Security settings in Kibana

You do not need to configure any additional settings to use the security features in Kibana. They are enabled by default.

General security settings

xpack.security.enabled

By default, Kibana automatically detects whether to enable the security features based on the license and whether Elasticsearch security features are enabled.

Do not set this to false; it disables the login form, user and role management screens, and authorization using Kibana privileges. To disable security features entirely, see Elasticsearch security settings.

xpack.security.audit.enabled

Set to true to enable audit logging for security events. By default, it is set to false. For more details see Audit Logging.

Authentication security settings

You configure the authentication settings in the xpack.security.authc.providers namespace. For more information, refer to Authentication.

xpack.security.authc.providers

Specifies the types of authentication providers.

For example:

xpack.security.authc.providers: [saml, basic, oidc]

SAML authentication provider settings

xpack.security.authc.providers.saml.<provider-name>.realm

When specified in xpack.security.authc.providers, the SAML realm in Elasticsearch that the saml provider should use.

xpack.security.authc.saml.maxRedirectURLSize

Specifies the maximum size of the URL that Kibana is allowed to store during the SAML handshake.

OpenID Connect authentication provider settings

xpack.security.authc.providers.oidc.<provider-name>.realm

When specified in xpack.security.authc.providers, the OpenID Connect realm in Elasticsearch that the oidc provider should use.

User interface security settings

You can configure the following settings in the kibana.yml file.

xpack.security.cookieName

Sets the name of the cookie used for the session. The default value is "sid".

xpack.security.encryptionKey

An arbitrary string of 32 characters or more that is used to encrypt credentials in a cookie. It is crucial that this key is not exposed to users of Kibana. By default, a value is automatically generated in memory. If you use that default behavior, all sessions are invalidated when Kibana restarts. In addition, high-availability deployments of Kibana will behave unexpectedly if this setting isn’t the same for all instances of Kibana.

xpack.security.secureCookies

Sets the secure flag of the session cookie. The default value is false. It is automatically set to true if server.ssl.enabled is set to true. Set this to true if SSL is configured outside of Kibana (for example, you are routing requests through a load balancer or proxy).

xpack.security.sessionTimeout

Sets the session duration. By default, sessions stay active until the browser is closed. When this is set to an explicit idle timeout, closing the browser still requires the user to log back in to Kibana.
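The following script is an added example, not part of the Kibana documentation or Kibana's own code. It reads the flat dotted-key lines of a kibana.yml and flags the weak configurations this page warns about across both the authentication provider settings (a saml or oidc provider listed without its realm) and the user interface settings (a short or missing xpack.security.encryptionKey, secureCookies left false when TLS is terminated outside Kibana, no sessionTimeout, audit logging off, xpack.security.enabled set to false). The two embedded kibana.yml snippets are constructed samples with placeholder values; the parser is a hypothetical helper that handles only scalars and inline [a, b] lists, which is enough for these keys.

```python
"""Checker for the Kibana security settings discussed on this page.

Hypothetical helper (not Kibana's own code): parses the flat ``key: value``
lines of a kibana.yml and reports the weak settings the page warns about.
"""
import re

# Constructed sample: a kibana.yml that sets several of the settings this
# page warns about. All values are placeholders, not a real deployment.
WEAK_KIBANA_YML = """\
server.ssl.enabled: false
xpack.security.enabled: false
xpack.security.audit.enabled: false
xpack.security.authc.providers: [saml, basic, oidc]
xpack.security.authc.providers.saml.saml1.realm: saml1
xpack.security.cookieName: sid
xpack.security.encryptionKey: "tooshort"
xpack.security.secureCookies: false
"""

# Constructed sample: the same deployment with the settings the page recommends.
# TLS is terminated at a proxy in front of Kibana, so secureCookies must be set
# explicitly. The sessionTimeout value is a placeholder; check the unit for
# your Kibana version.
HARDENED_KIBANA_YML = """\
server.ssl.enabled: false   # TLS terminated at a reverse proxy
xpack.security.audit.enabled: true
xpack.security.authc.providers: [saml, basic]
xpack.security.authc.providers.saml.saml1.realm: saml1
xpack.security.encryptionKey: "PLACEHOLDER_32_PLUS_CHARACTER_ENCRYPTION_KEY_VALUE"
xpack.security.secureCookies: true
xpack.security.sessionTimeout: 3600000
"""


def parse_kibana_yml(text):
    """Parse the flat dotted-key subset of kibana.yml into a dict.

    Handles ``key: scalar`` and ``key: [a, b, c]``, strips quotes and trailing
    comments. Nested YAML mappings are out of scope for this helper.
    """
    settings = {}
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith("[") and value.endswith("]"):
            items = [v.strip().strip("'\"") for v in value[1:-1].split(",")]
            settings[key.strip()] = [v for v in items if v]
        else:
            settings[key.strip()] = value.strip("'\"")
    return settings


def check_security_settings(settings):
    """Return a list of findings for the weak settings this page warns about."""
    findings = []
    if settings.get("xpack.security.enabled") == "false":
        findings.append("xpack.security.enabled is false: login form, user/role "
                        "management and Kibana privileges are disabled")
    if settings.get("xpack.security.audit.enabled", "false") != "true":
        findings.append("xpack.security.audit.enabled is not true: security "
                        "events are not audit-logged")
    key = settings.get("xpack.security.encryptionKey")
    if key is None:
        findings.append("xpack.security.encryptionKey is unset: sessions are "
                        "invalidated on restart and HA instances will disagree")
    elif len(key) < 32:
        findings.append(f"xpack.security.encryptionKey is {len(key)} characters; "
                        "32 or more are required")
    # secureCookies is only set automatically when Kibana itself serves TLS.
    tls_in_kibana = settings.get("server.ssl.enabled") == "true"
    if not tls_in_kibana and settings.get("xpack.security.secureCookies") != "true":
        findings.append("xpack.security.secureCookies is false with TLS outside "
                        "Kibana: the session cookie may be sent over plain HTTP")
    if "xpack.security.sessionTimeout" not in settings:
        findings.append("xpack.security.sessionTimeout is unset: sessions stay "
                        "active until the browser is closed")
    # Each saml/oidc provider listed must name the Elasticsearch realm it uses.
    providers = settings.get("xpack.security.authc.providers", [])
    if not isinstance(providers, list):
        providers = [providers]
    for provider_type in ("saml", "oidc"):
        if provider_type in providers:
            prefix = f"xpack.security.authc.providers.{provider_type}."
            if not any(k.startswith(prefix) and k.endswith(".realm") for k in settings):
                findings.append(f"{provider_type} is listed in providers but no "
                                f"{prefix}<provider-name>.realm is configured")
    return findings


if __name__ == "__main__":
    for label, yml in (("weak", WEAK_KIBANA_YML), ("hardened", HARDENED_KIBANA_YML)):
        findings = check_security_settings(parse_kibana_yml(yml))
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run it against your own kibana.yml by replacing the constructed strings with the file contents; every instance behind a load balancer should produce the same xpack.security.encryptionKey finding (none) and the same provider list, since the page notes that differing keys across instances break sessions.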