Configure SAML single sign-on for Kibana with AAD
Things may break, just like our hearts. Be careful with these steps when implementing them in a production environment.
Let's get started.
Prerequisites:
1. An Azure AD (AAD) tenant configured in the Azure cloud
2. Permission to create an Azure Enterprise application
3. An AWS Elasticsearch domain on which SAML authentication can be enabled (this requires fine-grained access control)
Enable SAML authentication for an existing Elasticsearch domain in AWS:
Navigate to the AWS Elasticsearch console and select the domain on which SSO with SAML authentication is to be enabled. A button named "Actions" is shown, as in the diagram below. Click on it and select the Modify authentication option.

Scroll a little way down the page to the section that allows SAML authentication to be enabled for Kibana. Check the box "Enable SAML authentication". This reveals another section that carries the details required to configure SSO for Kibana.
Note: enabling SAML authentication is only possible once fine-grained access control is enabled on the domain.
Create the master user and password as shown in the screenshot below. This credential is stored in the internal user database of the domain. It is not the login path for Kibana once SSO is fully enabled, but it remains a valid master credential for the domain, so store it securely rather than treating it as throwaway.

- Note down the Service provider entity ID, the IdP-initiated SSO URL and the SP-initiated SSO URL
Now we move to Azure, where these three values are the input for the enterprise application, and from which we obtain the federation metadata XML file.
Create an Enterprise application in Azure:
Log in to Azure and navigate to Enterprise applications.

Click on Add new application

Select the AWS application from the gallery.

Click on AWS Single-Account Access.

Provide an application name and click the Create button.

Once the application is created, its name and Application ID are shown as below.
Here is the crucial part, setting up SSO: click on "Set up single sign-on" as shown in the screenshot below.

Select SAML as the single sign-on method.

Edit the Basic SAML Configuration, replace the values with the details below, and save.

Identifier (Entity ID) — the Service provider entity ID from AWS ES
Reply URL — the SP-initiated SSO URL from AWS ES
Sign on URL — the Kibana URL from AWS ES


Note: the screenshots above have blank fields; refer to the steps above to fill them in.
Once the configuration is saved, scroll down a little to the SAML Signing Certificate section and download the Federation Metadata XML file. This metadata carries the certificate AWS will use to verify assertion signatures; Azure signing certificates expire (the default lifetime is three years), so note the expiry date and plan to re-import fresh metadata into AWS before the certificate is rotated, otherwise logins will fail.

The SSO configuration of the Azure application is finished. As the final step, add users to the application.

Click on Add user/group

Note: a user's email ID is only available if the user exists in AAD.
Select only the users who need access to Kibana on the ES domain; assignment here is what gates who can sign in.

The Azure steps are done. Go back to the AWS console, where the SAML configuration was left off.
Import the metadata downloaded from Azure in the step above.

This autofills the IdP entity ID from the imported metadata.

Finally, click Submit. The domain needs a short time to apply the configuration; expect roughly 30 seconds during which Kibana may be unavailable.
Now click the Kibana URL: it redirects to Azure AD and, after authentication, logs in to the Kibana dashboard via SAML.
Congratulations! SAML single sign-on with AAD is done.
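The following is an added example, not part of the original post and not AWS or Microsoft code, for checking the pieces of this procedure before the final Submit. It parses an Azure AD federation metadata download (a constructed sample is embedded; the tenant ID and certificate bytes are placeholders), confirms it is IdP metadata with a signing certificate and an HTTPS redirect endpoint, checks that the three values copied from the AWS console plus the Kibana URL all point at one domain over HTTPS (assuming, as AWS presents them, that the SP entity ID is the domain endpoint URL), and builds the `SAMLOptions` document that the `aws es update-elasticsearch-domain-config --advanced-security-options` CLI accepts as an alternative to clicking through the console. The SAML master username passed to it is the Azure user's NameID that gets full access; `user@example.com` and the `search-x` domain name are placeholders.

```python
import base64
import hashlib
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces used by SAML 2.0 metadata and XML signatures.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of an Azure AD "Federation Metadata XML" download.
# The tenant ID is all zeros and the certificate is a placeholder, not real X.509 data.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{cert}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".format(cert=base64.b64encode(b"constructed placeholder, not a real certificate").decode())


def parse_idp_metadata(xml_text):
    """Extract what AWS needs from IdP metadata and reject anything that is not usable IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    # Signing certificates: AWS verifies assertion signatures against these, so record
    # a SHA-256 fingerprint of each DER blob to compare against what Azure shows.
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("no signing certificate in metadata")
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT_BINDING:
            sso_url = svc.get("Location")
    if not sso_url or urlparse(sso_url).scheme != "https":
        raise ValueError("no HTTPS HTTP-Redirect SingleSignOnService endpoint")
    return {"entity_id": entity_id, "sso_url": sso_url, "signing_cert_sha256": fingerprints}


def check_sp_values(sp_entity_id, sp_initiated_url, idp_initiated_url, kibana_url):
    """The values copied from the AWS console must all be HTTPS and name the same domain endpoint."""
    hosts = set()
    for url in (sp_entity_id, sp_initiated_url, idp_initiated_url, kibana_url):
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.hostname:
            raise ValueError("SAML endpoints must be absolute HTTPS URLs: %s" % url)
        hosts.add(parsed.hostname)
    if len(hosts) != 1:
        raise ValueError("SP values point at different hosts: %s" % sorted(hosts))
    return hosts.pop()


def build_saml_options(metadata_xml, saml_master_user, session_timeout_minutes=60):
    """Build the --advanced-security-options JSON for aws es update-elasticsearch-domain-config."""
    idp = parse_idp_metadata(metadata_xml)
    return {
        "SAMLOptions": {
            "Enabled": True,
            "Idp": {"MetadataContent": metadata_xml, "EntityId": idp["entity_id"]},
            "MasterUserName": saml_master_user,  # IdP user (NameID) granted full access
            "SessionTimeoutMinutes": session_timeout_minutes,
        }
    }


if __name__ == "__main__":
    domain = "search-x.us-east-1.es.amazonaws.com"  # placeholder domain endpoint
    host = check_sp_values(
        "https://%s" % domain,
        "https://%s/_plugin/kibana/_opendistro/_security/saml/acs" % domain,
        "https://%s/_plugin/kibana/_opendistro/_security/saml/acs/idpinitiated" % domain,
        "https://%s/_plugin/kibana/" % domain,
    )
    print("SP values consistent for host:", host)
    print("IdP:", json.dumps(parse_idp_metadata(SAMPLE_METADATA), indent=2))
    opts = build_saml_options(SAMPLE_METADATA, "user@example.com")
    print("aws es update-elasticsearch-domain-config --domain-name <domain> "
          "--advanced-security-options '%s'" % json.dumps(opts))
```

Run it against the real metadata file (`parse_idp_metadata(open("metadata.xml").read())`) before importing it in the console: a file that fails here, typically because it is SP metadata or carries no signing certificate, will also fail silently as a broken login after the domain update.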
Please follow the MachiCloud blogs for more updates.
Thanks!
Machendra K
Solution Architect