Create SAML provider profiles

edit

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

You can connect Elastic Cloud Enterprise to a Security Assertion Markup Language (SAML) authentication provider. These sessions integrate an interactive web browser into the logon process, instead of a server. Due to this, SAML profiles should not be used for standard API clients. The security deployment acts as the service provider and the identity provider is the SAML authentication service.

There are several sections to the profile:

Begin the provider profile by adding the general settings:

  1. Log into the Cloud UI.
  2. Go to Users and then Authentication providers.
  3. From the Add provider drop-down menu, select SAML.
  4. Provide a unique profile name. This name becomes the realm ID, with any spaces replaced by hyphens.

    The name can be changed, but the realm ID cannot. The realm ID becomes part of the certificate bundle.

  5. Enter the Assertion Consumer Service URL endpoint within Elastic Cloud Enterprise that receives the SAML assertion.

    Example: https://HOSTNAME_OR_IP_ADDRESS:12443/api/security/v1/saml

  6. Enter the URL that receives logout messages from the authentication provider.

    Example: https://HOSTNAME_OR_IP_ADDRESS:124443/api/v1/users/auth/_logout

  7. Enter the URIs for the SAML Identity provider entity ID for the and the Service provider entity ID that represents Elastic Cloud Enterprise.

    Example: urn:example:idp and http://SECURITY-DEPLOYMENT-IP:12443

  8. Specify the path to the metadata file, must be HTTPS.

    Example: https://HOSTNAME_OR_IP_ADDRESS:7000/metadata

Add SAML attributes

edit

The SAML assertion about a user usually includes attribute names and values that can be used for role mapping. The principal attribute is required and the groups attribute is recommended for a minimum configuration.

If configured, you can use the groups, username, and dn attributes for role mapping. Check with your identity provider to see what attributes are available for your implementation that are also supported by Elasticsearch.

Create role mappings

edit

When a user match is found, the role mapping assigns them privileges.

To assign all matched users a single role, select one of the Default roles.

To assign roles according to the user attributes, use the Add role mapping rule fields.

Custom configuration

edit

You can add any additional settings to the Advanced configuration YAML file. For example, if you need to ignore the SSL check in a testing environment, you might add ssl.verification_mode: none.

You can also enable some other options:

  • Use single logout (SLO) makes sure that when a user is logged out, they are logged out of all of their other sessions at the same time.
  • Enable force authentication means that the identity provider must reauthenticate the user for each new session, even if there is an existing session that’s already been authenticated.

Prepare SAML SSL certificates

edit

Though optional, you can add a trusted SSL certificate for loading metadata over HTTPs.

  1. Expand the Advanced settings.
  2. Provide the SSL certificate URL to the ZIP file with the private key and certificate.

    The bundle should be a ZIP file containing a single keystore.ks file in the directory /saml/:id/truststore, where :id is the value of the Realm ID field created in the General settings.

  3. Select an SSL certificate bundle type.
  4. If the ZIP file is encrypted, add the password to access the certificate bundle.

Configure SAML outgoing certificates

edit

Signing the outgoing messages provides assurance that the messages are coming from the expected service.

  1. Provide the Signing certificate URL to the ZIP file with the private key and certificate.
  2. If the ZIP file is encrypted, add the password to access the certificate bundle.
  3. Select which types of messages get signed.

Encrypt incoming SAML content

edit

If your environment requires encrypted communications, Elastic Cloud Enterprise can publish an encryption certificate when generating metadata and tries to decrypt incoming SAML content.

  1. Provide the Encryption certificate URL to the ZIP file with the private key and certificate.
  2. If the ZIP file is encrypted, add the password to access the certificate bundle.