Configure SAML single sign-on for Kibana with AAD
Things may break just like our hearts.. Be careful with steps while implementing in production Environment..
Lets get started..
1. AD configured in Azure cloud
2. Azure Enterprise application
3. AWS elastic search with Enabled SAML authentication
Enable SAML authentication for existing Elasticsearch in AWS cloud:
Navigate to AWS ES Console. Select the ES Cluster that we need to enable the SSO with SAML authentication. Now will be able to see a button named “Actions” as shown in the diagram below. Click on it and select Modify Authentication option.
Scroll a bit down the page and now we will be able to see the section that provides us to enable SAML authentication to Kibana. Check the box with “Enable SAML Authentication”. This will make visible another section that carries the required details that need to configure SSO for Kibana.
Note: Enable SAML authentication is possible once we enable Fine-grained access to the ES
Create master user and password as shown in below screenshot this credential will be created in Kibana internal database and this credentials will not be used for login once we enable SSO completely.
- Note down Service provider entity ID, IdP-initiated SSO URL, SP-initiated SSO URL
Now we will move to Azure where we will get XML Metadata file by providing above 3 URL as input
Create Enterprise application in Azure:
Login in to azure and Navigate to enterprise application
Click on Add new application
Select AWS application
Click on AWS single account access.
Provide Application name and click on create button.
Once we create application we would be able to see below application Name Application ID..
Here is the crucial part setting up SSO click on setup single-sign-on as shown in below screenshot.
Select SSO method as SAML
Edit Basic SAML configuration and replace values with below details and save
Identifier Entity ID — Service provider entity ID from AWS ES
Reply URL — SP-initiated SSO URL from AWS ES
Sign on URL — Kibana URL from AWS ES
Note: Above pictures has blank data kindly refer the above steps to fill the fields
Once save the configuration scroll down bit on SAML signing certificate we would be able to see the Federation metadata XML Download this file.
We have finished SSO configuration in Azure application at the final step lets add users in application
Click on Add user/group
Note: User email ID will be available if only user exist in the AAD,,
Select the users for whoever wants access to ES kibana
We are done the azure steps.. lets go back to AWS console where we left SAML configuration.
Import metadata from azure which we downloaded in above step.
This will autofill IDP entity ID as per the imported metadata
Finally click on submit. ES domain will take 30 sec downtime to update the configuration.
Now click on the kibana URL it will login to kibana dashboard with SAML authentication..
Congratulations!!! We have Done with the SAML single-sign-on with AAD.
Please follow MachiCloud blogs for More updates..