Configuring SSO in Elastic Stack 8.x using Google Workspace SAML IdP

Kibana can provide single sign-on (SSO) through a SAML-based IdP such as Google Workspace (formerly G Suite).

For this post we used an Elastic Cloud deployment on version 8.10.4, but this should work for all 8.x deployments. The process should be very similar for on-prem deployments as well. Note that the SSO feature requires a Platinum or Enterprise subscription of Elastic Stack.

Creating SAML Application

We first need to create an application in Google Workspace that we can use to authenticate. Follow the steps below.

  1. Log in to your Google Workspace admin account and go to the “Apps > Web and mobile apps” section.
  2. Click the “Add app” button and choose “Add custom SAML app”.
  3. Provide the “App name” and, optionally, a description and logo. I will name it “Kibana SAML”, but feel free to change it.
  4. Click the “Continue” button and download the metadata file. Keep this file, as we will need to upload it to Elastic Cloud or place it on the Elasticsearch nodes.
  5. Click the “Continue” button again and, on the next “Service Provider Details” screen, add the following details:
    • ACS URL: KIBANA_ENDPOINT_URL/api/security/saml/callback
    • Entity ID: “kibana-saml”
    • Logout URL: KIBANA_ENDPOINT_URL
    • Check the “signed response” checkbox
    • Name ID Format: Email
    • Name ID: Basic Information > Primary Email
  6. Click the “Continue” button and, on the next screen, click “Add Mapping” under the attributes section.
  7. Map “Primary Email” > “username”.
  8. Click “Finish” so the app gets created.
  9. On the next screen, set this app to “On for everyone” and click “Save”. You can enable this app for specific user groups etc., but for simplicity let’s keep it enabled for all users.

Creating and uploading the metadata bundle

    1. The metadata file we downloaded has to be uploaded to all Elasticsearch nodes. In the case of Elastic Cloud we can create and upload it as a bundle.
    2. Create a new folder named “saml”; remember, it's lowercase.
    3. Place the GoogleIDPMetadata.xml file in the “saml” folder.
    4. Compress the folder into a zip file, so that the zip has a “saml > GoogleIDPMetadata.xml” structure.
    5. In the Elastic Cloud console, navigate to the custom plugins section “Cloud > Features > Extensions”.
    6. Click the “Upload extension” button. On the next screen enter the following values:
      • Plugin name: google-workspace-meta
      • Version: *
      • Description: some description if you like
    7. Under “Type” choose “A bundle containing a dictionary or script”.
    8. Upload the zip file created in the previous steps under the “bundle file” section.
    9. Click the “Create extension” button.

Adding Role Mapping in Kibana

Now we need to add some role mappings so that once a user logs in to Kibana they get a specific role. This mapping can be based on many criteria, such as usernames, groups etc., but we will keep it simple.

    1. Log in to Kibana as a user with “superuser” permissions and navigate to: Stack Management > Security > Role mappings
    2. Create a new role mapping using the following values.
    3. Roles: Choose the Kibana user roles which you want to assign to users logged in via SSO. For simplicity we will choose “superuser”.
    4. Add the following mapping rules:
      • User field: realm.name
      • Type: text
      • Value: google-workspace
      • User field: username
      • Type: text
      • Value: [email protected]
    5. In the rules above, make sure to use the correct values for “realm.name” and “username”.
    6. Click “Save role mapping”.

Configure Elasticsearch and Kibana for SSO

Now Elasticsearch and Kibana need to be configured so they can use SSO.

    1. In Elastic Cloud navigate to your deployment “Edit” > “Elasticsearch user settings and extensions” > “Extensions” and select the “google-workspace-meta” extension.
    2. In Elastic Cloud navigate to your deployment “Edit” > “Elasticsearch user settings and extensions” section and put in the following values.
    3. Make sure to adjust the values to match your environment.
    4. Click the “Back” button and then edit the Kibana settings in the “Edit user settings” section. Add the following values.
    5. You can adjust the description etc. Note that the “realm” value is the same as the one we used in the role mapping.
    6. Click the “Back” button and then the “Save” button so the changes are saved. Let the deployment restart. Once Kibana is back you should see an additional login option on the login screen.

Clicking on the custom login option, you should be able to authenticate with your Google account and log in to Kibana as a superuser.

You can adjust the role mappings etc. to fine tune the granularity of the permissions.
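
For the Elasticsearch and Kibana user settings steps above, a SAML realm and login provider that line up with the names used in this post could look like the following. This is an added example, not the settings from the original post; the metadata path under /app/config/, the idp.entity_id placeholder and the provider names are assumptions to replace with your own values.

```yaml
# --- Elasticsearch user settings (added example; adjust every value) ---
xpack.security.authc.realms.saml.google-workspace:   # realm name used in the role mapping
  order: 2
  # Assumed path: Elastic Cloud unpacks bundles under /app/config/, so the
  # zip layout saml/GoogleIDPMetadata.xml lands here. On-prem, use the path
  # where you placed the file, relative to the Elasticsearch config directory.
  idp.metadata.path: "/app/config/saml/GoogleIDPMetadata.xml"
  # Placeholder: copy the entityID attribute from GoogleIDPMetadata.xml.
  idp.entity_id: "IDP_ENTITY_ID_FROM_METADATA"
  # Must match the Entity ID and ACS URL entered in the Google SAML app.
  sp.entity_id: "kibana-saml"
  sp.acs: "KIBANA_ENDPOINT_URL/api/security/saml/callback"
  # SAML attribute that carries the principal: "username" is the attribute
  # mapped from Primary Email in the Google app, so it matches the
  # "username" rule in the role mapping.
  attributes.principal: "username"

---
# --- Kibana user settings (added example) ---
xpack.security.authc.providers:
  saml.google-workspace:               # provider name is an assumption
    order: 0
    realm: google-workspace            # same realm name as in Elasticsearch
    description: "Log in with Google Workspace"
  basic.basic1:                        # keeps username/password login available
    order: 1
```

If sp.entity_id or sp.acs differ from what was entered in the Google SAML app, the SAML response is rejected by Elasticsearch, so compare both sides character by character before restarting the deployment.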