Security settings in Kibana
editSecurity settings in Kibana
editYou do not need to configure any additional settings to use the security features in Kibana. They are enabled by default.
General security settings
edit
|
By default, Kibana automatically detects whether to enable the
security features based on the license and whether Elasticsearch security features
are enabled. |
|
Set to |
Authentication security settings
editYou configure authentication settings in the xpack.security.authc
namespace in kibana.yml
.
For example:
xpack.security.authc: providers: basic.basic1: order: 0 ... saml.saml1: order: 1 ... saml.saml2: order: 2 ... pki.realm3: order: 3 ... ...
Specifies the type of authentication provider (for example, |
|
Specifies the order of the provider in the authentication chain and on the Login Selector UI. This setting is mandatory. |
|
Specifies the settings for the SAML authentication provider with a |
|
Specifies the settings for the SAML authentication provider with a |
The valid settings in the xpack.security.authc.providers
namespace vary depending on the authentication provider type. For more information, refer to Authentication.
Valid settings for all authentication providers
edit
|
Determines if the authentication provider should be enabled. By default, Kibana enables the provider as soon as you configure any of its properties. |
|
Order of the provider in the authentication chain and on the Login Selector UI. |
|
Custom description of the provider entry displayed on the Login Selector UI. |
|
Custom hint for the provider entry displayed on the Login Selector UI. |
|
Custom icon for the provider entry displayed on the Login Selector UI. |
|
Flag that indicates if the provider should have an entry on the Login Selector UI. Setting this to |
You are unable to set this setting to false
for basic
and token
authentication providers.
|
Access agreement text in Markdown format. For more information, refer to Access agreement. |
SAML authentication provider settings
editIn addition to the settings that are valid for all providers, you can specify the following settings:
|
SAML realm in Elasticsearch that provider should use. |
|
The maximum size of the URL that Kibana is allowed to store during the authentication SAML handshake. For more information, refer to SAML and long URLs. |
OpenID Connect authentication provider settings
editIn addition to the settings that are valid for all providers, you can specify the following settings:
|
OpenID Connect realm in Elasticsearch that the provider should use. |
HTTP authentication settings
editThere is a very limited set of cases when you’d want to change these settings. For more information, refer to HTTP authentication.
|
Determines if HTTP authentication should be enabled. By default, this setting is set to |
|
Determines if HTTP authentication schemes used by the enabled authentication providers should be automatically supported during HTTP authentication. By default, this setting is set to |
|
List of HTTP authentication schemes that Kibana HTTP authentication should support. By default, this setting is set to |
Login Selector UI settings
edit
|
Determines if the Login Selector UI should be enabled. By default, this setting is set to |
User interface security settings
editYou can configure the following settings in the kibana.yml
file.
|
Sets the name of the cookie used for the session. The default value is |
|
An arbitrary string of 32 characters or more that is used to encrypt credentials in a cookie. It is crucial that this key is not exposed to users of Kibana. By default, a value is automatically generated in memory. If you use that default behavior, all sessions are invalidated when Kibana restarts. In addition, high-availability deployments of Kibana will behave unexpectedly if this setting isn’t the same for all instances of Kibana. |
|
Sets the |
|
Sets the |
|
Sets the session duration. By default, sessions stay active until the browser is closed. When this is set to an explicit idle timeout, closing the browser still requires the user to log back in to Kibana. |
The format is a string of <count>[ms|s|m|h|d|w|M|Y]
(e.g. 70ms, 5s, 3d, 1Y).
|
Sets the maximum duration, also known as "absolute timeout". By default,
a session can be renewed indefinitely. When this value is set, a session will end
once its lifespan is exceeded, even if the user is not idle. NOTE: if |
The format is a
string of <count>[ms|s|m|h|d|w|M|Y]
(e.g. 70ms, 5s, 3d, 1Y).
|
Adds a message to the login screen. Useful for displaying information about maintenance windows, links to corporate sign up pages etc. |
|
Adds a message accessible at the Login Selector UI with additional help information for the login process. |