm to the role you want its users to have.

   ```
   POST _security/role_mapping/elastic-byte
   {
     "enabled": true,
     "roles": [ "kibana_admin" ],
     "rules": {
       "field": { "realm.name": "elastic-byte" }
     },
     "metadata": { "version": 1 }
   }
   ```

   Note the `realm.name` value in the rule: it must match the realm name configured in step 4.

You can do more with SSO and many users, such as specific role mappings and access levels. Refer to the Elastic Cloud documentation for more: https://www.elastic.co/guide/en/cloud/current/ec-securing-clusters-SAML.html
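Steps 3 and 4 ask you to open the downloaded metadata XML, find the entityID and copy it into the realm settings by hand; the script below is an added example (not part of the gist, and not Elastic or Auth0 code) that parses an IdP metadata document, pulls out the entityID, SSO/SLO endpoints and signing certificate, and checks the Elasticsearch realm settings against it before you restart the cluster. The metadata document, the tenant name `example-tenant`, the `APPID` segment, the Kibana URL and the realm values are all constructed placeholders; with real input you would read the XML you downloaded and the values from your own `elasticsearch.yml`.

```python
"""Extract the IdP details from a SAML metadata XML and sanity-check an
Elasticsearch SAML realm configuration against them (added example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape Auth0 serves at the SAML metadata URL.
# Tenant, app id and certificate contents are placeholders, not real values.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="urn:example-tenant.auth0.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://example-tenant.auth0.com/samlp/APPID/logout"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://example-tenant.auth0.com/samlp/APPID/logout"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://example-tenant.auth0.com/samlp/APPID"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://example-tenant.auth0.com/samlp/APPID"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

# Constructed realm settings, mirroring the keys used in step 4 of the gist.
SAMPLE_REALM = {
    "order": 2,
    "attributes.principal": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "idp.metadata.path": "https://example-tenant.auth0.com/samlp/metadata/APPID",
    "idp.entity_id": "urn:example-tenant.auth0.com",
    "sp.entity_id": "https://kibana.example.com:9243",
    "sp.acs": "https://kibana.example.com:9243/api/security/saml/callback",
    "sp.logout": "https://kibana.example.com:9243/logout",
}


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, endpoints per binding, and the number of signing keys."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an IdP document)")

    def endpoints(tag: str) -> dict:
        return {e.get("Binding"): e.get("Location") for e in idp.findall("md:" + tag, NS)}

    # A KeyDescriptor with no "use" attribute is valid for both signing and encryption.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") in (None, "signing")]
    return {
        "entity_id": root.get("entityID"),
        "sso": endpoints("SingleSignOnService"),
        "slo": endpoints("SingleLogoutService"),
        "signing_keys": len(signing),
    }


def check_realm(realm: dict, idp: dict, kibana_url: str) -> list:
    """Return a list of problems; an empty list means the realm agrees with the metadata."""
    problems = []
    base = kibana_url.rstrip("/")
    # Angle brackets never appear in a valid URL or entityID, so they flag an unreplaced placeholder.
    for key, value in realm.items():
        if isinstance(value, str) and "<" in value:
            problems.append("%s: placeholder %s not replaced" % (key, value))
    if realm.get("idp.entity_id") != idp["entity_id"]:
        problems.append("idp.entity_id %r != metadata entityID %r"
                        % (realm.get("idp.entity_id"), idp["entity_id"]))
    # The SP endpoints must be the Kibana paths the gist registers with Auth0.
    expected = {"sp.acs": base + "/api/security/saml/callback", "sp.logout": base + "/logout"}
    for key, want in expected.items():
        if realm.get(key) != want:
            problems.append("%s should be %s" % (key, want))
    # Assertions and metadata travel over these URLs, so they must be https.
    for key in ("sp.acs", "sp.logout", "idp.metadata.path"):
        if urlparse(realm.get(key, "")).scheme != "https":
            problems.append("%s is not https: %s" % (key, realm.get(key)))
    if REDIRECT_BINDING not in idp["sso"]:
        problems.append("metadata lacks an HTTP-Redirect SingleSignOnService")
    if realm.get("sp.logout") and REDIRECT_BINDING not in idp["slo"]:
        problems.append("sp.logout is set but metadata lacks an HTTP-Redirect SingleLogoutService")
    if idp["signing_keys"] == 0:
        problems.append("metadata has no signing certificate; responses could not be verified")
    return problems


if __name__ == "__main__":
    idp_info = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:", idp_info["entity_id"])
    print("SSO endpoints:", idp_info["sso"])
    for problem in check_realm(SAMPLE_REALM, idp_info, "https://kibana.example.com:9243"):
        print("PROBLEM:", problem)
```

Run it against the XML you downloaded in step 3 and the realm block from step 4; a non-empty problem list means Elasticsearch will either reject the assertion (entityID or ACS mismatch) or you have left a placeholder in place, both of which show up only as a login failure after the cluster restart.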