Searchguard Proxy Authentication Create User when it does not exist?

Hey guys,

I’ve set up proxy authentication towards kibana and elastic using searchguard now and it works when I pass x-proxy-user in the header when the user exists in Kibana. And I was wondering: Is there any way to check if the user from x-proxy-user header exists in kibana and if not create it with the rights based on some other parameters passed in the header?


…if the user from x-proxy-user header exists…

No. The x-proxy-user is mandatory.

This sounds like a hole in security. Because anybody who looked at the code and saw those “other parameters” can create a user.

What do you want to achieve? Give a concrete use case.

My use case is:

I have set up a reverse proxy (apache) which is talking to an SSO application (keycloak). Once you are authenticated towards keycloak your user will be redirected in the header to kibana. It works. But the user must of course exist in kibana first.

My idea was: if it is possible to grant the user access to kibana even though he did not exist in kibana before. So I thought because the SSO application “told” that this user exists and his groups are known (and maybe some other parameters) I could create the user with the respective roles in kibana based on his parameters in keycloak (or based on his active directory groups) and grant him access without doing this manually.

You can map Keycloak users to Search Guard roles
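
A sketch of what that mapping can look like with the Search Guard proxy authenticator, added here as an illustration and not taken from any poster's configuration: the proxy forwards the user's groups in a second header, Search Guard treats them as backend roles, and a roles mapping grants access, so no per-user account has to be created. The `x-proxy-roles` header name, the proxy address, the group names and the `sg_kibana_user` role are assumptions, and older Search Guard releases spell the mapping key `backendroles`.

```yaml
# --- sg_config.yml (constructed example) ---
searchguard:
  dynamic:
    http:
      xff:
        enabled: true
        # Only requests arriving from this address are trusted to carry
        # the proxy headers. Assumed address of the Apache reverse proxy.
        internalProxies: '10\.0\.0\.5'
        remoteIpHeader: 'x-forwarded-for'
    authc:
      proxy_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: proxy
          challenge: false
          config:
            # Header from the thread: carries the authenticated user name.
            user_header: 'x-proxy-user'
            # Assumed header name: comma-separated groups from Keycloak,
            # which Search Guard uses as the user's backend roles.
            roles_header: 'x-proxy-roles'
        authentication_backend:
          # No internal user lookup: the proxy has already authenticated.
          type: noop

---
# --- sg_roles_mapping.yml (constructed example) ---
# Any user whose forwarded groups include one of these values gets the
# Search Guard role, whether or not the user was ever seen before.
sg_kibana_user:
  backend_roles:
    - 'kibana-users'      # assumed Keycloak / Active Directory group
    - 'analytics-team'    # assumed Keycloak / Active Directory group
```

The concern raised earlier in the thread is addressed by `internalProxies` together with the reverse proxy removing any client-supplied `x-proxy-user` and `x-proxy-roles` headers before setting its own. Elasticsearch and Kibana should not be reachable except through that proxy.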