Improve Login Selector UX

[azasypkin]

Summary

In this PR we're going to cover Login Selector UX improvements that have been proposed in #61144 and https://www.figma.com/proto/1yRyEEPb8NMcPOj2cbybQB/Kibana-SSO-login?node-id=1%3A126&scaling=min-zoom

UI/UX

Config

xpack.security.loginAssistanceMessage: "By logging in to this application you accept:\n
         * [The Corporate Terms of Use](https://google.com)\n* [Privacy Terms](...)"
xpack.security.loginHelp: "**You are accessing a system with U.S. 
         government information**"

xpack.security.authc.providers:
  basic.basic1:
    order: 0
    description: "Log in using Elasticsearch"
    hint: "Typical for most users"
    icon: "logoElastic"

  saml.saml1:
    order: 1
    realm: cloud-saml
    description: "Log in using Elastic Cloud"
    hint: "Typical for administrators"
    icon: logoCloud

  pki.pki1:
    order: 2
    description: "Log in with SSO. No icon or hint"

  oidc.oidc1:
    order: 3
    realm: google-oidc
    description: "Log in with Google"
    hint: "I have a logo and hint!"
    icon: https://upload.wikimedia.org/wikipedia/commons/5/53/Google_%22G%22_Logo.svg

Blocked: by Design Team feedback ✔️
Fixes: #61144

---

"Release Note: Login Selector UI was refined and can now offer much more customization options."

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[azasypkin]

Hey @snide!

Would you mind clarifying few more things regarding Login Selector improvements discussed in #61144 for me?

Let me try to describe the possible states and questions I have. It's a very rough draft, I only use standard EUI components without any additional styling yet, just to have something to reason about.

• GIF with the general flows to see this in action:

• Questions for screen#1:

  • Buttons have multiple possible states and this is how they look like using standard EuiCard.
    Can you please help us to figure out how all these states should look like in new design?:

    • with icon and description (Log in with Cloud)
    • with icon, but without description (Log in with Smart Card (PKI))
    • with description, but without icon (Log in with Corp SSO)
    • without both icon and description (Login with basic/basic1)

  • Since we display a button for a basic login form now, we need to come up with a default title (and maybe description), by default we'll display Log in with basic/basic1 which is suboptimal. As I mentioned previously this login form can be used for native ES login as well as for customers AD/LDAP that means that from technical standpoint it's more like vague Log in with Kibana login form, but that's probably will be confusing for our users... Do you have any ideas for the default title/description (Cloud can reconfigure that and tailor for the Cloud specific use case if they wish)?

  • Previously we used normal buttons in the login selector and leveraged their default isLoading state so that when you had a slow network connection we were displaying the loading spinner within this button before user redirected to IdP portal. With the new design I just disable these buttons (as seen in GIF). How would you suggest to handle that state in the new design?

  • Does EUI have any mixins/components to "animate" transition between Selector/Form/LoginHelp?

• Questions for screen#2:
  • ????? near the link back to selector - do you have any suggestions what we should write here? I know you have Logging in with a Kibana account in your mock ups, but I'm not sure if it works for all scenarios. Presumably it's not configurable and should work for both Cloud and non-Cloud setups (unless we use the same text we use for the button title at the Login Selector screen)

• Questions for screen#3:
  • And as we discussed previously, here we can render just one configurable markdown message. By default we can hide Need help? link if help text/markdown isn't specified and let Cloud figure that out for their use case or we can also provide a default text/markdown so that all Elastic Stack users can benefit from it with ability to change it. Whatever you feel is better.

Thanks!

[snide]

hey @azasypkin

Rather than do a back and forth on the individual screens, it might be easier to do a small writeup on how I can get my dev setup to show the options as shown. I don't mind jumping in the code (or having one of our other coding designers jump in) to help out and clean up the interactions. If that's too hard, possibly we can just fake some states in the draft PR so we can fill in the bits. I'll take a scan at what's in here now and see what I can manage.

[azasypkin]

hey @azasypkin
Rather than do a back and forth on the individual screens, it might be easier

Yep, makes sense to me. I've updated issue description with the Kibana config that one can use with this PR. Technically you don't need need to perform actual SSO login to test the flows so there is no need to re-configure ES for that, but if you'd like to be able to log in and use Kibana with SAML I can share required configuration over slack (there is some sensitive IdP info we can't share here).

