Hello,
I’m currently attempting to set up SAML authentication for Kibana with two options. One is for users connecting via an internal VPN with a kibana_url set to a non-publicly available address. The other is for users who aren’t accessing via VPN and is an Azure Active Directory Application Proxy. Both work correctly when configured as the only option. However if trying to run both at once, I can only get one working at a time.
My config.yml looks something like this:
---
_meta:
  type: "config"
  config_version: 2
config:
  dynamic:
    authc:
      # Tried first: HTTP basic auth against the internal user database
      basic_internal_auth_domain:
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      # SAML domain for users coming through the Azure AD Application Proxy
      saml_auth_domain_proxy:
        http_enabled: true
        transport_enabled: false
        order: 1
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: <metadata_url_1>
              entity_id: <appropriate_entity_id>
            sp:
              entity_id: <appropriate_entity_id>
            kibana_url: <KIBANA_URL_FOR_PROXY_SAML>
            roles_key: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
            exchange_key: <exchange_key>
        authentication_backend:
          type: noop
      # SAML domain for users on the internal VPN (non-public kibana_url)
      saml_auth_domain_vpn:
        http_enabled: true
        transport_enabled: false
        order: 2
        http_authenticator:
          type: saml
          challenge: true
          config:
            idp:
              metadata_url: <metadata_url_2>
              entity_id: <appropriate_entity_id>
            sp:
              entity_id: <appropriate_entity_id>
            kibana_url: <KIBANA_URL_FOR_VPN_SAML>
            roles_key: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
            exchange_key: <exchange_key_2>
        authentication_backend:
          type: noop
My understanding from the docs was that if the option with order: 1 failed, it would then attempt the order: 2 configuration; however, in the case where it fails on the first, it simply throws a SAML error in Kibana and stops.
I’m likely misunderstanding the docs, but if someone could confirm or suggest an alternative that would be fantastic, thanks.
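A small check for the ordering question raised above, added here as an example and not part of the original post: it walks the authc domains in ascending order and reports any domain that sits behind an earlier domain with challenge: true. It assumes (as the security plugin docs describe challenging authenticators) that the first http-enabled domain with challenge: true that cannot authenticate a request answers with its challenge instead of falling through; the SAMPLE_AUTHC dict and the function names are constructed for the example.

```python
# Added lint for the authc section of an OpenSearch/Open Distro security
# config.yml (constructed example, not code from the original post). Load the
# real config.yml with a YAML parser into the same dict shape as SAMPLE_AUTHC.
# Assumption: domains are tried in ascending `order`, and the first http-enabled
# domain with challenge: true that cannot authenticate a request answers with
# its challenge instead of falling through to the next domain.

# Same layout as the post: basic (challenge: false), then two challenging SAML domains.
SAMPLE_AUTHC = {
    "basic_internal_auth_domain": {
        "order": 0,
        "http_authenticator": {"type": "basic", "challenge": False},
        "authentication_backend": {"type": "internal"},
    },
    "saml_auth_domain_proxy": {
        "http_enabled": True, "order": 1,
        "http_authenticator": {"type": "saml", "challenge": True},
        "authentication_backend": {"type": "noop"},
    },
    "saml_auth_domain_vpn": {
        "http_enabled": True, "order": 2,
        "http_authenticator": {"type": "saml", "challenge": True},
        "authentication_backend": {"type": "noop"},
    },
}

def ordered_domains(authc):
    """(name, order, type, challenge) for HTTP-enabled domains, sorted by order.
    http_enabled and challenge default to True when omitted (plugin defaults)."""
    rows = []
    for name, dom in authc.items():
        if dom.get("http_enabled", True):
            auth = dom.get("http_authenticator", {})
            rows.append((name, dom.get("order", 0), auth.get("type"),
                         bool(auth.get("challenge", True))))
    return sorted(rows, key=lambda r: r[1])

def reachable_domains(authc):
    """Domains an unauthenticated request can reach: up to the first challenger."""
    reached = []
    for name, _, _, challenge in ordered_domains(authc):
        reached.append(name)
        if challenge:
            break
    return reached

def lint(authc):
    """One warning per domain shadowed by an earlier challenging domain."""
    names = [r[0] for r in ordered_domains(authc)]
    return [f"{d} is never reached: an earlier domain with challenge: true answers first"
            for d in names[len(reachable_domains(authc)):]]
```

Run lint() on the parsed authc section; an empty list means every domain can be reached by a request that fails the ones before it.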