Open legrego opened 3 years ago
Pinging @elastic/kibana-security (Team:Security)
Thanks for filing this one! I agree, this sounds like a valid use case that we should cover.
The behavior we have today is intentional (I believe we even have tests for this), but we didn't consider multiple Kibana iframes in the same page at that time. The assumption was that users could end up in a situation like that only when they open Kibana in multiple tabs and initiate SAML/OIDC login in all of them. Failing in such a case is reasonable, but not for multiple iframes.
@azasypkin @legrego @jportner Any update? Customer asking if we are considering this on a future release.
Unfortunately, there are no updates yet. I've just added this to the discussion agenda for our sync next week. I'll comment here once I have more details.
Quick update here: we included the task to investigate possible solutions for this issue in our "Next Sprints" backlog. We'll comment here once someone picks it up.
any insight would be appreciated @azasypkin @legrego @jportner
We haven't been able to address this yet due to some PTO on our team and a couple of high priority items that came in, but this is still in our "Next sprint" bucket.
Some of our SSO auth providers require creating an "unauthenticated session" within the `sid` cookie in order to complete the handshake.

When multiple Kibana frames are embedded within a single page (each using the same `saml` provider for example), they end up competing for this single `sid` cookie, thereby clobbering each other's session state. This results in failed authentication attempts.

It should be possible to embed multiple instances of Kibana within a single page, regardless of the authentication mechanism used (e.g. `basic`, `token`, `saml`, `oidc`, etc.).
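
The clobbering described in the issue, as an added simulation that is not Kibana's code: two frames start a handshake against one shared `sid` cookie, first with a single pending slot and then with a list of pending request IDs. All function names, the cookie layout and the multi-slot variant are assumptions made for illustration, not the project's design.

```javascript
// Constructed simulation; every name here is hypothetical.
// One cookie jar is shared by all frames served from the same origin.
let counter = 0;
const newRequestId = () => `_req${++counter}`; // stand-in for a random request ID

// Single-slot layout: `sid` holds one pending handshake, so a second
// start overwrites the state the first frame still needs.
function startSingle(jar) {
  const requestId = newRequestId();
  jar.set('sid', { pending: requestId });
  return requestId;
}
function finishSingle(jar, inResponseTo) {
  const session = jar.get('sid');
  if (!session || session.pending !== inResponseTo) return 'rejected';
  jar.set('sid', { user: 'authenticated' });
  return 'ok';
}

// Multi-slot layout (assumption): `sid` tracks every in-flight request ID.
// Unknown or already-consumed IDs are still rejected.
function startMulti(jar) {
  const requestId = newRequestId();
  const session = jar.get('sid') || {};
  jar.set('sid', { ...session, pending: [...(session.pending || []), requestId] });
  return requestId;
}
function finishMulti(jar, inResponseTo) {
  const session = jar.get('sid');
  const pending = (session && session.pending) || [];
  if (!pending.includes(inResponseTo)) return 'rejected';
  jar.set('sid', {
    user: 'authenticated',
    pending: pending.filter((id) => id !== inResponseTo),
  });
  return 'ok';
}

// Frame A and frame B both redirect to the IdP before either response returns;
// a third response with an ID nobody issued must always be refused.
function run(start, finish) {
  const jar = new Map();
  const a = start(jar);
  const b = start(jar);
  return [finish(jar, a), finish(jar, b), finish(jar, '_unsolicited')];
}

console.log('single slot:', run(startSingle, finishSingle));
console.log('multi slot: ', run(startMulti, finishMulti));
```

The simulation applies the writes one after another; in a browser each start is a read-modify-write of the cookie across separate HTTP responses, so a real multi-slot design would also have to cope with two responses setting the cookie concurrently.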