elastic / elasticsearch

Free and Open, Distributed, RESTful Search Engine
https://www.elastic.co/products/elasticsearch

Support Azure Active Directory #30089

Open elasticmachine opened 6 years ago

elasticmachine commented 6 years ago

Original comment by @joshbressers:

We see requests to support AAD. I suspect we'll need to add this to x-pack as my understanding is they aren't doing OAuth in a generic manner.

elasticmachine commented 6 years ago

Original comment by @jaymode:

This should be a pretty straightforward realm to add (outside of testing). Microsoft provides a Java library for Azure AD: https://github.com/AzureAD/azure-activedirectory-library-for-java

elasticmachine commented 6 years ago

Original comment by @tvernum:

I believe AAD supports SAML.

elasticmachine commented 6 years ago

Original comment by @tvernum:

The SAML Realm supports AAD, but SAML to on-prem apps is a platinum feature for AAD so we may get requests for integration at the "basic" AAD level.

DaveB93 commented 6 years ago

To clarify, is this for the Azure plugin for snapshots, or is it for a different Azure plugin? I want to file an issue for the Azure snapshot plugin to support Managed Service Identities (see https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/tutorial-linux-vm-access-storage-access-key) but don't want to create a duplicate issue. (Note: in that tutorial it has you hard-code the subscription ID and resource group, but those can be fetched from instance metadata: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service)

rhysjtevans commented 3 years ago

Even supporting Azure Active Directory Service Principals would be an addition.

rhysjtevans commented 3 years ago

Any movement on this?

tvernum commented 3 years ago

No, we support AzureAD via SAML for authentication to Kibana/Elasticsearch and have no immediate plans to do anything more in the authentication space.

But from what you've written, I don't think you're looking for additional authentication options - I assume you're after support for service principals for the Azure Snapshot repository. If so, this isn't the issue for that.

nerophon commented 3 years ago

@tvernum not having AzureAD integrated in such a way as to permit use of the "run-as" feature in ES is a potential blocker for one of my users.