Security settings in Kibana
You do not need to configure any additional settings to use the security features in Kibana. They are enabled by default.
General security settings
| By default, Kibana automatically detects whether to enable the security features based on the license and whether Elasticsearch security features are enabled. |
| Set to |
Authentication security settings
You configure authentication settings in the xpack.security.authc
namespace in kibana.yml
.
For example:
xpack.security.authc:
providers:
basic.basic1:
order: 0
...
saml.saml1:
order: 1
...
saml.saml2:
order: 2
...
pki.realm3:
order: 3
...
...
Specifies the type of authentication provider (for example, | |
Specifies the order of the provider in the authentication chain and on the Login Selector UI. This setting is mandatory. | |
Specifies the settings for the SAML authentication provider with a | |
Specifies the settings for the SAML authentication provider with a |
The valid settings in the xpack.security.authc.providers
namespace vary depending on the authentication provider type. For more information, refer to Authentication.
Valid settings for all authentication providersedit
You are unable to set this setting to false
for basic
and token
authentication providers.
| Access agreement text in Markdown format. For more information, refer to Access agreement. |
SAML authentication provider settingsedit
In addition to the settings that are valid for all providers, you can specify the following settings:
SAML realm in Elasticsearch that provider should use. | |
| The maximum size of the URL that Kibana is allowed to store during the authentication SAML handshake. For more information, refer to SAML and long URLs. |
OpenID Connect authentication provider settingsedit
In addition to the settings that are valid for all providers, you can specify the following settings:
OpenID Connect realm in Elasticsearch that the provider should use. |
HTTP authentication settingsedit
There is a very limited set of cases when you’d want to change these settings. For more information, refer to HTTP authentication.
| Determines if HTTP authentication should be enabled. By default, this setting is set to |
| Determines if HTTP authentication schemes used by the enabled authentication providers should be automatically supported during HTTP authentication. By default, this setting is set to |
| List of HTTP authentication schemes that Kibana HTTP authentication should support. By default, this setting is set to |
Login Selector UI settingsedit
Adds a message to the login UI. Useful for displaying information about maintenance windows, links to corporate sign up pages, and so on. | |
Adds a message accessible at the login UI with additional help information for the login process. | |
Determines if the login selector UI should be enabled. By default, this setting is set to |
User interface security settings
You can configure the following settings in the kibana.yml
file.
| Sets the name of the cookie used for the session. The default value is |
An arbitrary string of 32 characters or more that is used to encrypt credentials in a cookie. It is crucial that this key is not exposed to users of Kibana. By default, a value is automatically generated in memory. If you use that default behavior, all sessions are invalidated when Kibana restarts. In addition, high-availability deployments of Kibana will behave unexpectedly if this setting isn’t the same for all instances of Kibana. | |
Sets the | |
Sets the | |
Sets the session duration. By default, sessions stay active until the browser is closed. When this is set to an explicit idle timeout, closing the browser still requires the user to log back in to Kibana. |
The format is a string of <count>[ms|s|m|h|d|w|M|Y]
(e.g. 70ms, 5s, 3d, 1Y).
Sets the maximum duration, also known as “absolute timeout”. By default, a session can be renewed indefinitely. When this value is set, a session will end once its lifespan is exceeded, even if the user is not idle. NOTE: if |
The format is a string of <count>[ms|s|m|h|d|w|M|Y]
(e.g. 70ms, 5s, 3d, 1Y).
| Adds a message to the login screen. Useful for displaying information about maintenance windows, links to corporate sign up pages etc. |
| Adds a message accessible at the Login Selector UI with additional help information for the login process. |