Dashboard embed URL lands at the space selector

Hi,
We are trying to embed a link to a specific dashboard into our product portal using JWT tokens in the URL parameter and the problem we run into is that instead of landing directly on the dashboard, the page lands at the space selector for the first time (on a new browser session). Subsequent reloads on the same browser session land the page at the dashboard, but the first one always goes to the space selector. Is this a known issue? If so, is there a workaround for this.
Here are my setup details.

1. JWT and Basic Auth enabled at Elasticsearch. JWT is through Auth Header from Kibana to ES
2. JWT token based auth at Kibana with URL param used for passing the token
3. Tenant, roles and role mappings created in the system where roles map to our backend roles (passed through roles and subject field in the JWT)
4. After this we go to a specific dashboard for a tenant and get the “embed” link to the saved object
5. We ran with two cases (1) direct link on the browser window. (2) link embedded in an iframe from a server hosted on the same domain.

In both cases, what we noticed is that when we open a fresh browser, the first time it almost always lands on the space selector. Once we choose a space, a subsequent reload will take it to the dashboard. This does not happen when we run with base Kibana (not using tenants and JWT tokens)
Thanks for any help that you can give on this. This will be a blocker for us in deployment.

Hi.
We need more information to help you.

1. What SG version do you use?
2. sg_config.yml.
3. searchgurad.yml.
4. kibana.yml.

Also, send logs.

1. Elasticsearch logs.
2. Kibana logs.

Attaching the config details here. Can i send you the logs in a private message? they have some proprietary information.

1. SG Version - Elasticsearch 7.8.1 with Search Guard 7

2. Here are the config files.
   Kibana.yml
   server.host: “0.0.0.0”
   server.basePath: “/kdb”
   server.rewriteBasePath: true
   elasticsearch.hosts: [“https://es-node1:9200”, “https://es-node2:9200”, “https://es-node3:9200”]
   elasticsearch.username: “kibanaserver”
   elasticsearch.password: “kibanaserver”
   xpack.security.enabled: false
   elasticsearch.ssl.certificateAuthorities: “/usr/share/kibana/config/certs/root-ca.pem”
   searchguard.multitenancy.enabled: true
   elasticsearch.requestHeadersWhitelist: [“sgtenant”, “Authorization”]
   searchguard.multitenancy.tenants.preferred: [“Private”, “Global”]
   searchguard.auth.type: “jwt”
   searchguard.jwt.url_param: ‘jwttoken’
   searchguard.jwt.header: ‘Authorization’

sg_config.yml (just the used portions)
_sg_meta:
type: “config”
config_version: 2

sg_config:
dynamic:
do_not_fail_on_forbidden: true
kibana:
multitenancy_enabled: true
server_username: kibanaserver
index: ‘.kibana’
http:
anonymous_auth_enabled: false
xff:
enabled: false
internalProxies: ‘192.168.0.10|192.168.0.11’ # regex pattern
authc:
basic_internal_auth_domain:
description: “Authenticate via HTTP Basic against internal users database”
http_enabled: true
transport_enabled: true
order: 4
http_authenticator:
type: basic
challenge: true
authentication_backend:
type: intern
jwt_auth_domain:
description: “Authenticate via Json Web Token”
http_enabled: true
transport_enabled: true
order: 0
http_authenticator:
type: jwt
challenge: false
config:
signing_key: AAAAAAAAAAAAAAAAAAAAAAAAAAAA
jwt_header: “Authorization”
jwt_url_parameter: null
roles_key: “roles”
subject_key: “subject”
authentication_backend:
type: noop

Wanted to add one more detail here. My Original URL that i am trying to load looks something like this

https://HOST/kdb/s/SPACE/app/kibana?jwttoken=JWTTOKEN&sg_tenant=TENANT_NAME#/dashboard/DASHBOARD_ID?embed=true&_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:now-7d,to:
now))&_a=(description:‘’,filters:!(),fullScreenMode:!f,options:(hidePanelTitles:!f,useMargins:!t),query:(language:kuery,query:‘’),timeRestore:!f,title:UberDashboard,viewMode:view)

The First load always lands at space selector. an immediate reload (within 10-15 seconds) loads the dashboard

Hi @shaliniy,

I am able to reproduce this and will try to find the cause (and hopefully a solution).
I’ll keep you posted!

Thanks for reporting this!
Best Regards
Mike

Hi @shaliniy,

I forgot to answer here, sorry! We have a fix in place and it will be included in the next release.

Thanks again!
Best Regards
Mike

Thanks, Mike. Looking forward to it.
Should i close this topic?

Mike, Any idea when the next release with the fix will be out? Thanks!

@shaliniy it is already out. Pick the latest from the list Latest Releases | Security for Elasticsearch | Search Guard

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.