@rgodfrey-elastic rgodfrey-elastic commented Oct 21, 2025

Closes 109525

Summary

  • Added origin configuration to authc providers.
  • Changed login form to hide providers based on the origin configuration and the current browser window origin.
  • Filtered providers on the back end based on the origin header and the configured provider origin properties.
  • Origin configuration is optional and can be one value or an array of values.
  • All values provided in the origin config must be a valid URI
  • An error is displayed in the UI if there are no valid auth providers for the domain

Example 1

```
xpack.security.authc.providers:
  basic.basic1:
    order: 0
    origin: [http://127.0.0.1:5601, http://localhost:5601, https://elastic.com]
  saml.saml1:
    order: 1
    realm: saml1
    origin: http://127.0.0.1:5601
  saml.saml2:
    order: 2
    realm: saml2
    origin: http://localhost:5601
  saml.saml3:
    order: 3
    realm: saml3
    origin: [http://127.0.0.1:5601, http://localhost:5601, https://elastic.com]
  saml.saml4:
    order: 4
    realm: saml4
```

Example 2

```
xpack.security.authc.providers:
  basic.basic1:
    order: 0
    origin: [http://127.0.0.1:5601, https://elastic.com]
  saml.saml1:
    order: 1
    realm: saml1
    origin: https://elastic.com
```

Release Notes

Adds the ability to specify the origin(s) where an authentication provider will appear to users in the Login Selector UI.

@rgodfrey-elastic rgodfrey-elastic self-assigned this Oct 21, 2025
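
A sketch of the filtering rule the PR summary describes, run against the Example 1 configuration. This is an added example, not the Kibana implementation. The function names are hypothetical, and three behaviours are assumptions: a provider without `origin` is offered on every origin, the filter is skipped when the request carries no Origin header, and a configured value that yields no origin is rejected.

```typescript
// Added illustration, not Kibana's implementation; all names are hypothetical.
interface ProviderConfig {
  order: number;
  realm?: string;
  origin?: string | string[]; // optional: one value or an array of values
}

// Constructed sample mirroring "Example 1" from the PR description.
const ALL = ['http://127.0.0.1:5601', 'http://localhost:5601', 'https://elastic.com'];
const exampleProviders: Record<string, ProviderConfig> = {
  'basic.basic1': { order: 0, origin: ALL },
  'saml.saml1': { order: 1, realm: 'saml1', origin: 'http://127.0.0.1:5601' },
  'saml.saml2': { order: 2, realm: 'saml2', origin: 'http://localhost:5601' },
  'saml.saml3': { order: 3, realm: 'saml3', origin: ALL },
  'saml.saml4': { order: 4, realm: 'saml4' }, // no origin configured
};

// Reduce a URI to scheme://host[:port]; null when it does not parse or has an opaque origin.
function toOrigin(value: string): string | null {
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin;
  } catch {
    return null;
  }
}

// Validate the configured setting (assumption: values without an origin are rejected).
function normalizeOrigins(setting?: string | string[]): string[] | undefined {
  if (setting === undefined) return undefined;
  const values = Array.isArray(setting) ? setting : [setting];
  return values.map((value) => {
    const origin = toOrigin(value);
    if (origin === null) throw new Error(`origin "${value}" is not a valid URI`);
    return origin;
  });
}

// Names of the providers to offer for a request, sorted by `order`.
function providersForOrigin(providers: Record<string, ProviderConfig>, originHeader?: string): string[] {
  const requestOrigin = originHeader === undefined ? null : toOrigin(originHeader);
  return Object.keys(providers)
    .filter((name) => {
      const allowed = normalizeOrigins(providers[name].origin);
      // Assumption: unrestricted provider, or no Origin header, means no filtering.
      if (allowed === undefined || originHeader === undefined) return true;
      return requestOrigin !== null && allowed.indexOf(requestOrigin) !== -1;
    })
    .sort((a, b) => providers[a].order - providers[b].order);
}
```

Comparing normalized origins rather than raw strings means a configured `HTTPS://Elastic.com:443/` and a request origin of `https://elastic.com` are treated as the same value.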
github-actions bot commented Oct 21, 2025

🔍 Preview links for changed docs

…filter available providers based on the origin configuration and the current browser window origin. Also filtered available providers based on the origin header and the configured provider origin properties

# Conflicts:
#	x-pack/platform/plugins/shared/security/server/authentication/authenticator.ts
@rgodfrey-elastic rgodfrey-elastic force-pushed the feature/add-origin-config-to-authc-providers branch from 37fa181 to 34bb5d3 Compare October 24, 2025 19:40
@rgodfrey-elastic rgodfrey-elastic added enhancement New value added to drive a business result release_note:enhancement Team:Security Platform Security: Auth, Users, Roles, Spaces, Audit Logging, etc t// labels Oct 24, 2025
@rgodfrey-elastic rgodfrey-elastic linked an issue Oct 24, 2025 that may be closed by this pull request
@rgodfrey-elastic rgodfrey-elastic added Feature:Security/Authentication Platform Security - Authentication backport:skip This PR does not require backporting labels Oct 24, 2025
@rgodfrey-elastic rgodfrey-elastic marked this pull request as ready for review October 28, 2025 12:29
@rgodfrey-elastic rgodfrey-elastic requested review from a team as code owners October 28, 2025 12:29
@elasticmachine

Pinging @elastic/kibana-security (Team:Security)

@legrego legrego requested a review from azasypkin October 29, 2025 10:58
@azasypkin

ACK: will review later today or tomorrow, sorry for the delay!

@azasypkin azasypkin left a comment

Great job! I've left just a few questions and nits.

@rgodfrey-elastic

@elasticmachine merge upstream

@azasypkin azasypkin self-requested a review November 5, 2025 14:35
@azasypkin azasypkin left a comment

LGTM, tested locally - everything works as expected, thanks! Would you also mind updating the Release Notes section in the issue description to better align with your updates in the doc (these are being used to compile release notes for every release)?

@rgodfrey-elastic

@elasticmachine merge upstream

@elasticmachine

💚 Build Succeeded

Metrics [docs]

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

| id | before | after | diff |
| --- | --- | --- | --- |
| security | 486.5KB | 487.1KB | +638.0B |

cc @rgodfrey-elastic

@florent-leborgne florent-leborgne left a comment

Docs LGTM, thanks!

@rgodfrey-elastic rgodfrey-elastic merged commit f7a755a into elastic:main Nov 6, 2025
12 checks passed
@rgodfrey-elastic rgodfrey-elastic deleted the feature/add-origin-config-to-authc-providers branch November 6, 2025 13:35
wildemat pushed a commit to wildemat/kibana that referenced this pull request Nov 6, 2025
Closes [109525](elastic#109525)

## Summary
- Added origin configuration to authc providers.
- Changed login form to hide providers based on the origin configuration
and the current browser window origin.
- Filtered providers on the back end based on the origin header and the
configured provider origin properties.
- Origin configuration is optional and can be one value or an array of
values.
- All values provided in the origin config must be a valid URI
- An error is displayed in the UI if there are no valid auth providers
for the domain

### Example 1
```
xpack.security.authc.providers:
  basic.basic1:
    order: 0
    origin: [http://127.0.0.1:5601, http://localhost:5601, https://elastic.com]
  saml.saml1:
    order: 1
    realm: saml1
    origin: http://127.0.0.1:5601
  saml.saml2:
    order: 2
    realm: saml2
    origin: http://localhost:5601
  saml.saml3:
    order: 3
    realm: saml3
    origin: [http://127.0.0.1:5601, http://localhost:5601, https://elastic.com]
  saml.saml4:
    order: 4
    realm: saml4
```


### Example 2
```
xpack.security.authc.providers:
  basic.basic1:
    order: 0
    origin: [http://127.0.0.1:5601, https://elastic.com]
  saml.saml1:
    order: 1
    realm: saml1
    origin: https://elastic.com
```


## Release Notes
Adds the ability to specify the origin(s) where an authentication
provider will appear to users in the Login Selector UI.

---------

Co-authored-by: kibanamachine <[email protected]>
Co-authored-by: florent-leborgne <[email protected]>
Co-authored-by: Elastic Machine <[email protected]>
rgodfrey-elastic added a commit to elastic/docs-content that referenced this pull request Nov 6, 2025
## Summary

Added note about new `origin` setting available for authentication
providers added with elastic/kibana#239993
Labels

backport:skip This PR does not require backporting enhancement New value added to drive a business result Feature:Security/Authentication Platform Security - Authentication release_note:enhancement Team:Security Platform Security: Auth, Users, Roles, Spaces, Audit Logging, etc t// v9.3.0

Development

Successfully merging this pull request may close these issues.

Limit authentication providers based on hostname
