Elastic Cloud Kibana Authentication with Auth0 ADFS Connection- Step by Step

Vaibhav Srivastava
5 min read · Aug 21, 2020


SSO, or Single Sign-On, has become one of the most desirable features in current times because of the transparent authentication it gives end users while still maintaining security. Federation becomes a key feature especially as the team size grows.

This article outlines an SSO implementation that connects a company's existing ADFS, already configured as an Auth0 connection, with Elastic Cloud.

  1. First, log in to your Auth0 account with administrator credentials and open the existing Auth0 application that uses the ADFS connection.
  2. Click on the Connections tab and verify that the ADFS connection is enabled in the Enterprise section (refer to the screenshot).

Before we start with the configuration, the following Auth0 values will be handy and are worth noting; all of them are available under Settings:

Domain: Your Auth0 tenant name. You choose this when you create a new Auth0 tenant, and it cannot be changed. If you need a different domain, you must register for a new tenant by selecting + Create Tenant in the top-right menu.

Client ID: The unique identifier for your application. You will use this when configuring authentication with Auth0. Generated by the system when you create a new application and cannot be modified.

Client Secret: A string used to sign and validate ID Tokens for authentication flows and to gain access to select Auth0 API endpoints. By default, the value is hidden, so check the Reveal Client Secret box to see it. While the Client ID is considered public information, the Client Secret must be kept confidential. If anyone can access your Client Secret, they can issue tokens and access resources they shouldn’t be able to access.

Now go to the Settings tab, where we'll set the callback URL, Allowed Logout URLs, Allowed Web Origins, and the secrets for your application.

The URL we add here is your Kibana endpoint, which you can copy from your Elastic Cloud deployment home.

Below is a sample of the changes that go in the Settings tab.

Configure the allowed Callback URLs and Secrets for your Application.

Save all the changes; this completes our setup on the Auth0 side.

Next, we start with the Elastic Cloud setup. There are two configuration files that need to be configured:
  1. elasticsearch.yml
  2. kibana.yml

Log in to Elastic Cloud and, under Elasticsearch Service, click on the desired deployment name.

Click on Edit Configuration.

Elasticsearch runs with your own user settings. User settings are appended to the elasticsearch.yml configuration file for your Elasticsearch cluster.

Data >> User Settings Override >> Elasticsearch.yml

Add the following snippet, replacing the masked values with your own configuration:

```yaml
xpack.security.authc.realms:
  oidc:
    oidc1:
      order: 2
      # Client ID of the Auth0 application (a plain string, not a list)
      rp.client_id: "<AUTH0_APPLICATION_CLIENT_ID>"
      rp.response_type: "code"
      # Kibana handles the OIDC redirect on this fixed path
      rp.redirect_uri: "<KIBANA_ENDPOINT_URL>/api/security/v1/oidc"
      # Auth0 issuer value includes the trailing slash
      op.issuer: "https://xxx.auth0.com/"
      op.authorization_endpoint: "https://xxx.auth0.com/authorize"
      op.token_endpoint: "https://xxx.auth0.com/oauth/token"
      op.userinfo_endpoint: "https://xxx.auth0.com/userinfo"
      op.jwkset_path: "https://xxx.auth0.com/.well-known/jwks.json"
      claims.principal: sub
```

Similarly, Kibana runs with your own user settings. User settings are appended to the kibana.yml configuration file for your Kibana instance.

Kibana >> User Settings Override>> Kibana.yml

```yaml
xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: oidc1
    description: "Log in with {company name}"
```

The description can be customized as per your requirement.

Up to this step we have only added the Auth0 Client ID. Adding the Client ID alone does not complete authentication: the realm also needs the Client Secret, which is what lets the token endpoint issue authorization tokens ONLY to authorized requestors, and this has not been configured anywhere yet. Let's do it now.

Under Security Configuration, locate the option Elasticsearch Keystore

Click on Add Settings. This opens a slide-out panel where you can add a setting name and a setting secret. Here the setting name would be

xpack.security.authc.realms.oidc.oidc1.rp.client_secret

and the secret will be your Auth0 Client Secret.

Once the changes are applied, you will notice a customized login window offering the SSO option when you access the Kibana URL.

When you log in, you will notice that you are not redirected to the Kibana home page. Although Elastic Cloud now knows that you are an authenticated user, it still does not know your authorization level. As a result, the page load will be stuck showing a blank page until you go back to the admin console and add a Role Mapping.

Let’s create Role Mapping now:

Click on “Create role mapping”, give it a meaningful name, and select predefined roles or custom roles you have created.

Continue by adding mapping rules: on this screen, click on the drop-down for the user field and select realm.name. The value for realm.name must be the same realm name we defined when adding the configuration to elasticsearch.yml (oidc1 in the example above).

Now that we have added the Role Mapping, go back and access the Kibana URL. This time, upon authentication, you will be taken to the Kibana dashboard and other pages.

Note: We can fine-tune Roles according to the team's requirement, e.g. some want to view only the APM dashboard while some are interested in the Kibana dashboard, etc.
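The three pieces configured above (the OIDC realm in elasticsearch.yml, the provider in kibana.yml, and the role mapping) have to agree with each other, and the article's two most common failure modes are a secret placed in the yml instead of the keystore and a role mapping that does not match the realm name. The following Python is an added example, not code from the article or from Elastic or Auth0: it builds all three pieces from a Kibana endpoint and an Auth0 tenant domain, produces the keystore setting name and a body for the `PUT /_security/role_mapping/<name>` API (the same mapping the UI creates), and cross-checks them. The endpoint, tenant domain and client ID used below are constructed placeholders.

```python
"""Build and cross-check the Elastic Cloud + Auth0 OIDC configuration pieces.

Added example (not from the article, Elastic or Auth0). All sample values are
constructed placeholders; substitute your own Kibana endpoint and Auth0 tenant.
"""
from urllib.parse import urlparse

# Fixed path on which Kibana receives the OIDC redirect (rp.redirect_uri in the article)
OIDC_CALLBACK_PATH = "/api/security/v1/oidc"


def build_realm_settings(kibana_endpoint, auth0_domain, client_id, order=2):
    """elasticsearch.yml settings for one OIDC realm, as a flat dict of keys.

    rp.client_secret is deliberately absent: it belongs in the Elasticsearch
    keystore (see keystore_secret_name), never in elasticsearch.yml.
    """
    base = "https://" + auth0_domain
    return {
        "order": order,
        "rp.client_id": client_id,
        "rp.response_type": "code",
        "rp.redirect_uri": kibana_endpoint.rstrip("/") + OIDC_CALLBACK_PATH,
        "op.issuer": base + "/",  # Auth0's 'iss' claim carries the trailing slash
        "op.authorization_endpoint": base + "/authorize",
        "op.token_endpoint": base + "/oauth/token",
        "op.userinfo_endpoint": base + "/userinfo",
        "op.jwkset_path": base + "/.well-known/jwks.json",
        "claims.principal": "sub",
    }


def keystore_secret_name(realm="oidc1"):
    """Name of the keystore entry that holds the Auth0 Client Secret."""
    return "xpack.security.authc.realms.oidc.%s.rp.client_secret" % realm


def build_kibana_provider(realm="oidc1", company="Example Corp"):
    """kibana.yml settings for the oidc.<realm> provider."""
    return {"order": 0, "realm": realm, "description": "Log in with %s" % company}


def build_role_mapping(roles, realm="oidc1"):
    """Body for PUT /_security/role_mapping/<name>: grant the roles to every
    user authenticated by the named realm (the realm.name rule from the UI)."""
    return {"roles": list(roles), "enabled": True,
            "rules": {"field": {"realm.name": realm}}}


def check_setup(realm_settings, kibana_provider, role_mapping, realm="oidc1"):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    if "rp.client_secret" in realm_settings:
        problems.append("client secret must go in the Elasticsearch keystore, not elasticsearch.yml")
    if not realm_settings.get("rp.redirect_uri", "").endswith(OIDC_CALLBACK_PATH):
        problems.append("rp.redirect_uri must end with " + OIDC_CALLBACK_PATH)
    issuer = realm_settings.get("op.issuer", "")
    if not issuer.endswith("/"):
        problems.append("op.issuer must equal the ID token 'iss' claim, which for Auth0 ends with '/'")
    for key in ("op.authorization_endpoint", "op.token_endpoint",
                "op.userinfo_endpoint", "op.jwkset_path"):
        url = urlparse(realm_settings.get(key, ""))
        if url.scheme != "https" or url.netloc != urlparse(issuer).netloc:
            problems.append(key + " must be an https URL on the issuer host")
    if kibana_provider.get("realm") != realm:
        problems.append("kibana.yml provider 'realm' must name the elasticsearch.yml realm")
    if role_mapping.get("rules", {}).get("field", {}).get("realm.name") != realm:
        problems.append("role mapping rule realm.name must match the realm name")
    if not role_mapping.get("roles"):
        problems.append("role mapping grants no roles; users would authenticate and see a blank page")
    return problems


if __name__ == "__main__":
    # Constructed placeholders, not a real deployment or tenant
    realm = build_realm_settings("https://kibana.example.com:9243/",
                                 "example-tenant.auth0.com", "CLIENT_ID_PLACEHOLDER")
    print("keystore entry:", keystore_secret_name())
    print("problems:", check_setup(realm, build_kibana_provider(),
                                   build_role_mapping(["kibana_admin"])))
    # Same realm with the secret pasted into the yml and the issuer slash dropped
    broken = dict(realm, **{"rp.client_secret": "SECRET_PLACEHOLDER",
                            "op.issuer": "https://example-tenant.auth0.com"})
    for p in check_setup(broken, build_kibana_provider(realm="oidc2"), build_role_mapping([])):
        print("problem:", p)
```

Run it as-is to see the clean configuration pass and the deliberately broken variant report four problems. The issuer check matters because Elasticsearch compares `op.issuer` byte for byte with the `iss` claim in the ID token, so dropping Auth0's trailing slash fails every login even though the endpoints are otherwise correct.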

I hope this documentation was helpful!

Let me know if you think the article can be improved in any way; I will be glad to update it.

