Configuring Kibana
OpenID Connect authentication in Kibana requires a small number of settings in addition to the standard Kibana security configuration. The Kibana security documentation provides details on the available configuration options that you can apply.
In particular, since your Elasticsearch nodes have been configured to use TLS on the HTTP interface, you must configure Kibana to use an https URL to connect to Elasticsearch, and you may need to configure elasticsearch.ssl.certificateAuthorities to trust the certificates that Elasticsearch has been configured to use.
OpenID Connect authentication in Kibana is subject to the following timeout settings in kibana.yml:
You may want to adjust these timeouts based on your security requirements.
The three additional settings that are required for OpenID Connect support are shown below:
    xpack.security.authc.providers:
      oidc.oidc1:
        order: 0
        realm: "oidc1"
The configuration values used in the example above are:
- xpack.security.authc.providers
  Add the oidc provider to instruct Kibana to use OpenID Connect single sign-on as the authentication method. This instructs Kibana to attempt to initiate an SSO flow every time a user attempts to access a URL in Kibana, if the user is not already authenticated. If you also want to allow users to log in with a username and password, you must enable the basic authentication provider too. For example:

    xpack.security.authc.providers:
      oidc.oidc1:
        order: 0
        realm: "oidc1"
      basic.basic1:
        order: 1

  This will allow users that haven't already authenticated with OpenID Connect to log in using the Kibana login form.
- xpack.security.authc.providers.oidc.<provider-name>.realm
  The name of the OpenID Connect realm in Elasticsearch that should handle authentication for this Kibana instance.
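
An added example, not part of the Kibana documentation: a small Python check that audits an already parsed kibana.yml against the settings described on this page. It assumes flat dotted top-level keys as in the examples above; the function name, host names and file paths are constructed for illustration.

```python
# Added example: audit a parsed kibana.yml for the OIDC settings on this page.
# Assumption: flat dotted top-level keys, as in the page's examples.

def audit_kibana_oidc(cfg):
    """Return (severity, message) findings for a parsed kibana.yml dict."""
    findings = []
    # Elasticsearch serves TLS on HTTP, so every host must be an https URL.
    # Kibana's default when the key is absent is http://localhost:9200.
    hosts = cfg.get("elasticsearch.hosts", "http://localhost:9200")
    for host in [hosts] if isinstance(hosts, str) else hosts:
        if not host.lower().startswith("https://"):
            findings.append(("error", f"elasticsearch.hosts: {host!r} is not an https URL"))
    if not cfg.get("elasticsearch.ssl.certificateAuthorities"):
        findings.append(("note", "no elasticsearch.ssl.certificateAuthorities: "
                         "Elasticsearch's certificate must chain to an already trusted CA"))
    # Provider keys look like "<type>.<name>", e.g. "oidc.oidc1".
    by_type = {}
    for key, settings in (cfg.get("xpack.security.authc.providers") or {}).items():
        ptype, _, name = key.partition(".")
        by_type.setdefault(ptype, []).append((name, settings or {}))
    if "oidc" not in by_type:
        findings.append(("error", "no oidc provider: Kibana will not initiate an SSO flow"))
    for name, settings in by_type.get("oidc", []):
        if not settings.get("realm"):
            findings.append(("error", f"oidc.{name}: realm is missing"))
    if "oidc" in by_type and "basic" not in by_type:
        findings.append(("note", "no basic provider: username and password login is disabled"))
    return findings

# Constructed sample configurations (host names and paths are placeholders).
WEAK = {
    "elasticsearch.hosts": "http://es01.example.internal:9200",
    "xpack.security.authc.providers": {"oidc.oidc1": {"order": 0}},
}
GOOD = {
    "elasticsearch.hosts": ["https://es01.example.internal:9200"],
    "elasticsearch.ssl.certificateAuthorities": ["/etc/kibana/certs/ca.crt"],
    "xpack.security.authc.providers": {
        "oidc.oidc1": {"order": 0, "realm": "oidc1"},
        "basic.basic1": {"order": 1},
    },
}

if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(label, audit_kibana_oidc(cfg) or "no findings")
```

Findings marked "note" are not misconfigurations by themselves: the page says the certificate authority setting may be needed, and the basic provider is only required if password login is wanted.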