Search Guard SSO

MT1 · July 31, 2017, 1:06pm

Hi,

Question on SSO

https://github.com/floragunncom/search-guard-docs/blob/master/proxy_auth.md

Can Search Guard redirect to an SSO proxy if the verified user and roles are not set in the header?
Or does it always assume the request came thru the SSO proxy first?

jkressin · July 31, 2017, 1:09pm

At the moment we assume that the requests come through the SSO proxy, yes. If no proxy credentials are found in the header, proxy authentication fails and we continue with the next configured authenticator (if any). That’s because you can actually chain multiple authenticators, so you can have proxy authentication, and if no credentials are found, you could fall back to HTTP Basic Authentication for example.

···

On Monday, July 31, 2017 at 3:06:43 PM UTC+2, MT wrote:

Hi,

Question on SSO

https://github.com/floragunncom/search-guard-docs/blob/master/proxy_auth.md

Can Search Guard redirect to an SSO proxy if the verified user and roles are not set in the header?
Or does it always assume the request came thru the SSO proxy first?

MT1 · August 1, 2017, 11:31am

Ok thanks. So, without the fall back to HTTP Basic Auth. Does the below approach make sense:

If NginX (https://nginx.org/en/docs/http/ngx_http_auth_request_module.html) handles the SSO and sets the user and role in the header.

What happens if the user and role set in the header is not authorized to access Kibana based on SG internal database settings.

Will SG Kibana pluign return a HTTP error to NginX so I can redirect to an error page.

···

On Monday, 31 July 2017 14:09:57 UTC+1, Jochen Kressin wrote:

At the moment we assume that the requests come through the SSO proxy, yes. If no proxy credentials are found in the header, proxy authentication fails and we continue with the next configured authenticator (if any). That’s because you can actually chain multiple authenticators, so you can have proxy authentication, and if no credentials are found, you could fall back to HTTP Basic Authentication for example.

On Monday, July 31, 2017 at 3:06:43 PM UTC+2, MT wrote:

Hi,

Question on SSO

https://github.com/floragunncom/search-guard-docs/blob/master/proxy_auth.md

Can Search Guard redirect to an SSO proxy if the verified user and roles are not set in the header?
Or does it always assume the request came thru the SSO proxy first?

Topic		Replies	Views
Configure searchguard to work with SSO Search Guard	1	511	August 22, 2017
Problems using HTTP-header/Proxy based authentication Search Guard	3	824	May 3, 2018
Problems with proxy users/roles Search Guard	29	2024	February 6, 2018
[Proxy Authentication] Issue in getting headers from SSO Session results in Kibana not loading correctly (bootstrap.js unauthorized error) Search Guard	8	742	February 11, 2021
Searchguard Proxy Authentication Create User when it does not exist? Search Guard	4	514	July 15, 2020

Search Guard SSO

Related Topics