[DOCS] Add SAML configuration information #30548

Merged
merged 4 commits into from
May 22, 2018

@lcawl lcawl commented May 12, 2018

This PR adds a "Configure a SAML realm" task to the Elasticsearch Reference, to match similar information for the other realms (e.g. https://www.elastic.co/guide/en/elasticsearch/reference/master/configuring-file-realm.html).

At this point it links to the https://www.elastic.co/guide/en/elastic-stack-overview/master/saml-guide.html for a lot of details. Some more redundancies might be cleaned up in subsequent PRs.

@lcawl lcawl added >docs General docs changes v7.0.0 v6.3.0 :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v6.4.0 labels May 12, 2018
@lcawl lcawl requested a review from tvernum May 12, 2018 02:19
@elasticmachine
Collaborator

Pinging @elastic/es-security

Contributor

@tvernum tvernum left a comment

A couple of minor comments, but LGTM


* If you configure a SAML realm for use in {kib}, you should also configure
another realm, such as the native realm in your authentication chain.
* These instructions assume that you have an existing identity provider.
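
Review bot: The first bullet is missing a comma after "such as the native realm", so "in your authentication chain" reads as describing the native realm instead of where the second realm has to be configured. Suggest "you should also configure another realm, such as the native realm, in your authentication chain", and add a clause saying why the second realm is needed so readers do not treat it as optional.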

Contributor

I think it's probably worth saying "SAML identity provider" here

------------------------------------------------------------
--

. Generate a SAML metadata file.

Contributor

I would suggest "Configure a SAML IdP metadata file"

"Generate" might lead people to use our saml-metadata utility which is not correct.

We've also had a couple of support cases of people not understanding the distinction between IdP metadata and SP metadata, so I think that it's worth being super clear here.

Contributor Author

Thanks @tvernum. I think I must have assumed the same, since I was missing that step. I've added it now, but I'm still uncertain which steps (if any) you can skip after importing that file. Can you help clarify?

Some identity providers can import metadata about service providers.
//TBD: What steps (if any) does this enable you to skip?
You can generate SP metadata for the {stack} by using the <<saml-metadata,`elasticsearch-saml-metadata` command>>.
--
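
Review bot: The `//TBD: What steps (if any) does this enable you to skip?` line sits in the middle of the step and should be resolved or dropped before merge, since the paragraph currently promises a benefit it never states. The first sentence should also say that this import happens on the identity provider's side, so the SP metadata generated by `elasticsearch-saml-metadata` is not mistaken for the metadata file named in the earlier "Generate a SAML metadata file" step.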

Contributor

This allows you to skip some steps on the Identity Provider side, none of which we document.
As well as the steps we document here for configuring the Elastic Stack, there will be some steps on the IdP side to configure ES/Kibana as a Service Provider.

For a few of them, that's as simple as importing the sp-metadata file.
For others it's a bunch of clicking around in confusing GUIs.

Contributor Author

Thanks, @tvernum, I've clarified that step.

Contributor

@tvernum tvernum left a comment

LGTM

@lcawl lcawl merged commit 9ffeb17 into elastic:master May 22, 2018
@lcawl lcawl deleted the lcawley-saml branch May 22, 2018 15:50
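
The IdP-versus-SP metadata distinction raised in the review above, as an added example (not part of this PR or of the Elasticsearch code base): a pre-flight check that a SAML metadata file actually declares an `IDPSSODescriptor` before it is configured as a realm's IdP metadata. The function names, entity IDs and URLs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # SAML 2.0 metadata namespace

def describe_metadata(xml_bytes):
    """Return entityID, the roles present ("idp"/"sp") and IdP SSO endpoints."""
    # SAML metadata has no use for a DTD; refuse one instead of parsing it.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD or entity declaration in metadata")
    root = ET.fromstring(xml_bytes)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find(MD + "IDPSSODescriptor")
    sp = root.find(MD + "SPSSODescriptor")
    roles = {name for name, el in (("idp", idp), ("sp", sp)) if el is not None}
    sso = []
    if idp is not None:
        sso = [(e.get("Binding"), e.get("Location"))
               for e in idp.findall(MD + "SingleSignOnService")]
    return {"entity_id": root.get("entityID"), "roles": roles, "sso": sso}

def require_idp_metadata(xml_bytes):
    """Return the IdP entityID, or raise if this is not usable IdP metadata."""
    info = describe_metadata(xml_bytes)
    if "idp" not in info["roles"]:
        found = "SP metadata" if "sp" in info["roles"] else "no SSO role descriptor"
        raise ValueError(f"{info['entity_id']}: {found}, expected IdP metadata")
    if not info["sso"]:
        raise ValueError(f"{info['entity_id']}: IdP lists no SingleSignOnService")
    return info["entity_id"]

# Constructed sample documents (not taken from any real deployment).
NS = 'xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"'
IDP_XML = f'''<md:EntityDescriptor {NS} entityID="https://idp.example.org/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>'''.encode()
SP_XML = f'''<md:EntityDescriptor {NS} entityID="https://kibana.example.org/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://kibana.example.org/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>'''.encode()

if __name__ == "__main__":
    print(require_idp_metadata(IDP_XML), describe_metadata(SP_XML)["roles"])
```

The check only inspects role descriptors; it does not validate signatures or certificates in the metadata.
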
dnhatn added a commit that referenced this pull request May 22, 2018
* master:
  QA: Add xpack tests to rolling upgrade (#30795)
  Modify state of VerifyRepositoryResponse for bwc (#30762)
  Reduce CLI scripts to one-liners on Windows (#30772)
  Simplify number of shards setting (#30783)
  Replace Request#setHeaders with addHeader (#30588)
  [TEST] remove endless wait in RestClientTests (#30776)
  [Docs] Fix script-fields snippet execution (#30693)
  Upgrade to Lucene-7.4.0-snapshot-cc2ee23050 (#30778)
  [DOCS] Add SAML configuration information (#30548)
  [DOCS] Remove X-Pack references from SQL CLI (#30694)
  Make http pipelining support mandatory (#30695)
  [Docs] Fix typo in circuit breaker docs (#29659)
  [Feature] Adding a char_group tokenizer (#24186)
  [Docs] Fix broken cross link in documentation
  Test: wait for netty threads in a JUnit ClassRule (#30763)
  Increase the maximum number of filters that may be in the cache. (#30655)
  [Security] Include an empty json object in an json array when FLS filters out all fields (#30709)
  [TEST] Wait for CS to be fully applied in testDeleteCreateInOneBulk
  Add more yaml tests for get alias API (#29513)
  Ignore empty completion input (#30713)
  [DOCS] fixed incorrect default
  [ML] Filter undefined job groups from update calendar actions (#30757)
  Fix docs failure on language analyzers (#30722)
  [Docs] Fix inconsistencies in snapshot/restore doc (#30480)
  Enable installing plugins from snapshots.elastic.co (#30765)
  Remove fedora 26, add 28 (#30683)
  Accept Gradle build scan agreement (#30645)
  Remove logging from elasticsearch-nio jar (#30761)
  Add Delete Repository High Level REST API (#30666)
dnhatn added a commit that referenced this pull request May 24, 2018
* 6.x:
  [DOCS] Fixes typos in security settings
  Add support for indexed shape routing in geo_shape query (#30760)
  [DOCS] Splits auditing.asciidoc into smaller files
  Painless: Types Section Clean Up (#30283)
  [test] java tests for archive packaging (#30734)
  Deprecate http.pipelining setting (#30786)
  [DOCS] Fix more edit URLs in Stack Overview (#30704)
  Use correct cluster state version for node fault detection (#30810)
  [DOCS] Fixes broken link for native realm
  [DOCS] Clarified audit.index.client.hosts (#30797)
  Change serialization version of doc-value fields.
  Add a `format` option to `docvalue_fields`. (#29639)
  [TEST] Don't expect acks when isolating nodes
  Fixes UpdateSettingsRequestStreamableTests mutate bug
  Revert "Add more yaml tests for get alias API (#29513)"
  Revert "Mutes MachineLearningTests.testNoAttributes_givenSameAndMlEnabled"
  Only allow x-pack metadata if all nodes are ready (#30743)
  Mutes MachineLearningTests.testNoAttributes_givenSameAndMlEnabled
  Use original settings on full-cluster restart (#30780)
  Only ack cluster state updates successfully applied on all nodes (#30672)
  Replace Request#setHeaders with addHeader (#30588)
  [TEST] remove endless wait in RestClientTests (#30776)
  QA: Add xpack tests to rolling upgrade (#30795)
  Add support for search templates to the high-level REST client. (#30473)
  Reduce CLI scripts to one-liners on Windows (#30772)
  Fold RestGetAllSettingsAction in RestGetSettingsAction (#30561)
  Add more yaml tests for get alias API (#29513)
  [Docs] Fix script-fields snippet execution (#30693)
  Convert FieldCapabilitiesResponse to a ToXContentObject. (#30182)
  Remove assert statements from field caps documentation. (#30601)
  Fix a bug in FieldCapabilitiesRequest#equals and hashCode. (#30181)
  Add support for field capabilities to the high-level REST client. (#29664)
  [DOCS] Add SAML configuration information (#30548)
  [DOCS] Remove X-Pack references from SQL CLI (#30694)
  [Docs] Fix typo in circuit breaker docs (#29659)
  [Feature] Adding a char_group tokenizer (#24186)
  Increase the maximum number of filters that may be in the cache. (#30655)
  [Docs] Fix broken cross link in documentation
  Test: wait for netty threads in a JUnit ClassRule (#30763)
  [Security] Include an empty json object in an json array when FLS filters out all fields (#30709)
  [DOCS] fixed incorrect default
  [TEST] Wait for CS to be fully applied in testDeleteCreateInOneBulk
  Enable installing plugins from snapshots.elastic.co (#30765)
  Ignore empty completion input (#30713)
  Fix docs failure on language analyzers (#30722)
  [Docs] Fix inconsistencies in snapshot/restore doc (#30480)
  Add Delete Repository High Level REST API (#30666)
  Reduce CLI scripts to one-liners (#30759)
Labels
>docs General docs changes :Security/Authentication Logging in, Usernames/passwords, Realms (Native/LDAP/AD/SAML/PKI/etc) v6.3.0 v6.4.0 v7.0.0-beta1