Commit Graph

24 Commits

Author SHA1 Message Date
Adam Locke 13b8715a56
[DOCS] Adding redirect for cross-link from Cloud (#73351) (#73383) 2021-05-25 15:07:35 -04:00
Adam Locke aa66724d1c
[DOCS] Add redirects for Cloud pages to SAML and OIDC docs (#73343) (#73348) 2021-05-24 17:43:46 -04:00
James Rodewig 693807a6d3
[DOCS] Fix double spaces (#71082) 2021-03-31 09:57:47 -04:00
Adam Locke 8dd563134c
[DOCS] Overhaul TLS security docs (#68946)
* Removing security overview and condensing.

* Adding new security file.

* Minor changes.

* Removing link to pass build.

* Adding minimal security page.

* Adding minimal security page.

* Changes to intro.

* Add basic and basic + http configurations.

* Lots of changes, removed files, and redirects.

* Moving some AD and LDAP sections, plus more redirects.

* Redirects for SAML.

* Updating snippet languages and redirects.

* Adding another SAML redirect.

* Hopefully fixing the ci/2 error.

* Fixing another broken link for SAML.

* Adding what's next sections and some cleanup.

* Removes both security tutorials from the TOC.

* Adding redirect for removed tutorial.

* Add graphic for Elastic Security layers.

* Incorporating reviewer feedback.

* Update x-pack/docs/en/security/securing-communications/security-basic-setup.asciidoc

Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>

* Update x-pack/docs/en/security/securing-communications/security-minimal-setup.asciidoc

Co-authored-by: Yang Wang <ywangd@gmail.com>

* Update x-pack/docs/en/security/securing-communications/security-basic-setup.asciidoc

Co-authored-by: Yang Wang <ywangd@gmail.com>

* Update x-pack/docs/en/security/index.asciidoc

Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>

* Update x-pack/docs/en/security/securing-communications/security-basic-setup-https.asciidoc

Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>

* Apply suggestions from code review

Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
Co-authored-by: Yang Wang <ywangd@gmail.com>

* Additional changes from review feedback.

* Incorporating reviewer feedback.

* Incorporating more reviewer feedback.

* Clarify that TLS is for authenticating nodes

Co-authored-by: Tim Vernum <tim@adjective.org>

* Clarify security between nodes

Co-authored-by: Tim Vernum <tim@adjective.org>

* Clarify that TLS is between nodes

Co-authored-by: Tim Vernum <tim@adjective.org>

* Update title for configuring Kibana with a password

Co-authored-by: Tim Vernum <tim@adjective.org>

* Move section for enabling passwords between Kibana and ES to minimal security.

* Add section for transport description, plus incorporate more reviewer feedback.

* Moving operator privileges lower in the navigation.

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Co-authored-by: Ioannis Kakavas <ikakavas@protonmail.com>
Co-authored-by: Yang Wang <ywangd@gmail.com>
Co-authored-by: Tim Vernum <tim@adjective.org>
2021-03-25 11:54:39 -04:00
James Rodewig 9b88ae92e6
[DOCS] Fix typos for duplicate words (#69125) 2021-02-17 10:34:20 -05:00
James Rodewig 217586efec
[DOCS] Fix Kibana timeout settings refs (#68594)
Co-authored-by: Larry Gregory <lgregorydev@gmail.com>
2021-02-05 13:00:12 -05:00
Adam Locke b0a98f9515
[DOCS] Adding authorization_realms setting for OIDC (#64877)
* Adding authorization_realms setting for OIDC.

* Fix typo

* Splitting note into separate notes.
2020-11-16 11:22:46 -05:00
Ioannis Kakavas cd58f2a22e
Update logout guide for OIDC (#61624)
Kibana has changed the routes for the `logged_out` page in the latest
releases and also now offers a login selector. This commit updates
the OIDC guide to reflect that.
2020-09-01 13:06:37 +03:00
James Rodewig 512649c990
[DOCS] Add data streams to security docs (#59084) 2020-07-08 11:54:55 -04:00
Ioannis Kakavas 2217705a7c
Map only specific type of OIDC Claims (#58524)
This commit changes our behavior in 2 ways:

- When mapping claims to user properties (principal, email, groups,
name), we only handle the string and array-of-string types. Previously
we would fail to recognize an array of other types, and that would
cause failures when trying to cast to String.
- When adding unmapped claims to the user metadata, we only handle
string, number, boolean and arrays of these. Previously, we would
fail to recognize an array of other types, and that would cause
failures when attempting to process role mappings.

For user properties that are inherently single valued, like
principal (username), we continue to support arrays of strings, where
we select the first one, in case this is being depended on by users,
but we plan on removing this leniency in the next major release.
2020-07-06 10:02:25 +10:00
Ioannis Kakavas de30a0e18e
Fix responses for the token APIs (#54532)
This commit fixes our behavior regarding the responses we
return in various cases for the use of token related APIs.
More concretely:

- In the Get Token API with the `refresh` grant, when an invalid
(already deleted, malformed, unknown) refresh token is used in the
body of the request, we respond with a `400` HTTP status code
and an `error_description` header with the message "could not
refresh the requested token".
Previously we would erroneously return a `401` with a "token
malformed" message.

