The following worked with Elastic Cloud, Elasticsearch & Kibana v7.6.0. It should be pretty close for other kinds of deployments. Before starting, make sure you have the right license level that allows SAML.
- Navigate to the SAML apps section of the admin console.
- Click the Add button and choose "Add custom SAML app".
- Write down the Entity ID and download the IdP metadata file.
- Choose an application name and description, and add a logo.
- In the "Service Provider Details" screen add the following:
  - ACS URL: `https://<kibana url>:9243/api/security/v1/saml`
  - Entity ID: `https://<kibana url>:9243/`
  - Start URL: `https://<kibana url>:9243/`
  - Name ID: Basic Information | Primary Email
  - Name ID Format: Email
- Skip attribute mapping and click "Finished".
- Set the SAML app to the "On for everyone" status.
- Rename the metadata file to `metadata.xml`.
- Place the file in a folder named `saml`.
- Compress the folder into a zip file.
- Navigate to the custom plugins section under your Elastic account.
- Add a new plugin:
  - Plugin name: `<whatever you like, e.g. gsuite-saml>`
  - Version: `*`
  - Description: `<whatever you like>`
- Upload the zip file created above.
- In Kibana navigate to: Management -> Security -> Role mappings.
- Create a new role mapping:
  - Roles: whatever roles you need
  - Add the following mapping rule:
    - User field: `realm.name`
    - Type: `text`
    - Value: `<realm name from elasticsearch.yml, e.g. gsuite>`
- Under the Elasticsearch deployment configuration, go to the Edit screen.
- Enable the `gsuite-saml` plugin under "Elasticsearch plugins and settings".
- Paste the content of `elasticsearch.yml` into "User setting overrides" in the Elasticsearch section.
- Paste the content of `kibana.yml` into "User setting overrides" in the Kibana section.
- Click Save and wait for the re-deployment to finish successfully.
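The guide refers to the content of `elasticsearch.yml` and `kibana.yml` without showing it. The following is an added example of what those two override fragments look like for the setup described above (Name ID = primary email, no attribute mapping, Kibana 7.6 provider syntax); it is not the guide author's own file. The realm name `gsuite`, the bundle path and every `<...>` placeholder are assumptions to be replaced with your own values.

```yaml
# elasticsearch.yml (paste into "User setting overrides", Elasticsearch section)
# Added example, not the guide's own file. Realm name "gsuite" and the
# <...> placeholders are assumptions; fill them from your own setup.
xpack.security.authc.realms.saml.gsuite:
  order: 2
  # metadata.xml from the "saml" folder of the uploaded bundle; the path is
  # assumed to resolve relative to the Elasticsearch config directory
  idp.metadata.path: "saml/metadata.xml"
  # the Entity ID shown by the Google admin console when the app was created
  idp.entity_id: "<idp entity id from the Google admin console>"
  # these three must match the "Service Provider Details" entered in Google
  sp.entity_id: "https://<kibana url>:9243/"
  sp.acs: "https://<kibana url>:9243/api/security/v1/saml"
  sp.logout: "https://<kibana url>:9243/logout"
  # the Name ID carries the primary email, so it becomes the Elasticsearch
  # principal (username) and mail attribute
  attributes.principal: "nameid"
  attributes.mail: "nameid"
  nameid_format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  # no attributes.groups here: the guide skips attribute mapping, so only
  # realm.name and username are available to role-mapping rules
---
# kibana.yml (paste into "User setting overrides", Kibana section), 7.6 syntax
xpack.security.authc.providers: [saml, basic]
# must equal the realm name configured above and used in the role-mapping rule
xpack.security.authc.saml.realm: gsuite
# the IdP POSTs the SAML response to the ACS endpoint without a Kibana XSRF token
server.xsrf.whitelist: [/api/security/v1/saml]
```

Two things to check before saving: the realm name here is the value the role-mapping rule on `realm.name` compares against, so a mismatch silently leaves SAML users with no roles; and keeping `basic` in the provider list leaves the built-in username/password login reachable for local accounts, which is convenient for break-glass access but should be a deliberate choice.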
If everything went smoothly, you should be able to point your browser to Kibana and get authenticated with your Google account.
We were able to build off of this and create more granular rbac within kibana using saml integrated accounts. Sharing here for others' benefit.
All steps fall within the Configure Kibana's role mapping section of this guide.
These prior steps above have more narrowly defined who will get the role mapping in your first role mapping. Before, that role would apply to any and all gsuite saml integrated users.
To create a different role mapped to gsuite saml integrated users:
Clear browser history and open a new browser session to test.
This approach works, but it maps elastic roles to specific gsuite users. It would be more ideal to map elastic roles to groups in gsuite, but we could not get that to work. If others know how to do that, we would appreciate the guidance. We tried using the <group_name> by itself and with the @<domain_name>.com appended to it. Neither worked.