Multiple SAML Auth options for Kibana

Hello,

I’m currently attempting to set up SAML authentication for Kibana with two options. One is for users connecting via an internal VPN, with a kibana_url set to a non-publicly available address. The other is for users who aren’t accessing via VPN and is an Azure Active Directory Application Proxy. Both work correctly when configured as the only option. However, if trying to run both at once, I can only get one working at a time.
My config.yml looks something like this:

---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      saml_auth_domain_proxy:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: <metadata_url_1>
              entity_id: <appropriate_entity_id>
            sp:
              entity_id: <appropriate_entity_id>
            kibana_url: <KIBANA_URL_FOR_PROXY_SAML>
            roles_key: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
            exchange_key: <exchange_key>
        authentication_backend:
          type: noop
      saml_auth_domain_vpn:
        http_enabled: true
        transport_enabled: false
        order: 2
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: <metadata_url_2>
              entity_id: <appropriate_entity_id>
            sp:
              entity_id: <appropriate_entity_id>
            kibana_url: <KIBANA_URL_FOR_VPN_SAML>
            roles_key: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
            exchange_key: <exchange_key_2>
        authentication_backend:
          type: noop

My understanding from the docs was that if the option with order: 1 failed, it would then attempt the order: 2 configuration; however, in the case where it fails on the first, it simply throws a SAML error in Kibana and stops.
I’m likely misunderstanding the docs, but if someone could confirm or suggest an alternative that would be fantastic, thanks.

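As an added sanity check, not part of the original post or of the OpenSearch Security plugin itself: a small Python lint that walks the authc section in order and flags any SAML domain sitting behind an earlier SAML domain with challenge: true, assuming (as the post observes) that a failing challenging SAML domain stops the chain instead of falling through. The `saml_domain` helper and `SAMPLE_CONFIG` are constructed here to mirror the posted config.yml with its placeholders.

```python
"""Lint an OpenSearch Security config.yml for SAML authc domains that
can never be reached (hypothetical rule based on the post's observation:
a failing SAML domain with challenge: true stops the chain)."""


def unreachable_saml_domains(config: dict) -> list:
    """Names of SAML domains ordered after a challenging SAML domain."""
    authc = config.get("config", {}).get("dynamic", {}).get("authc", {})
    # Domains are tried in ascending 'order'; domains disabled for HTTP never run.
    active = [(n, d) for n, d in authc.items() if d.get("http_enabled", True)]
    active.sort(key=lambda item: item[1].get("order", 0))
    shadowed, challenging_seen = [], False
    for name, dom in active:
        auth = dom.get("http_authenticator", {})
        if auth.get("type") != "saml":
            continue  # basic/other domains do not stop the chain
        if challenging_seen:
            shadowed.append(name)
        if auth.get("challenge", False):
            challenging_seen = True
    return shadowed


def saml_domain(order, challenge, kibana_url):
    """Build one SAML authc domain entry (constructed sample helper)."""
    return {"http_enabled": True, "transport_enabled": False, "order": order,
            "http_authenticator": {"type": "saml", "challenge": challenge,
                                   "config": {"kibana_url": kibana_url}},
            "authentication_backend": {"type": "noop"}}


# Constructed sample mirroring the post's config.yml (placeholder values kept).
SAMPLE_CONFIG = {"config": {"dynamic": {"authc": {
    "basic_internal_auth_domain": {
        "order": 0,
        "http_authenticator": {"type": "basic", "challenge": False},
        "authentication_backend": {"type": "internal"}},
    "saml_auth_domain_proxy": saml_domain(1, True, "<KIBANA_URL_FOR_PROXY_SAML>"),
    "saml_auth_domain_vpn": saml_domain(2, True, "<KIBANA_URL_FOR_VPN_SAML>"),
}}}}

if __name__ == "__main__":
    for name in unreachable_saml_domains(SAMPLE_CONFIG):
        print(f"{name}: never reached, an earlier SAML domain has challenge: true")
```

To lint a real file, load it with yaml.safe_load (PyYAML) and pass the resulting dict to unreachable_saml_domains.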