Feature request: SSO for ElasticSearch with GitHub OAuth application

[plaformsre]

Background Our team consists of nearly 400 developers who use GitHub Enterprise on a daily basis. We have over 20 ElasticSearch & Kibana deployments, all at the service for developers. We want the users to stop creating native realm users, incl. the default elastic administrative user (not compliant with our company policies.

It is very expensive (process and maintenance) to integrate ElasticSearch with SAML 2.0 or OAuth 2.0 (e.g. Azure AD/PingID) because the onboarding takes months to comply with all the rules and renew secrets every 3-6 months. We expect the number of Kibana's and ElasticSearch to multiply (to 60-80 this year), centralising Kibana does not offer all functionality developers need (e.g. machine learning, beats, uptime, etc.).

Feature request

• enable ElasticSearch & Kibana authentication for users to allow GitHub OAuth application registration that works with the Authorization callback URL & storing a client secret e31105b57df1f77bad57b55af88da126976dc242

Related documentation:

• GitHub Authorizing OAuth Apps

[elasticmachine]

Pinging @elastic/es-security (Team:Security)

[jkakavas]

Unfortunately Github's implementation doesn't conform to OpenId Connect, but is rather a custom authentication protocol on top of oAuth2 that is quite similar but not exactly OpenID Connect . As such, SSO using our OpenID Connect realm is not achievable and we'd need to implement, maintain and support a custom solution to fit this use case.

cc @bytebilly

[bytebilly]

Thanks for the proposal @mapdegree.

I agree with Ioannis, and even if I see the potential benefit of this feature it's unlikely to be on our roadmap anytime soon because of the many features we are working on. Could you share more on the onboarding problems you got by using a centralized SSO solution?

We can keep this issue open and see if it will get traction from other users.