Search Guard SSO

On Monday, July 31, 2017 at 3:06:43 PM UTC+2, MT wrote:

Hi,

Question on SSO

https://github.com/floragunncom/search-guard-docs/blob/master/proxy_auth.md

Can Search Guard redirect to an SSO proxy if the verified user and roles are not set in the header?
Or does it always assume the request came through the SSO proxy first?

On Monday, 31 July 2017 14:09:57 UTC+1, Jochen Kressin wrote:

At the moment we assume that the requests come through the SSO proxy, yes. If no proxy credentials are found in the header, proxy authentication fails and we continue with the next configured authenticator (if any). That’s because you can actually chain multiple authenticators, so you can have proxy authentication, and if no credentials are found, you could fall back to HTTP Basic Authentication for example.

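The authenticator chain described in the reply above, written out as an sg_config.yml fragment. This is an added example for this thread, not configuration from the Search Guard docs or from either poster; it follows the layout of the proxy_auth.md page linked in the question as I understand it. The proxy address 10.0.0.5, the header names and the domain names are assumptions for the example.

```yaml
# Added example (not from the thread): a Search Guard authenticator chain.
# Proxy auth is tried first (order 0). If the headers are absent it does not
# challenge, so the request falls through to HTTP Basic against the internal
# user database (order 1). Proxy address and header names are assumptions.
searchguard:
  dynamic:
    http:
      anonymous_auth_enabled: false
      xff:
        enabled: true
        # Regex of addresses allowed to act as an authenticating proxy.
        # Proxy headers are only honoured for requests whose remote address
        # matches. Leaving this open (e.g. '.*') means anyone who can reach
        # the Elasticsearch port directly can pick their own identity by
        # setting x-proxy-user, so restrict it to the SSO proxy itself.
        internalProxies: '10\.0\.0\.5'
        remoteIpHeader: 'x-forwarded-for'
        proxiesHeader: 'x-forwarded-by'
        trustedProxies: '.*'
    authc:
      proxy_auth_domain:
        enabled: true
        order: 0
        http_authenticator:
          type: proxy
          # challenge: false -> missing headers do not produce a 401 here;
          # the chain continues with the next authenticator instead.
          challenge: false
          config:
            user_header: "x-proxy-user"
            roles_header: "x-proxy-roles"
        authentication_backend:
          type: noop
      basic_internal_auth_domain:
        enabled: true
        order: 1
        http_authenticator:
          type: basic
          # challenge: true -> last in the chain, so a request with no usable
          # credentials gets a 401 with a WWW-Authenticate header.
          challenge: true
        authentication_backend:
          type: intern
```

After loading the configuration, the check worth doing is to send a request with x-proxy-user set from a host that is not the proxy: it must be treated as unauthenticated (and fall through to Basic auth), not as the named user. If it is accepted, internalProxies is too permissive or the SSO proxy is not the only path to the cluster.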

Ok, thanks. So, without the fallback to HTTP Basic Auth, does the below approach make sense?

If NginX (https://nginx.org/en/docs/http/ngx_http_auth_request_module.html) handles the SSO and sets the user and role in the header, what happens if the user and role set in the header are not authorized to access Kibana based on the SG internal database settings?

Will the SG Kibana plugin return an HTTP error to NginX so I can redirect to an error page?

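The NginX side of the setup described in the follow-up, as an added example that is not part of the thread and not from the Search Guard or NginX projects. It assumes an SSO verifier at http://sso/verify that answers 2xx for a valid session and 401 otherwise, and that it returns the identity in X-Auth-User and X-Auth-Roles response headers (both hypothetical). It also assumes the component behind NginX (Kibana with the SG plugin, or Elasticsearch directly) is configured to accept x-proxy-user and x-proxy-roles from this proxy's address.

```nginx
# Added example (not from the thread): NginX does SSO via auth_request and
# passes the verified identity to Search Guard's proxy authenticator.
# Hostnames, ports, the /verify endpoint and the X-Auth-* headers returned by
# the SSO verifier are assumptions for this example.
upstream kibana { server 127.0.0.1:5601; }
upstream sso    { server 127.0.0.1:8080; }

server {
    listen 443 ssl;
    server_name kibana.example.internal;
    ssl_certificate     /etc/nginx/tls/kibana.crt;
    ssl_certificate_key /etc/nginx/tls/kibana.key;

    # Subrequest to the SSO verifier: 2xx = authenticated, 401/403 = not.
    location = /sso-verify {
        internal;
        proxy_pass http://sso/verify;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    location / {
        auth_request /sso-verify;
        # Copy the verifier's response headers into variables.
        auth_request_set $sso_user  $upstream_http_x_auth_user;
        auth_request_set $sso_roles $upstream_http_x_auth_roles;

        # Always overwrite the proxy-auth headers from NginX's own variables.
        # proxy_set_header replaces any client-supplied x-proxy-user, and an
        # empty value drops the header entirely, so a client cannot inject an
        # identity of its own through this proxy.
        proxy_set_header x-proxy-user  $sso_user;
        proxy_set_header x-proxy-roles $sso_roles;
        proxy_set_header Host $host;

        # No valid SSO session (auth_request answered 401): go to SSO login.
        error_page 401 = @sso_login;

        # If the upstream rejects the identity with a 403, show a local error
        # page instead of the raw upstream response.
        proxy_intercept_errors on;
        error_page 403 /forbidden.html;

        proxy_pass http://kibana;
    }

    location @sso_login {
        return 302 https://sso.example.internal/login?next=$scheme://$host$request_uri;
    }

    location = /forbidden.html {
        root /var/www/errors;
    }
}
```

Two points to check before relying on this: the upstream must reach Search Guard only through this NginX (otherwise the header overwrite protects nothing), and the error_page 403 branch only fires if the upstream actually answers with a 403 for a user who is authenticated but not authorized, which is what the follow-up question is asking and which the thread does not confirm.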