Increase Kibana Timeout does not work

I wanted to increase the Timeout on Kibana from 1 hr to 1 day. I added in the following settings to kibana.yml:

kibana.yml:
searchguard.cookie.ttl: 86400000
searchguard.session.ttl: 86400000

However, I still get logged out after 1 hr.

Versions:

  • Elasticsearch: 7.1.1
  • Searchguard: 7.1.1-35.1.0
  • Kibana: 7.1.1

Hi there,

a couple of questions:

  1. What auth type are you using? If you have a JWT with an expiration (“exp”) value set, that trumps the other settings.
  2. Could you please check if searchguard.session.keepalive is enabled? It should be true by default though.

Best Regards
Mike

Thanks for the response.

  1. I have SAML auth set up with Okta, but do not have a specific value set for JWT expiration.
  2. Yes, the default is true. I also tried adding that explicitly; it did not change anything.

I understand there might be some setting on Okta side to increase the expiration on the token.
Is there any setting on SG which refreshes/updates the token after every hour?

The only thing I can think of is that Okta sets the “exp” in the payload.
When authenticating, the plugin checks for that property and disables the session keepAlive:
https://github.com/floragunncom/search-guard-kibana-plugin/blob/master/lib/auth/types/saml/Saml.js#L55-L61

If the session expires, you should be redirected to Okta to log in again. If you do have a valid session on the Okta side of things, this should happen more or less transparently - meaning you should be redirected back to Kibana with a valid token.

Other than that there’s no other setting I can think of.

I will try to test this and get back to you.

Hey Mike, did you get a chance to test your theory out?

Sorry for the late reply, I got caught up by the Kibana 7.2 release.

But yes, I did test it with SAML and in my test the plugin behaved as expected.
Meaning - if there is an expiration set in the response from the Identity Provider (Okta in your case), this value is respected and after the expiration, the plugin logs you out and redirects back to the Identity Provider.

If there is no expiration set, the values in kibana.yml are used.

So unfortunately at the moment there is no way to override the expiration from the Identity Provider.

I don’t really know Okta in detail, but hopefully they’ll let you edit the expiration settings?
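
The precedence described in the reply above, as an added example that is not part of the thread and not the Search Guard plugin's code. The function names, the fixed clock and the sample tokens are assumptions constructed for illustration; it shows how to check whether a token's "exp" or the kibana.yml TTL ends up governing the session.

```javascript
// Added example: helper names are hypothetical, tokens are constructed.
// Decodes a token payload WITHOUT verifying the signature: for diagnosis only,
// never for an authentication decision.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected a 3-segment compact JWT');
  // Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[1], 'base64').toString('utf8'));
}

// Precedence as described in the thread: an "exp" in the token wins over
// kibana.yml and keepalive is disabled; without "exp" the kibana.yml values apply.
function effectiveSession(token, cfg, nowMs) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp === 'number' && Number.isFinite(exp)) {
    return {
      source: 'token exp',
      keepalive: false,
      remainingMs: Math.max(0, exp * 1000 - nowMs), // exp is in seconds
    };
  }
  return { source: 'kibana.yml', keepalive: cfg.keepalive, remainingMs: cfg.sessionTtlMs };
}

// Build a constructed sample token with a placeholder signature.
function makeToken(payload) {
  const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(payload)}.sig-placeholder`;
}

const NOW = Date.UTC(2019, 6, 1, 12, 0, 0);             // fixed clock for the example
const cfg = { sessionTtlMs: 86400000, keepalive: true }; // values from the question
const withExp = makeToken({ sub: 'user', exp: NOW / 1000 + 3600 }); // 1 h lifetime
const withoutExp = makeToken({ sub: 'user' });

console.log(effectiveSession(withExp, cfg, NOW));    // governed by the token
console.log(effectiveSession(withoutExp, cfg, NOW)); // governed by kibana.yml
```
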

Actually I was able to fix that.
I did not have the JWT token expiry set on sg_config.yml
Adding that fixed it.

Thank you for your help.

Ahh that explains it. Glad it worked out for you, and thanks for posting your solution!
