Add Single Sign-On (SSO) to Open Distro for Elasticsearch Kibana using SAML and Okta
Open Distro for Elasticsearch Security implements the web browser single sign-on (SSO) profile of the SAML 2.0 protocol. This enables you to configure federated access with any SAML 2.0 compliant identity provider (IdP). In a prior post, I discussed setting up SAML-based SSO using Microsoft Active Directory Federation Services (ADFS). In this post, I’ll cover the Okta-specific configuration.
- Install and configure Open Distro for Elasticsearch
- Install and configure Kibana. Make a note of your Kibana server’s Fully Qualified Domain Name (FQDN) as kibana_base_url and kibana_port ( default is 5601).
- Enable SSL on Elasticsearch and Kibana – as this is a requirement for most identity providers.
- Create or capture the details of your Okta account.
- Create users and assign to groups in Okta. For this post, I’ve created three users – esuser1, esuser2, and esuser3 – and two groups – ESAdmins and ESUsers. Group memberships are shown here:
Open Distro Security role
In your Okta account, click on Application -> Add Application -> Create New App.
In the next screen, choose Web app as type, SAML 2.0 as the authentication method, and click Create. In the next screen, type in an application name and click Next.
In SAML settings, set Single sign on URL and the Audience URI (SP Entity ID). Enter the below
kibana url as the Single sign on URL.
Make sure to replace the
kibana_port with your actual Kibana configuration as noted in the prerequisites. In my setup this is
Add a string for the Audience URI. You can choose any name here. I used
kibana-saml. You will use this name in the Elasticsearch Security plugin SAML config as the
You will pass the user’s group memberships from Okta to Elasticsearch using Okta’s group attribute statements. Set the Name to “Roles”. The name you choose must match the
roles_key defined in Open Distro Security’s configuration. Click Next and Finish.
On the Application Settings screen, click Identity Provider metadata link to download the metadata XML file and copy it to the Elasticsearch config directory. Set the
idp.metadata_file property in Open Distro Security’s
config.yml file to the path of the XML file. The path has to be specified relative to the
config directory (you can also specify
metadata_url instead of
This metadata file contains the
To complete the configuration of Open Distro for Elasticsearch Security, refer to my prior post on adding single sign-on with ADFS. Follow the steps in that post to map Open Distro Security roles to Okta groups, update Open Distro Security configuration and Kibana configuration, and restart Kibana. My copy of the Security config file with Okta integration is as below:
... http_enabled: true transport_enabled: true order: 1 http_authenticator: type: saml challenge: true config: idp: metadata_file: okta-metadata.xml entity_id: http://www.okta.com/exksz5jfvfaUjGSuU356 sp: entity_id: kibana-saml kibana_url: https://new-kibana.ad.example.com:5601/ exchange_key: 'MIIDAzCCAeugAwIB...' authentication_backend: type: noop ...
Once you restart Kibana, you are ready to test the integration. You should observe the same behavior as covered in the ADFS post.
In this post, I covered SAML authentication for Kibana single sign-on with Okta. You can use a similar process to configure integration with any SAML 2.0 compliant Identity provider. Please refer to the Open Distro for Elasticsearch documentation for additional configuration options for Open Distro for Elasticsearch Security configuration with SAML.