I'm happy to Zoom/Slack to help with the setup or answer any questions if needed.

Thanks!

[snide]

Excellent. I've give it a shot, and if I can't figure it out today. I'll set something up tomorrow early my time and we can pair.

[snide]

@azasypkin Hope its ok. I pushed directly to your PR. I made the following changes:

• I cleaned up the styling of the selector
• The selector now has better disabled and loading states
• I cleaned up the messaging area to be a little more svelte
• I cleaned up the user/pass login with more generic language and changed the placement

For wording of the "Kibana" login, I'm gonna check with some others tomorrow and update. The best I could come up with was being very on the nose about it being "Elasticsearch".

In any case. I probably need another commit in here to clean things up some more. If you give me a way to render the "get help" stuff I can work on that part as well.

[azasypkin]

@azasypkin Hope its ok. I pushed directly to your PR. I made the following changes:

Looks awesome, thanks!

The best I could come up with was being very on the nose about it being "Elasticsearch".

Yeah, it's much closer to the truth than Kibana account at least.

If you give me a way to render the "get help" stuff I can work on that part as well.

Sure, for now it's xpack.security.loginHelp:

xpack.security.loginHelp: "**You are accessing a system with U.S. government information**"

[snide]

OK @azasypkin I'm done with the design work. I'll assume you're good to go, but feel to ping me on review when you finish up.

[azasypkin]

OK @azasypkin I'm done with the design work. I'll assume you're good to go, but feel to ping me on review when you finish up.

Yeah, I can go ahead and prepare this PR for review. Thanks a lot for the help, @snide!

For wording of the "Kibana" login, I'm gonna check with some others tomorrow and update. The best I could come up with was being very on the nose about it being "Elasticsearch".

Did you have a chance to check this? Or we're moving forward with Log in with Elasticsearch and logoElastic icon? I believe we need some defaults here, otherwise when Kibana is configured to work with multiple realms, the button for the login form will have Log in with basic/basic1-like description without icon until admins change these.

Also Need help? link won't be visible by default since we don't provide any default text right now, not sure if it matters since we didn't provide it previously either.

[snide]

@azasypkin and I chatted over Slack. Setting "Log in with Elasticsearch" as the default. Need help will be empty by default (so not used). Cloud is strongly recommended to use it for guidance and a way to link to support directly.

[legrego]

ACK: will review on Monday

[snide]

LGTM on the design side.

[legrego]

This is working great! Just a couple nits/questions.

• Let's also make sure to update kibana-docker to include the new settings

[legrego]

nit: Other classes within the security plugin start with sec. We should probably maintain this "namespace"

[azasypkin]

Yeah, I'll switch to sec or secLogin (will see) 👍

[snide]

That's fine to change. @azasypkin I'll leave these to you

[legrego]

nit class name should start with sec

[legrego]

nit class name should start with sec

[legrego]

nit class name should start with sec

[legrego]

@snide this link to return back to the login flow is bold, but the link to get to this screen is not bolded. Is that intentional?

[azasypkin]

I though it was intentional, but thanks for double checking 🙂

[snide]

The font-weight style tag should be removed.

[legrego]

We need a new pattern for this across the security screens...we abuse state in other components to achieve this, but your change to use forceUpdate is at least more explicit. You can ignore this comment, I'm just thinking out loud for the future

[azasypkin]

Yeah, totally agree.

[spalger]

Operations: Docker config change LGTM

[azasypkin]

@legrego it's ready for another pass, thanks!

[legrego]

LGTM! If we don't already have one, let's open an issue so that we add documentation for these improvements, and include a functional test or two as well before release.

[azasypkin]

If we don't already have one, let's open an issue so that we add documentation for these improvements, and include a functional test or two as well before release.

Sure, we have one for documentation already #64054 and I've just filed another one for the functional test suite #64635.

[azasypkin]

7.x/7.8.0: 75e2b8c

[kibanamachine]

💚 Build Succeeded

• continuous-integration/kibana-ci/pull-request
• Commit: 7f02155

History

• 💚 Build #43645 succeeded 7f02155
• 💚 Build #43153 succeeded 0e0ba3e
• 💔 Build #43133 failed 6daeb5d

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream