-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Limit authentication providers based on hostname #109525
Comments
Pinging @elastic/kibana-security (Team:Security) |
Hey all, is there any estimated window of when we can support this in Kibana? We've recently rolled out LetsEncrypt based certificates for our cloud infrastructure, which puts this as the only blocker to getting our Elastic Cloud integrated SSO working. |
Thanks for the ping, we'll move this into our list of items to discuss during our next grooming meeting |
We'll want to discuss with the @elastic/kibana-core team to understand how this interacts with the |
Good point! It looks like this config setting was added to support Alerting: #85075 Based on that issue's linked PR (#85344), the warning toast is only displayed if 1. the client is accessing Kibana with a non-localhost URL, and 2. It appears there are at least two consumers of Accessing Kibana on different hosts is already technically possible today, but emailed alerts and shared URLs will only reflect the configured |
++ Agreed. Receiving an email notification with a link back to Kibana should allow you to login the way you expect to, whatever that happens to mean. If the notification is only capable of using We can't control how other features adopt |
Following up while MikeN is out - is there anything you need from Cloud to decide on a path forward here? I'm working on roadmap timing for SSO support but recognize we're dependent on this issue first being implemented. |
I don't believe we need anything from Cloud, this sounds like an enhancement we want to implement.
We aren't planning on this in the next couple of weeks, but it is near the top of our backlog. Stay tuned! |
Something else that comes to mind is the External URL service. I believe it assumes that there is only one canonical public URL, and that is the location that the browser currently has open. This should account for the fact that there may be multiple public URLs. Otherwise, it will incorrectly think that some links back into Kibana are external when they're in fact internal: kibana/src/core/public/http/external_url_service.ts Lines 58 to 68 in 14c0d35
Naively, I think one way to solve this could be to allow multiple entries for |
Hi Team - any updates here? Is there a decision on how the requisite URL configuration will be supported? |
This work hasn't been prioritized yet and we haven't made any decisions on what exactly the implementation will be, but it's likely to align pretty closely with the issue description. |
Hello team, new Ingress team PM here. I was wondering if there are any updates on this w.r.t. getting it prioritized. |
Hey @alxchalkias, welcome! Unfortunately this hasn't been prioritized yet. |
Seems like this feature is not yet implemented. I'm also looking for a way to show different IdPs based on hostname as we are currently having multitenancy setup where we have different groups of people will access the Kibana. Since it's still not yet implemented, I might need to find a workaround, perhaps I can launch multiple instances of Kibana but with different kibana.yml configuration, particularly on the |
This can work as an interim solution, but it will be quite brittle since it's not what Kibana officially supports. If you go this route, you should make sure that all Kibana instances that are connected to the same cluster have exactly the same list of authentication providers, with exact same names (realm name, Moreover, you'll need to synchronize all data encryption keys and correctly configure |
@arisonl @legrego any chance you can review the priority of this? I want to start planning the CP work on https://elasticco.atlassian.net/browse/CP-1190 and ideally have it done by the end of CY23. |
I've opened #161379 to discuss the limitations around |
Original comment: elastic/elasticsearch#75557 (comment)
Describe the feature:
We can introduce a new optional
hosts
configuration property for authentication providers to limit what host(s) they can be used on. Example:If you access Kibana via "corp.com", you will see the
global-basic
andcorp-saml
auth providers in the login selector.If you access Kibana via "cname-corp.com", you will see the
global-basic
andcname-corp-saml
auth providers in the login selector.This can also be applied to non-login-selector scenarios, such as IdP-initiated login where we loop through auth providers.
Describe a specific use case for the feature:
The text was updated successfully, but these errors were encountered: