It is time to say goodbye: This version of Elastic Cloud Enterprise has reached end-of-life (EOL) and is no longer supported.
The documentation for this version is no longer being maintained. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Create SAML provider profiles
This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.
You can connect Elastic Cloud Enterprise to a Security Assertion Markup Language (SAML) authentication provider. SAML sessions rely on an interactive web browser during the logon process rather than a server-to-server exchange, so SAML profiles should not be used for standard API clients. The security deployment acts as the service provider, and the identity provider is the SAML authentication service.
There are several sections to the profile:
- Specify the general SAML settings.
- Add the assertion attributes.
- Create role mappings, either assigning a role to all users that match the profile or assigning roles based on specific attributes.
- Add any custom configuration advanced settings to the YAML file.
- Optional: Prepare the trusted SSL certificate bundle.
- Sign the outgoing SAML messages.
- Encrypt SAML messages.
Begin the provider profile by adding the general settings:
- Log into the Cloud UI.
- Go to Users and then Authentication providers.
- From the Add provider drop-down menu, select SAML.
- Provide a unique profile name. This name becomes the realm ID, with any spaces replaced by hyphens. The name can be changed later, but the realm ID cannot. The realm ID also becomes part of the certificate bundle path.
- Enter the Assertion Consumer Service URL, the endpoint within Elastic Cloud Enterprise that receives the SAML assertion. Example: https://HOSTNAME_OR_IP_ADDRESS:12443/api/security/v1/saml
- Enter the URL that receives logout messages from the authentication provider. Example: https://HOSTNAME_OR_IP_ADDRESS:124443/api/v1/users/auth/_logout
- Enter the URIs for the SAML Identity provider entity ID and for the Service provider entity ID that represents Elastic Cloud Enterprise. Example: urn:example:idp and http://SECURITY-DEPLOYMENT-IP:12443
- Specify the path to the metadata file. The URL must use HTTPS. Example: https://HOSTNAME_OR_IP_ADDRESS:7000/metadata
Add SAML attributes
The SAML assertion about a user usually includes attribute names and values that can be used for role mapping. The principal attribute is required, and the groups attribute is recommended for a minimum configuration.
If configured, you can use the groups, username, and dn attributes for role mapping. Check with your identity provider to see which attributes are available for your implementation and are also supported by Elasticsearch.
Create role mappings
When a user match is found, the role mapping assigns them privileges.
To assign all matched users a single role, select one of the Default roles.
To assign roles according to the user attributes, use the Add role mapping rule fields.
Custom configuration
You can add any additional settings to the Advanced configuration YAML file. For example, if you need to ignore the SSL check in a testing environment, you might add ssl.verification_mode: none.
You can also enable some other options:
- Use single logout (SLO) makes sure that when a user is logged out, they are logged out of all of their other sessions at the same time.
- Enable force authentication means that the identity provider must reauthenticate the user for each new session, even if there is an existing session that’s already been authenticated.
Prepare SAML SSL certificates
Though optional, you can add a trusted SSL certificate for loading metadata over HTTPS.
- Expand the Advanced settings.
- Provide the SSL certificate URL to the ZIP file with the private key and certificate. The bundle should be a ZIP file containing a single keystore.ks file in the directory /saml/:id/truststore, where :id is the value of the Realm ID field created in the General settings.
- Select an SSL certificate bundle type.
- If the ZIP file is encrypted, add the password to access the certificate bundle.
Configure SAML outgoing certificates
Signing the outgoing messages provides assurance that the messages are coming from the expected service.
- Provide the Signing certificate URL to the ZIP file with the private key and certificate.
- If the ZIP file is encrypted, add the password to access the certificate bundle.
- Select which types of messages get signed.
Encrypt incoming SAML content
If your environment requires encrypted communications, Elastic Cloud Enterprise can publish an encryption certificate when generating metadata and will attempt to decrypt incoming SAML content.
- Provide the Encryption certificate URL to the ZIP file with the private key and certificate.
- If the ZIP file is encrypted, add the password to access the certificate bundle.