@aravindputrevu
Created May 10, 2022 17:29
How to configure Auth0 SSO with Elasticsearch

Elastic Cloud supports three SSO protocols:

  1. SAML
  2. OpenID Connect
  3. Kerberos

I'm using Auth0 as the identity provider here to configure SAML login with an Elastic Cloud deployment.

The steps are as follows:

  1. Create an application (Regular Web Application) in the Auth0 console and enable the SAML add-on (SAML2 Web App) on it.
  2. In the SAML settings of the application created in Step 1, configure the callback URL and add the JSON snippet below for the logout settings.

The callback URL must be in this format: <KIBANA_URL>/api/security/saml/callback. This is the Assertion Consumer Service endpoint that the Elasticsearch realm advertises as sp.acs, so the two must match exactly (scheme, host, port and path); a SAML response addressed to any other URL is rejected.


{
  "logout": {
    "callback": "<KIBANA_URL>/logout",
    "slo_enabled": true
  },
  "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
}

  3. In the same application go to Settings -> Advanced Settings -> SAML Metadata. Copy the metadata URL for later, and also open it in the browser to download the metadata XML.

  4. Add the following snippet to the Elasticsearch configuration (elasticsearch.yml) or, on Elastic Cloud, to the Elasticsearch user settings of the deployment.

xpack.security.authc.realms.saml.elastic-byte:
  order: 2
  attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" # the SAML attribute whose value becomes the Elasticsearch username; any attribute the IdP sends can be used, Auth0 sends the email address under this claim name
  idp.metadata.path: "<SAML_APP_URL_FROM_AUTH0>" # the SAML metadata XML URL you copied in Step 3
  idp.entity_id: "<ENTITY_ID_FROM_APP_XML>" # the entityID attribute of the EntityDescriptor in the downloaded XML; must match exactly
  sp.entity_id: "<KIBANA_URL>"
  sp.acs: "<KIBANA_URL>/api/security/saml/callback"
  sp.logout: "<KIBANA_URL>/logout"

  5. Add the following snippet to the Kibana configuration (kibana.yml) or, on Elastic Cloud, to the Kibana user settings. Once xpack.security.authc.providers is set, only the providers listed there are enabled: if the built-in elastic user or other native users should still be able to log in, also list a basic provider (for example basic.basic1 with a higher order) next to the SAML provider, otherwise you can lock yourself out of Kibana if the SAML setup is wrong.
xpack.security.authc.providers:
  saml.elastic-byte:
    order: 0
    realm: elastic-byte # the realm name given in Step 4
    description: "Log in with Auth0"
    icon: logoElasticsearch # you can substitute your organization's logo in SVG format
    hint: "Typical for Teams"

  6. Map the realm to the role you want its users to have. The realm.name value in the rule must be the realm name from Step 4.

POST _security/role_mapping/elastic-byte
{
  "enabled": true,
  "roles": [ "kibana_admin" ],
  "rules": {
    "field": { "realm.name": "elastic-byte" }
  },
  "metadata": { "version": 1 }
}
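As an added example (not code from the gist, nor from Elastic or Auth0), the Python below does the manual parts of Steps 2 to 4 programmatically: it parses the IdP metadata XML downloaded in Step 3 to pull out the entityID, the HTTP-Redirect SSO and SLO endpoints and the signing certificate, renders the Step 4 realm block from them, and checks the Auth0-side callback URL and logout JSON from Step 2 against the sp.acs and sp.logout values the realm will use. The embedded metadata is a constructed sample in the shape Auth0 emits; the tenant name, APP_ID, the Kibana URL and the certificate text are placeholders, and the function names are assumptions of this example.

```python
"""Parse the IdP metadata XML from Step 3, render the Step 4 SAML realm and
cross-check the SP URLs against what Step 2 registered in the Auth0 add-on."""
import json
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Claim name under which Auth0 sends the email address (the gist's attributes.principal).
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample shaped like an Auth0 tenant's IdP metadata; the tenant,
# APP_ID and certificate text are placeholders, not real values.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example-tenant.us.auth0.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>BASE64-CERT-PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.us.auth0.com/samlp/APP_ID/logout"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.us.auth0.com/samlp/APP_ID"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return entityID, HTTP-Redirect SSO/SLO endpoints and signing certificates."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # SP metadata (e.g. Kibana's own) carries an SPSSODescriptor instead
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def redirect_endpoint(tag):
        # Elasticsearch sends AuthnRequests and logout messages over HTTP-Redirect,
        # so only that binding's Location is useful to the realm.
        for svc in idp.findall("md:" + tag, NS):
            if svc.get("Binding") == HTTP_REDIRECT:
                return svc.get("Location")
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys cannot verify assertion signatures
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join(cert.text.split()))
    if not certs:
        raise ValueError("metadata carries no signing certificate")
    return {"entity_id": root.get("entityID"),
            "sso_url": redirect_endpoint("SingleSignOnService"),
            "slo_url": redirect_endpoint("SingleLogoutService"),
            "signing_certs": certs}


def render_realm(realm, order, metadata_url, idp, kibana_url, principal=EMAIL_CLAIM):
    """Render the Step 4 realm block for elasticsearch.yml / Cloud user settings."""
    kibana_url = kibana_url.rstrip("/")
    return "\n".join([
        "xpack.security.authc.realms.saml.%s:" % realm,
        "  order: %d" % order,
        '  attributes.principal: "%s"' % principal,
        '  idp.metadata.path: "%s"' % metadata_url,
        '  idp.entity_id: "%s"' % idp["entity_id"],
        '  sp.entity_id: "%s"' % kibana_url,
        '  sp.acs: "%s/api/security/saml/callback"' % kibana_url,
        '  sp.logout: "%s/logout"' % kibana_url,
    ]) + "\n"


def check_auth0_side(callback_url, saml_settings_json, kibana_url):
    """List mismatches between the Step 2 Auth0 settings and the realm's SP URLs."""
    kibana_url = kibana_url.rstrip("/")
    settings = json.loads(saml_settings_json)
    logout = settings.get("logout", {})
    problems = []
    if callback_url != kibana_url + "/api/security/saml/callback":
        problems.append("Auth0 callback URL does not equal sp.acs")
    if logout.get("callback") != kibana_url + "/logout":
        problems.append("Auth0 logout callback does not equal sp.logout")
    if logout.get("slo_enabled") is not True:
        problems.append("slo_enabled is not true: single logout is disabled on the Auth0 side")
    if settings.get("binding") != HTTP_REDIRECT:
        problems.append("binding is not HTTP-Redirect, which the realm's sp.logout endpoint expects")
    return problems


if __name__ == "__main__":
    print(render_realm("elastic-byte", 2, "<SAML_APP_URL_FROM_AUTH0>",
                       parse_idp_metadata(SAMPLE_METADATA), "https://kibana.example.com"))
```

Refusing SP metadata and metadata without a signing certificate catches two common copy mistakes (pasting Kibana's own SP metadata URL, or a stub with no key) before Elasticsearch is restarted. Run check_auth0_side with the exact strings saved in the Auth0 console: a trailing slash or an http/https difference in the callback is enough for the login to fail, and a mismatched logout callback means Kibana logout silently leaves the Auth0 session alive.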

This mapping grants kibana_admin to every user who authenticates through the realm. With more users you will want finer-grained mappings: combine the realm.name rule with rules on attributes the IdP sends (for example groups, which also require attributes.groups to be set on the realm) so that different users get different roles and access levels.

Refer to the Elastic Cloud documentation for more: https://www.elastic.co/guide/en/cloud/current/ec-securing-clusters-SAML.html
