External authentication

ECE ECK Elastic Cloud Hosted Self Managed

External authentication in Elastic is any form of authentication that requires interaction with parties and components external to Elasticsearch, typically with enterprise grade identity management systems.

Elastic offers several external realm types, each of which represents a common authentication provider. You can have as many external realms as you would like, each with its own unique name and configuration.

If the authentication provider that you want to use is not currently supported, then you can create a your own custom realm plugin to integrate with additional systems.

In this section, you'll learn how to configure different types of external realms, and use them to grant access to Elastic resources.

Tip

For many external realms, you need to perform extra steps to use the realm to log in to Kibana. Learn more.

Available external realms

Elasticsearch provides the following built-in external realms:

ldap: Uses an external LDAP server to authenticate the users. This realm supports an authentication token in the form of username and password, and requires explicit configuration in order to be used. See LDAP user authentication.
active_directory: Uses an external Active Directory Server to authenticate the users. With this realm, users are authenticated by usernames and passwords. See Active Directory user authentication.
pki: Authenticates users using Public Key Infrastructure (PKI). This realm works in conjunction with SSL/TLS and identifies the users through the Distinguished Name (DN) of the client’s X.509 certificates. See PKI user authentication.
saml: Facilitates authentication using the SAML 2.0 Web SSO protocol. This realm is designed to support authentication through Kibana and is not intended for use in the REST API. See SAML authentication.
kerberos: Authenticates a user using Kerberos authentication. Users are authenticated on the basis of Kerberos tickets. See Kerberos authentication.
oidc: Facilitates authentication using OpenID Connect. It enables Elasticsearch to serve as an OpenID Connect Relying Party (RP) and provide single sign-on (SSO) support in Kibana. See Configuring single sign-on to the Elastic Stack using OpenID Connect.
jwt: Facilitates using JWT identity tokens as authentication bearer tokens. Compatible tokens are OpenID Connect ID Tokens, or custom JWTs containing the same claims. See JWT authentication.