Skip to content

Commit

Permalink
[7.x] Document security settings available on ESS (#76513) (#76654)
Browse files Browse the repository at this point in the history
  • Loading branch information
legrego authored Sep 3, 2020
1 parent 775359c commit c171a6f
Showing 1 changed file with 16 additions and 16 deletions.
32 changes: 16 additions & 16 deletions docs/settings/security-settings.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -73,27 +73,27 @@ The valid settings in the `xpack.security.authc.providers` namespace vary depend
[cols="2*<"]
|===
| `xpack.security.authc.providers.`
`<provider-type>.<provider-name>.enabled`
`<provider-type>.<provider-name>.enabled` {ess-icon}
| Determines if the authentication provider should be enabled. By default, {kib} enables the provider as soon as you configure any of its properties.

| `xpack.security.authc.providers.`
`<provider-type>.<provider-name>.order`
`<provider-type>.<provider-name>.order` {ess-icon}
| Order of the provider in the authentication chain and on the Login Selector UI.

| `xpack.security.authc.providers.`
`<provider-type>.<provider-name>.description`
`<provider-type>.<provider-name>.description` {ess-icon}
| Custom description of the provider entry displayed on the Login Selector UI.

| `xpack.security.authc.providers.`
`<provider-type>.<provider-name>.hint`
`<provider-type>.<provider-name>.hint` {ess-icon}
| Custom hint for the provider entry displayed on the Login Selector UI.

| `xpack.security.authc.providers.`
`<provider-type>.<provider-name>.icon`
`<provider-type>.<provider-name>.icon` {ess-icon}
| Custom icon for the provider entry displayed on the Login Selector UI.

| `xpack.security.authc.providers.`
`<provider-type>.<provider-name>.showInSelector`
`<provider-type>.<provider-name>.showInSelector` {ess-icon}
| Flag that indicates if the provider should have an entry on the Login Selector UI. Setting this to `false` doesn't remove the provider from the authentication chain.

2+a|
Expand All @@ -104,7 +104,7 @@ You are unable to set this setting to `false` for `basic` and `token` authentica
============

| `xpack.security.authc.providers.`
`<provider-type>.<provider-name>.accessAgreement.message`
`<provider-type>.<provider-name>.accessAgreement.message` {ess-icon}
| Access agreement text in Markdown format. For more information, refer to <<xpack-security-access-agreement>>.

|===
Expand All @@ -118,11 +118,11 @@ In addition to <<authentication-provider-settings,the settings that are valid fo
[cols="2*<"]
|===
| `xpack.security.authc.providers.`
`saml.<provider-name>.realm`
`saml.<provider-name>.realm` {ess-icon}
| SAML realm in {es} that provider should use.

| `xpack.security.authc.providers.`
`saml.<provider-name>.useRelayStateDeepLink`
`saml.<provider-name>.useRelayStateDeepLink` {ess-icon}
| Determines if the provider should treat the `RelayState` parameter as a deep link in {kib} during Identity Provider initiated log in. By default, this setting is set to `false`. The link specified in `RelayState` should be a relative, URL-encoded {kib} URL. For example, the `/app/dashboards#/list` link in `RelayState` parameter would look like this: `RelayState=%2Fapp%2Fdashboards%23%2Flist`.

|===
Expand All @@ -136,7 +136,7 @@ In addition to <<authentication-provider-settings,the settings that are valid fo
[cols="2*<"]
|===
| `xpack.security.authc.providers.`
`oidc.<provider-name>.realm`
`oidc.<provider-name>.realm` {ess-icon}
| OpenID Connect realm in {es} that the provider should use.

|===
Expand Down Expand Up @@ -168,13 +168,13 @@ You can configure the following settings in the `kibana.yml` file.

[cols="2*<"]
|===
| `xpack.security.loginAssistanceMessage`
| `xpack.security.loginAssistanceMessage` {ess-icon}
| Adds a message to the login UI. Useful for displaying information about maintenance windows, links to corporate sign up pages, and so on.

| `xpack.security.loginHelp`
| `xpack.security.loginHelp` {ess-icon}
| Adds a message accessible at the login UI with additional help information for the login process.

| `xpack.security.authc.selector.enabled`
| `xpack.security.authc.selector.enabled` {ess-icon}
| Determines if the login selector UI should be enabled. By default, this setting is set to `true` if more than one authentication provider is configured.

|===
Expand Down Expand Up @@ -203,12 +203,12 @@ You can configure the following settings in the `kibana.yml` file.
this to `true` if SSL is configured outside of {kib} (for example, you are
routing requests through a load balancer or proxy).

| `xpack.security.sameSiteCookies`
| `xpack.security.sameSiteCookies` {ess-icon}
| Sets the `SameSite` attribute of the session cookie. This allows you to declare whether your cookie should be restricted to a first-party or same-site context.
Valid values are `Strict`, `Lax`, `None`.
This is *not set* by default, which modern browsers will treat as `Lax`. If you use Kibana embedded in an iframe in modern browsers, you might need to set it to `None`. Setting this value to `None` requires cookies to be sent over a secure connection by setting `xpack.security.secureCookies: true`. Some old versions of IE11 do not support `SameSite: None`.

| `xpack.security.session.idleTimeout`
| `xpack.security.session.idleTimeout` {ess-icon}
| Ensures that user sessions will expire after a period of inactivity. This and `xpack.security.session.lifespan` are both
highly recommended. By default, this setting is not set.

Expand All @@ -218,7 +218,7 @@ highly recommended. By default, this setting is not set.
The format is a string of `<count>[ms\|s\|m\|h\|d\|w\|M\|Y]` (e.g. '20m', '24h', '7d', '1w').
============

| `xpack.security.session.lifespan`
| `xpack.security.session.lifespan` {ess-icon}
| Ensures that user sessions will expire after the defined time period. This behavior also known as an "absolute timeout". If
this is _not_ set, user sessions could stay active indefinitely. This and `xpack.security.session.idleTimeout` are both highly
recommended. By default, this setting is not set.
Expand Down

0 comments on commit c171a6f

Please sign in to comment.