@@ -44,7 +44,7 @@ called `Callback URI`.
At the end of the registration process, the OP will assign a Client Identifier and a Client Secret for the RP ({stack}) to use.
Note these two values as they will be used in the {es} configuration.
-[[oidc-guide-authentication]]
+[[oidc-elasticsearch-authentication]]
=== Configure {es} for OpenID Connect authentication
The following is a summary of the configuration steps required in order to enable authentication
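Review bot: renaming the anchor from `oidc-guide-authentication` to `oidc-elasticsearch-authentication` breaks every `<<oidc-guide-authentication,...>>` cross-reference that is not updated in the same change, and any external link to the rendered `#oidc-guide-authentication` fragment. Grep the whole docs tree (including other books that link into this guide) for the old id before merging; if inbound links from outside the repo matter, consider keeping the old anchor alongside the new one.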
@@ -53,7 +53,7 @@ using OpenID Connect in {es}:
. <<oidc-enable-http,Enable SSL/TLS for HTTP>>
. <<oidc-enable-token,Enable the Token Service>>
. <<oidc-create-realm,Create one or more OpenID Connect realms>>
-. <<oidc-role-mapping,Configure role mappings>>
+. <<oidc-role-mappings,Configure role mappings>>
[[oidc-enable-http]]
==== Enable TLS for HTTP
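Review bot: the xref target change to `oidc-role-mappings` in the numbered step only holds if the anchor definition is renamed in the same commit (it is, further down in this patch) and if the three references visible in this file are the only ones; any other file that still cross-references `oidc-role-mapping` will produce a broken-link warning at build time. Suggest a repo-wide search for `oidc-role-mapping,` and `oidc-role-mapping>>` to confirm nothing else points at the old id.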
@@ -234,7 +234,7 @@ largely supported.
The goal of claims mapping is to configure {es} in such a way as to be able to map the values of
specified returned claims to one of the <<oidc-user-properties, user properties>> that are supported
by {es}. These user properties are then utilized to identify the user in the {kib} UI or the audit
-logs, and can also be used to create <<oidc-role-mapping, role mapping>> rules.
+logs, and can also be used to create <<oidc-role-mappings, role mapping>> rules.
The recommended steps for configuring OpenID Claims mapping are as follows:
@@ -298,7 +298,7 @@ NOTE: If the principal property fails to be mapped from a claim, the authenticat
groups:: _(Recommended)_
If you wish to use your OP's concept of groups or roles as the basis for a
user's {es} privileges, you should map them with this property.
- The `groups` are passed directly to your <<oidc-role-mapping, role mapping rules>>.
+ The `groups` are passed directly to your <<oidc-role-mappings, role mapping rules>>.
name:: _(Optional)_ The user's full name.
mail:: _(Optional)_ The user's email address.
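Review bot: the changed line keeps its leading space (` The \`groups\` are passed directly ...`); inside a labelled-list item this is harmless as a paragraph continuation, but since the line is being touched anyway, dropping the leading space would keep it consistent with the two lines above it in the same `groups::` entry.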
@@ -408,7 +408,7 @@ xpack.security.authc.realms.oidc.oidc1:
ssl.certificate_authorities: ["/oidc/company-ca.pem"]
-------------------------------------------------------------------------------------
-[[oidc-role-mapping]]
+[[oidc-role-mappings]]
=== Configuring role mappings
When a user authenticates using OpenID Connect, they are identified to the Elastic Stack,
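Review bot: this hunk is the anchor definition that the earlier `oidc-role-mappings` xref edits depend on, so the change set is internally consistent; however, like the other renames it drops the old `oidc-role-mapping` id with no alias, so published deep links to `#oidc-role-mapping` stop resolving. If that is acceptable, the commit message should list the changed anchor ids so other books that link into this section can update their references in step.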
@@ -505,7 +505,7 @@ that pertain to the authentication event, rather than the user themselves.
This behaviour can be disabled by adding `populate_user_metadata: false` as
a setting in the oidc realm.
-[[oidc-kibana]]
+[[oidc-configure-kibana]]
=== Configuring {kib}
OpenID Connect authentication in {kib} requires a small number of additional settings
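Review bot: the new ids follow two different naming patterns within one patch: `oidc-configure-kibana` (verb first) here versus `oidc-elasticsearch-authentication` (product first) in the first hunk, although both sections are "Configure ..." headings. Picking one scheme for both, for example `oidc-configure-elasticsearch` to match this hunk, would make the anchors predictable for anyone linking into the guide; the same inbound-link caveat as for the other renamed anchors applies to `oidc-kibana`.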