Skip to content

Add note in breaking changes for nameid_format #77785

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Oct 19, 2021
Merged

Add note in breaking changes for nameid_format #77785

Changes from 4 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
a4a2a09
Add note in breaking changes for nameid_format
jkakavas Sep 15, 2021
345008d
remove reference to settings
jkakavas Sep 15, 2021
82e2a87
Fix docs build
jrodewig Sep 15, 2021
306a786
Accepting most of James' suggested changes
Sep 15, 2021
50ca91a
Incorporating changes from Ioannis
Sep 15, 2021
f8bffd5
Apply suggestions from code review
jkakavas Sep 16, 2021
88c7f75
Apply suggestions from code review
Oct 19, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 35 additions & 3 deletions docs/reference/migration/migrate_8_0/security.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -234,7 +234,7 @@ on startup.

[discrete]
[[ssl-misc-changes]]
===== Other SSL/TLS changes
===== Other SSL/TLS changes

.PKCS#11 keystores and trustores cannot be configured in `elasticsearch.yml`
[%collapsible]
Expand All @@ -254,7 +254,7 @@ Use of a PKCS#11 keystore or truststore as the JRE's default store is not affect

*Impact* +
If you have a PKCS#11 keystore configured within your `elasticsearch.yml` file, you must remove that
configuration and switch to a supported keystore type, or configure your PKCS#11 keystore as the
configuration and switch to a supported keystore type, or configure your PKCS#11 keystore as the
JRE default store.
====

Expand Down Expand Up @@ -306,6 +306,38 @@ renamed to better reflect its intended use.
*Impact* +
Assign users with the `kibana_user` role to the `kibana_admin` role.
Discontinue use of the `kibana_user` role.
====

[discrete]
[[saml-realm-nameid-changes]]
===== The default value of `nameid_format` setting has been removed.

Copy link
Contributor

@jrodewig jrodewig Sep 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd remove this heading (keep the anchor) and relocate these changes just below the section for The transport.profiles.*.xpack.security.type setting has been removed.

Suggested change
===== The default value of `nameid_format` setting has been removed.

Copy link
Contributor

@lockewritesdocs lockewritesdocs Sep 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed! I'll implement that change.

.The `nameid_format` SAML realm setting has no default value.
[%collapsible]
====
*Details* +
In SAML, Identity Providers (IdPs) either release a `NameID` or attempt to
conform with the requirements of a Service Provider (SP). The SP declares its
requirements in the `NameIDPolicy` of an authentication request. In {es}, the
`nameid_format` SAML realm setting controls the `NameIDPolicy`.
Copy link
Contributor Author

@jkakavas jkakavas Sep 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
In SAML, Identity Providers (IdPs) either release a `NameID` or attempt to
conform with the requirements of a Service Provider (SP). The SP declares its
requirements in the `NameIDPolicy` of an authentication request. In {es}, the
`nameid_format` SAML realm setting controls the `NameIDPolicy`.
In SAML, Identity Providers (IdPs) can be either statically configured to release a `NameID`
with a specific format, or configured to try to conform with the requirements of Service Provider (SP)
The SP declares its requirements in the `NameIDPolicy` element of a SAML Authentication Request.
In {es}, the `nameid_format` SAML realm setting controls the `NameIDPolicy` value.


Previously, the default value for `nameid_format` was
`urn:oasis:names:tc:SAML:2.0:nameid-format:transient`. This default created
authentication requests that would require the IdP to release `NameID` with a
transient format.
The default value has now been removed. This means that {es} will be default
Copy link
Contributor Author

@jkakavas jkakavas Sep 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
The default value has now been removed. This means that {es} will be default
The default value has now been removed. This means that {es} will by default

create SAML Authentication Requests that do not put forward such requirements
to the Identity Provider.

If you want to retain the previous behavior, you can set `nameid_format`
to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.
Copy link
Contributor

@jrodewig jrodewig Sep 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if we can remove the second sentence.

Suggested change
The default value has now been removed. This means that {es} will be default
create SAML Authentication Requests that do not put forward such requirements
to the Identity Provider.
If you want to retain the previous behavior, you can set `nameid_format`
to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.
This default has been removed. To retain the previous default behavior, set
`nameid_format` to `urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.

Copy link
Contributor Author

@jkakavas jkakavas Sep 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it makes sense to remove this. This is the essence of what changes and what this change means.


*Impact* +
To avoid issues, explicitly configure `nameid_format`. If you don't configure
Copy link
Contributor Author

@jkakavas jkakavas Sep 15, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not what I am trying to say. If we instruct everyone to set this value, we might as well leave the default in place. What I am trying to say is that "this should probably be ok, but if you know you want the old behavior or you don't know how your IDP is configured but it was working so far and you don't care to try, set this setting to this value explicitly"

`nameid_format`, some SAML setups may no longer work. If you don't know
how your IdP generates a value for `NameID`, explicitly set `nameid_format` to
`urn:oasis:names:tc:SAML:2.0:nameid-format:transient`.

====
// end::notable-breaking-changes[]

Expand All @@ -320,7 +352,7 @@ Discontinue use of the `kibana_user` role.
[%collapsible]
====
*Details* +
If `xpack.security.fips_mode.enabled` is true (see <<fips-140-compliance>>),
If `xpack.security.fips_mode.enabled` is true (see <<fips-140-compliance>>),
the value of `xpack.security.authc.password_hashing.algorithm` now defaults to
`pbkdf2_stretch`.

Expand Down