@mrnonz
Forked from m1keil/README.md
Last active May 19, 2021 09:47
Configure Kibana to use SAML with GSuite (Google Apps, GApps, G Suite)

The following worked with Elastic Cloud, Elasticsearch & Kibana v7.6.0. It should be pretty close for other kinds of deployments. Before starting, make sure you have the right license level that allows SAML.

Create SAML App in GSuite:

  • Navigate to the SAML apps section of the admin console

  • Click the Add button and choose to "SETUP MY OWN CUSTOM APP"

  • Write down the Entity ID and download the IdP metadata file

  • Choose application name, description and add logo

  • In the "Service Provider Details" screen add the following:

    • ACS URL: https://<kibana url>/api/security/v1/saml
    • Entity ID: https://<kibana url>/
    • Start URL: https://<kibana url>/
    • Name ID: Basic Information | Primary Email
    • Name ID Format: Email
  • Skip attribute mapping and click "Finished"

  • Enable SAML app to be in "On for everyone" status

Create and upload the metadata bundle (deployments that use the same GSuite account can share this plugin):

  • Rename the metadata file to metadata.xml

  • Place the file in folder named saml

  • Compress the folder structure into a zip file.

  • Navigate to the custom plugins section under your Elastic account

  • Add a new plugin:

    • Plugin name: <whatever you like, e.g. gsuite-saml>
    • Version: *
    • Description: <whatever you like>
  • Upload the zip file created above

Configure Kibana's role mapping

  • In Kibana navigate to: Management -> Security -> Role mappings

  • Create a new role mapping:

    • Roles: Whatever roles you need
    • Add the following mapping rule:
      • User field: realm.name
      • Type: text
      • Value: <realm name from elasticsearch.yml, e.g. gsuite>

Configure Elasticsearch and Kibana

  • Under the Elasticsearch deployment configuration, go to the Edit screen
  • Enable the gsuite-saml plugin under "Elasticsearch plugins and settings"
  • Paste the content of elasticsearch.yml into "User setting overrides" in the Elasticsearch section
  • Paste the content of kibana.yml into "User setting overrides" in the Kibana section
  • Click Save and wait for the re-deployment to finish successfully

If everything went smoothly, you should be able to point your browser at Kibana and get authenticated with your Google account.

Reference

elasticsearch.yml:

```yaml
# make sure to adjust values accordingly before pasting.
# the "gsuite" key is arbitrary. you can choose whatever name you like.
# you'll need to use it in kibana.yml as the value for "xpack.security.authc.saml.realm"
# and in the role mapping rules
xpack.security.authc.realms.saml.gsuite:
  order: 2
  attributes.principal: "nameid"
  attributes.groups: "groups"
  idp.metadata.path: "/app/config/saml/metadata.xml"
  idp.entity_id: "https://accounts.google.com/o/saml2?idpid=XXXXXXXXX"  # Entity ID from step 1
  sp.entity_id: "https://<kibana url>/"
  sp.acs: "https://<kibana url>/api/security/v1/saml"
  sp.logout: "https://<kibana url>/logout"
```

kibana.yml:

```yaml
# this enables both saml and basic (built in) auth.
# to use basic auth while saml is on, use https://<kibana url>:9243/login
# you might need to clear cache/cookies or use incognito
xpack.security.authc.providers: [saml,basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.authc.saml.realm: gsuite
```
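As an added example that is not part of the gist, the following Python builds the saml/metadata.xml zip bundle described in the plugin steps above and cross-checks it against the realm settings from elasticsearch.yml (entity ID match, metadata path, presence of an IdP signing certificate). The metadata document and the realm values are constructed stand-ins, not real GSuite output.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed stand-in for the IdP metadata downloaded from the GSuite admin console.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed realm settings, same keys as the elasticsearch.yml snippet on this page.
SAMPLE_REALM = {"idp.metadata.path": "/app/config/saml/metadata.xml",
               "idp.entity_id": "https://accounts.google.com/o/saml2?idpid=EXAMPLEID"}

def build_bundle(metadata_xml: bytes) -> bytes:
    """Zip the metadata as saml/metadata.xml, the layout the custom plugin upload expects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("saml/metadata.xml", metadata_xml)
    return buf.getvalue()

def check_bundle(bundle: bytes, realm: dict) -> list:
    """Return a list of problems; an empty list means bundle and realm settings agree."""
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        if "saml/metadata.xml" not in zf.namelist():
            return ["zip does not contain saml/metadata.xml"]
        root = ET.fromstring(zf.read("saml/metadata.xml"))
    problems = []
    # An entityID mismatch makes Elasticsearch reject every response from this IdP.
    if root.get("entityID") != realm.get("idp.entity_id"):
        problems.append(f"idp.entity_id {realm.get('idp.entity_id')!r} does not match "
                        f"metadata entityID {root.get('entityID')!r}")
    if not realm.get("idp.metadata.path", "").endswith("/saml/metadata.xml"):
        problems.append("idp.metadata.path should point at the plugin's saml/metadata.xml")
    # Signed responses can only be verified if the IdP published a signing certificate.
    cert = root.find(f"{MD}IDPSSODescriptor/{MD}KeyDescriptor/{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    if cert is None or not (cert.text or "").strip():
        problems.append("metadata has no IdP signing certificate")
    return problems
```

Run check_bundle on the zip you are about to upload together with the realm block you are about to paste; an empty list means the two agree on the points Elasticsearch will otherwise fail on at login time.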