-
Notifications
You must be signed in to change notification settings - Fork 24.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support SAML authentication for applications multiple URLs (hostname aliases) #75557
Comments
Pinging @elastic/es-security (Team:Security) |
CC: @elastic/kibana-security |
If I'm not missing anything, we can also try to handle this purely in Kibana (assuming only supporting Kibana is enough). For example, we can introduce a new optional xpack.security.authc.providers:
basic.global-basic:
order: 0
saml.corp-saml:
order: 1
realm: main-saml
host: "corp.com"
saml.cname-corp-saml:
order: 2
realm: cname-saml-cname
host: "cname-corp.com"
We'll still need to think what to do when Kibana is configured with a specific |
I like this approach. It would double as a feature that some customers have asked for (to reduce confusion for their users who don't know what provider to pick). I opened an issue for it in elastic/kibana#109525 if you want to add anything to it. |
Note: I will write about "Kibana" because that is our primary SAML application, however everything written below applies to other applications as well.
Currently each SAML realm supports a single ACS with a single hostname. If Kibana is available on multiple URLs (most often multiple DNS entries pointing to the same hosts) then it is not currently possible to configure a single SAML realm that can service both of those URLs.
It is possible to configure multiple SAML realms, but then the issue is that we don't have a good process to select which realm to use to authenticate - We can list 2 realms on the Kibana login selector, but the explanatory text would need to try and explain "Use this option if your browser address bar says xyz.host" which is clearly not reasonable.
One option (though there are others would be)
That option would assume that the IdP allows multiple ACS URLs for the same entity id.
We could support different EntityIDs per alternate host, if we think that is needed, for example:
An alternative option would be to force Kibana to redirect to a canonical URL as part of the SAML flow. One way to do that would be for the SAML prepare authc API to return a "hostname" (taken from the ACS URL) and if Kibana is not using that hostname, then it redirects to that host before setting the SAML cookie and bouncing the user to the IdP.
The text was updated successfully, but these errors were encountered: