diff --git a/docs/settings/security-settings.asciidoc b/docs/settings/security-settings.asciidoc index 058d53118b076..c7fce25b571c7 100644 --- a/docs/settings/security-settings.asciidoc +++ b/docs/settings/security-settings.asciidoc 
@@ -30,6 +30,125 @@ You do not need to configure any additional settings to use the |=== +[float] +[[authentication-security-settings]] +==== Authentication security settings + +You configure authentication settings in the `xpack.security.authc` namespace in `kibana.yml`. + +For example: + +[source,yaml] +---------------------------------------- +xpack.security.authc: + providers: + basic.basic1: <1> + order: 0 <2> + ... + + saml.saml1: <3> + order: 1 + ... + + saml.saml2: <4> + order: 2 + ... + + pki.realm3: + order: 3 + ... + ... +---------------------------------------- +<1> Specifies the type of authentication provider (for example, `basic`, `token`, `saml`, `oidc`, `kerberos`, `pki`) and the provider name. This setting is mandatory. +<2> Specifies the order of the provider in the authentication chain and on the Login Selector UI. This setting is mandatory. +<3> Specifies the settings for the SAML authentication provider with a `saml1` name. +<4> Specifies the settings for the SAML authentication provider with a `saml2` name. + +The valid settings in the `xpack.security.authc.providers` namespace vary depending on the authentication provider type. For more information, refer to <>. + +[float] +[[authentication-provider-settings]] +===== Valid settings for all authentication providers + +[cols="2*<"] +|=== +| `xpack.security.authc.providers.` +`..enabled` +| Determines if the authentication provider should be enabled. By default, {kib} enables the provider as soon as you configure any of its properties. + +| `xpack.security.authc.providers.` +`..order` +| Order of the provider in the authentication chain and on the Login Selector UI. + +| `xpack.security.authc.providers.` +`..description` +| Custom description of the provider entry displayed on the Login Selector UI. + +| `xpack.security.authc.providers..` +`.showInSelector` +| Flag that indicates if the provider should have an entry on the Login Selector UI. 
Setting this to `false` doesn't remove the provider from the authentication chain. + +2+a| +[TIP] +[NOTE] +============ +You are unable to set this setting to `false` for `basic` and `token` authentication providers. +============ + +|=== + +[float] +[[saml-authentication-provider-settings]] +===== SAML authentication provider settings + +In addition to <>, you can specify the following settings: + +[cols="2*<"] +|=== +| `xpack.security.authc.providers.` +`saml..realm` +| SAML realm in {es} that provider should use. + +| `xpack.security.authc.providers.` +`saml..maxRedirectURLSize` +| Specifies the maximum size of the URL that {kib} is allowed to store during the SAML handshake. + +|=== + +[float] +[[oidc-authentication-provider-settings]] +===== OpenID Connect authentication provider settings + +In addition to <>, you can specify the following settings: + +[cols="2*<"] +|=== +| `xpack.security.authc.providers.` +`oidc..realm` +| OpenID Connect realm in {es} that the provider should use. + +|=== + +[float] +[[http-authentication-settings]] +===== HTTP authentication settings + +There is a very limited set of cases when you'd want to change these settings. For more information, refer to <>. + +[cols="2*<"] +|=== +| `xpack.security.authc.http.enabled` +| Determines if HTTP authentication should be enabled. By default, this setting is set to `true`. + +| `xpack.security.authc.http.autoSchemesEnabled` +| Determines if HTTP authentication schemes used by the enabled authentication providers should be automatically supported during HTTP authentication. By default, this setting is set to `true`. + +| `xpack.security.authc.http.schemes[]` +| List of HTTP authentication schemes that {kib} HTTP authentication should support. By default, this setting is set to `['apikey']` to support HTTP authentication with <> scheme. + +|=== + + [float] [[security-ui-settings]] ==== User interface security settings
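Review bot: In the "Valid settings for all authentication providers" table, the admonition after the `showInSelector` row carries two stacked labels, `[TIP]` and `[NOTE]`, on the same `============` block. Keep only one; `[NOTE]` fits, since the text states a restriction for `basic` and `token` providers rather than a tip. In the SAML table, the `maxRedirectURLSize` row gives neither a default value nor the unit the size is measured in, so a reader cannot tell what limit applies when the setting is omitted; add both. Smaller points: the SAML `realm` description reads "that provider should use" while the OpenID Connect row has "that the provider should use", so add the missing article. The `showInSelector` row also breaks the setting name at a different point than the `enabled`, `order` and `description` rows. Finally, the hunk ends with two blank added lines before the existing `[float]`, where one is enough.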