@azasypkin

Summary

During the transitional period and staged rollout, Kibana needs to be able to handle sessions using either UIAM or ES native access and refresh tokens, even when UIAM mode is enabled in Kibana. To achieve this, in addition to checking the UIAM configuration, Kibana also checks whether the access token returned by the Elasticsearch SAML realm starts with the well-known UIAM token prefix: essu_.

How to test

UIAM mode with UIAM tokens

Start both ES and Kibana in UIAM mode and check if you can log in.

$ yarn es serverless --projectType security --uiam
$ yarn start --serverless=security --uiam

UIAM mode with ES native tokens

Start only Kibana in UIAM mode and check if you can log in.

$ yarn es serverless --projectType security
$ yarn start --serverless=security --uiam

/cc @slobodanadamovic

@azasypkin azasypkin self-assigned this Dec 3, 2025
@azasypkin azasypkin added the Team:Security, release_note:skip and backport:skip labels Dec 3, 2025
@azasypkin azasypkin force-pushed the issue-xxx-uiam-saml-both-native-and-uiam-tokens branch from 2beb71a to 5d080c1 Compare December 3, 2025 14:59
@elasticmachine

💛 Build succeeded, but was flaky

Failed CI Steps

Metrics [docs]

✅ unchanged

History

cc @azasypkin

@azasypkin azasypkin marked this pull request as ready for review December 3, 2025 18:21
@azasypkin azasypkin requested a review from a team as a code owner December 3, 2025 18:21
@elasticmachine

Pinging @elastic/kibana-security (Team:Security)

@kc13greiner kc13greiner self-requested a review December 3, 2025 18:36