@m1keil
Last active February 16, 2024 17:00
Configure Kibana to use SAML with Google Workspace (Google Apps, G Suite)

The following worked with Elastic Cloud, Elasticsearch & Kibana v7.6.0. It should be pretty close for other kinds of deployments, but note that the kibana.yml settings below use the 7.6 provider syntax, which later 7.x releases replaced. Before starting, make sure your deployment has a license level that includes SAML authentication.

Create SAML App in Google Workspace:

  • Navigate to the SAML apps section of the admin console

  • Click the Add button and choose to "Add custom SAML app"

  • Write down the Entity ID and download the Idp metadata file

  • Choose application name, description and add logo

  • In the "Service Provider Details" screen add the following. These values must match sp.acs and sp.entity_id in elasticsearch.yml character for character, trailing slash included; otherwise Google rejects the request or Elasticsearch rejects the assertion:

    • ACS URL: https://<kibana url>:9243/api/security/v1/saml
    • Entity ID: https://<kibana url>:9243/
    • Start URL: https://<kibana url>:9243/
    • Name ID: Basic Information | Primary Email
    • Name ID Format: Email
  • Skip attribute mapping and click "Finished". If you want to assign Kibana roles by Google group instead, map "Group membership" here to an app attribute named groups, which is the name the realm's attributes.groups setting looks for.

  • Set the SAML app's user access to "On for everyone". This lets every account in the Workspace authenticate to Kibana; what each user may do is decided solely by the role mapping configured below.

Create and upload the metadata bundle:

  • Rename the metadata file to metadata.xml

  • Place the file in a folder named saml

  • Compress the folder into a zip file, so that the archive contains the entry saml/metadata.xml (idp.metadata.path in elasticsearch.yml below points at this layout once Elastic Cloud unpacks the bundle)

  • Navigate to the custom plugins section under your Elastic account

  • Add a new plugin:

    • Plugin name: <whatever you like, e.g gsuite-saml>
    • Version: *
    • Description: <whatever you like>
  • Upload the zip file created above

Configure Kibana's role mapping

  • In Kibana navigate to: Management -> Security -> Role mappings

  • Create a new role mapping:

    • Roles: Whatever roles you need. Every user who authenticates through this realm receives them, so keep the set minimal, or add a second field rule on groups if the Google app maps group membership
    • Add the following mapping rule:
      • User field: realm.name
      • Type: text
      • Value: <realm name from elasticsearch.yml, e.g. gsuite>
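The role mapping the UI steps above create is a single field rule on realm.name. The following is an added example, not code from the gist: it builds that rule as the body the Kibana UI sends to PUT /_security/role_mapping/<name> and evaluates it, with Elasticsearch's field/any/all/except semantics, over constructed users, showing that the realm-only rule grants the roles to every Workspace account that can log in, while an additional rule on groups narrows it. The user records and the group name kibana-admins@example.com are assumptions; groups is only populated if the Google app maps Group membership to an attribute named groups.

```python
# Added example (not part of the original gist): build and evaluate the
# role-mapping rule from the steps above over constructed users.
import fnmatch

REALM = "gsuite"   # the realm key from elasticsearch.yml

# Constructed users as Elasticsearch sees them after a SAML login via this realm.
# "groups" is only present when the Google app maps Group membership to an
# attribute named "groups" (the realm's attributes.groups setting).
USERS = {
    "alice": {"username": "alice@example.com", "realm.name": REALM,
              "groups": ["kibana-admins@example.com", "everyone@example.com"]},
    "bob":   {"username": "bob@example.com", "realm.name": REALM,
              "groups": ["everyone@example.com"]},
    "svc":   {"username": "elastic", "realm.name": "reserved"},
}

# Rule exactly as the UI steps create it: User field realm.name, value gsuite.
REALM_ONLY_RULE = {"field": {"realm.name": REALM}}

# Same rule tightened to one (assumed) Google group.
GROUP_SCOPED_RULE = {"all": [
    {"field": {"realm.name": REALM}},
    {"field": {"groups": "kibana-admins@example.com"}},
]}


def _field_matches(user, name, wanted):
    """Field-rule semantics: any wanted value (simple * wildcards allowed)
    equal to any of the user's values for that field; missing field never matches."""
    have = user.get(name)
    if have is None:
        return False
    have = have if isinstance(have, list) else [have]
    wanted = wanted if isinstance(wanted, list) else [wanted]
    return any(fnmatch.fnmatchcase(str(h), str(w)) for h in have for w in wanted)


def evaluate_rule(rule, user):
    """Evaluate a role-mapping rule tree (field / any / all / except) for one user."""
    if "field" in rule:
        return all(_field_matches(user, k, v) for k, v in rule["field"].items())
    if "any" in rule:
        return any(evaluate_rule(r, user) for r in rule["any"])
    if "all" in rule:
        return all(evaluate_rule(r, user) for r in rule["all"])
    if "except" in rule:
        return not evaluate_rule(rule["except"], user)
    raise ValueError(f"unknown rule type: {sorted(rule)}")


def role_mapping_body(roles, rule):
    """Request body for PUT /_security/role_mapping/<name>, what the Kibana UI submits."""
    return {"enabled": True, "roles": list(roles), "rules": rule}


def who_gets_roles(rule, users=USERS):
    """Names of the constructed users the rule would grant the mapped roles to."""
    return sorted(n for n, u in users.items() if evaluate_rule(rule, u))


if __name__ == "__main__":
    print(role_mapping_body(["kibana_admin"], GROUP_SCOPED_RULE))
    print("realm only   ->", who_gets_roles(REALM_ONLY_RULE))
    print("group scoped ->", who_gets_roles(GROUP_SCOPED_RULE))
```

The realm-only rule matches alice and bob alike, which is the point of the caveat on the Roles step: realm.name identifies how a user logged in, not who they are.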

Configure Elasticsearch and Kibana

  • Open the Edit screen of your Elasticsearch deployment
  • Enable the gsuite-saml plugin under "Elasticsearch plugins and settings"
  • Paste the content of elasticsearch.yml into "User setting overrides" in the Elasticsearch section
  • Paste the content of kibana.yml into "User setting overrides" in the Kibana section
  • Click Save and wait for the re-deployment to finish successfully

If everything went smoothly, you should be able to point your browser at Kibana and be authenticated with your Google account.
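Most failed first logins come from the metadata bundle or the SP values not lining up between the Google admin console and elasticsearch.yml. The following is an added example, not code from the gist or from Elastic: it checks the IdP metadata downloaded from Google (EntityDescriptor with an entityID, an IDPSSODescriptor and a signing certificate, which Elasticsearch needs to validate responses), packs it as saml/metadata.xml the way the custom-plugin upload expects, renders the realm settings, and compares the ACS URL and Entity ID typed into Google with what the realm will use. The metadata document, the host kibana.example.com and the idpid EXAMPLEID are constructed stand-ins.

```python
# Added example (not part of the original gist): inspect Google's IdP metadata,
# build the saml/metadata.xml bundle and render the matching realm settings.
import io
import zipfile
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the file Google lets you download; the real one
# carries the real idpid and a real X.509 certificate.
SAMPLE_IDP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-constructed-placeholder</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLEID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_bytes):
    """Return entity ID, SSO endpoints and signing-cert count, or raise ValueError."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntityDescriptor" or not root.get("entityID"):
        raise ValueError("not a SAML EntityDescriptor with an entityID")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata describes no IdP (no IDPSSODescriptor)")
    # Elasticsearch verifies response signatures against the certificates
    # published here; a KeyDescriptor without a "use" attribute covers signing too.
    certs = [c for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
             if kd.get("use", "signing") == "signing"
             for c in kd.iter(f"{{{DS}}}X509Certificate") if (c.text or "").strip()]
    if not certs:
        raise ValueError("IdP metadata carries no signing certificate")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": len(certs)}


def build_plugin_bundle(xml_bytes):
    """Zip the metadata as saml/metadata.xml, the layout idp.metadata.path expects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("saml/metadata.xml", xml_bytes)
    return buf.getvalue()


def bundle_entries(bundle):
    return zipfile.ZipFile(io.BytesIO(bundle)).namelist()


def sp_values(kibana_host, port=9243):
    """The URLs that must be entered identically in Google and in elasticsearch.yml."""
    base = f"https://{kibana_host}:{port}/"
    return {"sp.entity_id": base,
            "sp.acs": base + "api/security/v1/saml",
            "sp.logout": base + "logout"}


def render_realm_settings(realm, idp_entity_id, kibana_host, port=9243):
    """elasticsearch.yml fragment for the realm; the realm name is arbitrary."""
    lines = [f"xpack.security.authc.realms.saml.{realm}:",
             "  order: 2",
             '  attributes.principal: "nameid"',
             '  attributes.groups: "groups"',
             '  idp.metadata.path: "/app/config/saml/metadata.xml"',
             f'  idp.entity_id: "{idp_entity_id}"']
    lines += [f'  {k}: "{v}"' for k, v in sp_values(kibana_host, port).items()]
    return "\n".join(lines) + "\n"


def sp_mismatches(google_app, kibana_host, port=9243):
    """Fields typed into Google's SP details screen that differ from the realm's
    values. google_app = {"acs_url": ..., "entity_id": ...}; a trailing slash counts."""
    expected = sp_values(kibana_host, port)
    problems = []
    if google_app.get("acs_url") != expected["sp.acs"]:
        problems.append("ACS URL")
    if google_app.get("entity_id") != expected["sp.entity_id"]:
        problems.append("Entity ID")
    return problems


if __name__ == "__main__":
    info = inspect_idp_metadata(SAMPLE_IDP_METADATA)
    print(render_realm_settings("gsuite", info["entity_id"], "kibana.example.com"))
    print(bundle_entries(build_plugin_bundle(SAMPLE_IDP_METADATA)))
```

Run it against the real metadata.xml by replacing SAMPLE_IDP_METADATA with the file's bytes; the rendered fragment is what goes into the Elasticsearch "User setting overrides", and the zip bytes are what you upload as the custom plugin.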

Reference

elasticsearch.yml:

# make sure to adjust values accordingly before pasting.
# the "gsuite" key is arbitrary. you can choose whatever name you like.
# you'll need to use it in kibana.yml as the value for "xpack.security.authc.saml.realm"
# and in the role mapping rules
xpack.security.authc.realms.saml.gsuite:
  order: 2
  attributes.principal: "nameid"
  # only populated if the Google SAML app maps Group membership to an attribute named "groups"
  attributes.groups: "groups"
  # matches the saml/metadata.xml layout of the uploaded bundle, which Elastic Cloud unpacks under /app/config
  idp.metadata.path: "/app/config/saml/metadata.xml"
  # the Entity ID shown by Google Workspace when the SAML app was created
  idp.entity_id: "https://accounts.google.com/o/saml2?idpid=XXXXXXXXX"
  # must be identical to the Entity ID and ACS URL entered in the Google app
  sp.entity_id: "https://<kibana url>:9243/"
  sp.acs: "https://<kibana url>:9243/api/security/v1/saml"
  sp.logout: "https://<kibana url>:9243/logout"

kibana.yml:

# this enables both saml and basic (built in) auth.
# to use basic auth while saml is on, use https://<kibana url>:9243/login
# you might need to clear cache/cookies or use incognito
xpack.security.authc.providers: [saml,basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.authc.saml.realm: gsuite
sirachv commented Jun 20, 2023

@sm3142 This should be the new accepted answer. Managed to set up google group membership as detailed above.