- In the Invalidate Token API, when using an invalid (already
deleted, malformed, unknown) access or refresh token, we respond
with `404` and a body that shows that no tokens were invalidated:
```
{
  "invalidated_tokens": 0,
  "previously_invalidated_tokens": 0,
  "error_count": 0
}
```
The previous behavior would be to erroneously return
a `400` or `401` (depending on the case).

- In the Invalidate Token API, when the tokens index doesn't
exist or is closed, we return `400` because we assume this is
a user issue, either because they tried to invalidate a token
when there is no tokens index yet (i.e. no tokens have
been created yet or the tokens index has been deleted) or the
index is closed.

- In the Invalidate Token API, when the tokens index is
unavailable, we return a `503` status code because
we want to signal to the caller of the API that the token they
tried to invalidate was not invalidated and we can't be sure
if it is still valid or not, and that they should try the request
again.

Resolves: #53323
2020-04-16 09:35:44 +03:00
Aleh Zasypkin 129031c3d2
Switch to the most recent Kibana configuration format and SAML/OIDC endpoints. (#50652) 2020-04-02 08:00:34 +02:00
Larry Gregory fa4869a94b
Deprecating kibana_user and kibana_dashboard_only_user roles (#46456)
This change adds a new `kibana_admin` role, and deprecates
the old `kibana_user` and `kibana_dashboard_only_user` roles.

The deprecation is implemented via a new reserved metadata
attribute, which can be consumed from the API and also triggers
deprecation logging when used (by a user authenticating to
Elasticsearch).

Some docs have been updated to avoid references to these
deprecated roles.

Co-authored-by: Tim Vernum <tim@adjective.org>
Co-authored-by: Larry Gregory <legrego@users.noreply.github.com>
2020-01-14 18:08:44 +11:00
Lisa Cawley dd22ea6a28
[DOCS] Adds missing references to oidc realms (#48224) 2019-10-29 08:55:15 -07:00
Lisa Cawley 09071116b0
[DOCS] Security link fixes (#48172) 2019-10-17 07:19:17 -07:00
Ioannis Kakavas f68b036a7b
Document SAML APIs (#45105)
* Document SAML APIs

This change adds documentation for the SAML APIs in Elasticsearch
and adds simple instructions on how these APIs can be used to
authenticate a user with SAML by a custom web application other
than Kibana.

Resolves: #40352

* typo

* fix links

* fix more links

* [DOCS] Fixes broken link

* Add metadata file with shorter names for docs, fix typos and mute tests

* [DOCS] Reformats the SAML APIs to match API template

* Apply suggestions from code review

Co-Authored-By: Lisa Cawley <lcawley@elastic.co>

* Address feedback and add small section on IdP-initiated SSO handling

* address feedback

* moar feedback

* Clarifications and addressing feedback

* properly resolve conflicts

* address feedback

* fix doc links

* minor fixes

* Fix reference
2019-10-11 15:30:21 +03:00
Lisa Cawley 4e4990c6a0
[DOCS] Cleans up links to security content (#47610) 2019-10-04 16:10:26 -07:00
Lisa Cawley c120dd2017
[DOCS] Adds missing security anchors (#47585) 2019-10-04 10:16:16 -07:00
James Rodewig 5c78f606c2
[DOCS] Change // CONSOLE comments to [source,console] (#46440) 2019-09-09 10:45:37 -04:00
Aleh Zasypkin d528da3764
Document support of OIDC Implicit flow in Kibana. (#45693) 2019-09-04 18:20:57 +02:00
Ioannis Kakavas 13179b28cc
Allow Transport Actions to indicate authN realm (#45767)
This commit allows the Transport Actions for the SSO realms to
indicate the realm that should be used to authenticate the
constructed AuthenticationToken. This is useful in the case that
many authentication realms of the same type have been configured
and where the caller of the API (Kibana or a custom web app) already
knows which realm should be used, so there is no need to iterate over all
the realms of the same type.
The realm parameter is added in the relevant REST APIs as optional
so as not to introduce any breaking change.
2019-08-25 18:00:33 +03:00
marcos ramos eedda3d585
Fix OIDC documentation settings (#44115)
The current Kibana setting is `xpack.security.auth.oidc.realm`,
but the correct one is `xpack.security.authc.oidc.realm`.
2019-07-09 18:50:53 +03:00
Ioannis Kakavas 026f0f7e36
OIDC Guide additions (#42555)
- Call out the fact that the SSL Configuration is important and
offer a minimal example of configuring a custom CA for trust.
- Add information about the `op.issuer` that was missing and add
information about the `rp.post_logout_redirect` in the example
since `op.endsession_endpoint` was already mentioned there and
these two should be together.
- Explain that `op.jwkset_path` can be a URL.
2019-06-04 10:14:17 +03:00
Ioannis Kakavas 18f3b27e8f
OpenID Connect realm guide (#41423)
This commit adds a configuration guide for the newly introduced
OpenID Connect realm. The guide is similar in style to the
SAML Guide and shares certain parts where applicable (role mapping).
It also contains a short section on how the realm can be used for
authenticating users without Kibana.

Co-Authored-By: Lisa Cawley <lcawley@elastic.co>
2019-05-20 13:47:58 +03:00