Configuring Kibana

edit

OpenID Connect authentication in Kibana requires a small number of additional settings in addition to the standard Kibana security configuration. The Kibana security documentation provides details on the available configuration options that you can apply.

In particular, since your Elasticsearch nodes have been configured to use TLS on the HTTP interface, you must configure Kibana to use a https URL to connect to Elasticsearch, and you may need to configure elasticsearch.ssl.certificateAuthorities to trust the certificates that Elasticsearch has been configured to use.

OpenID Connect authentication in Kibana is subject to the following timeout settings in kibana.yml:

You may want to adjust these timeouts based on your security requirements.

The three additional settings that are required for OpenID Connect support are shown below:

xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: "oidc1"

The configuration values used in the example above are:

xpack.security.authc.providers
Add oidc provider to instruct Kibana to use OpenID Connect single sign-on as the authentication method. This instructs Kibana to attempt to initiate an SSO flow everytime a user attempts to access a URL in Kibana, if the user is not already authenticated. If you also want to allow users to login with a username and password, you must enable the basic authentication provider too. For example:
xpack.security.authc.providers:
  oidc.oidc1:
    order: 0
    realm: "oidc1"
  basic.basic1:
    order: 1

This will allow users that haven’t already authenticated with OpenID Connect to log in using the Kibana login form.

xpack.security.authc.providers.oidc.<provider-name>.realm
The name of the OpenID Connect realm in Elasticsearch that should handle authentication for this Kibana instance.