Document new xpack.security.authc.* settings and related 8.0.0 breaking changes. (#61443)

azasypkin · web-flow · commit 534155f6fc77 · 2020-04-01T16:15:03.000+02:00
diff --git a/docs/migration/migrate_8_0.asciidoc b/docs/migration/migrate_8_0.asciidoc
@@ -61,24 +61,53 @@ for example, `logstash-*`.
 *Impact:* Use `xpack.security.authc.providers` instead.
 
 [float]
-==== `xpack.security.authc.saml.realm` is now mandatory when using the SAML authentication provider
-*Details:* Previously Kibana was choosing the appropriate Elasticsearch SAML realm automatically using the `Assertion Consumer Service`
-URL that it derived from the actual server address. Starting in 8.0.0, the Elasticsearch SAML realm name that Kibana will use should be
-specified explicitly.
+==== `xpack.security.authc.providers` has changed value format
+*Details:* `xpack.security.authc.providers` setting in the `kibana.yml` has changed value format.
 
-*Impact:* Always define `xpack.security.authc.saml.realm` when using the SAML authentication provider.
+*Impact:* Array of provider types as a value is no longer supported, use extended object format instead.
+
+[float]
+==== `xpack.security.authc.saml` is no longer valid
+*Details:* The deprecated `xpack.security.authc.saml` setting in the `kibana.yml` file has been removed.
+
+*Impact:* Configure SAML authentication providers using `xpack.security.authc.providers.saml.{provider unique name}.*` settings instead.
+
+[float]
+==== `xpack.security.authc.oidc` is no longer valid
+*Details:* The deprecated `xpack.security.authc.oidc` setting in the `kibana.yml` file has been removed.
+
+*Impact:* Configure OpenID Connect authentication providers using `xpack.security.authc.providers.oidc.{provider unique name}.*` settings instead.
 
 [float]
 ==== `xpack.security.public` is no longer valid
-*Details:* The deprecated `xpack.security.public` setting in the `kibana.yml` file has been removed.
+*Details:* Previously Kibana was choosing the appropriate Elasticsearch SAML realm automatically using the `Assertion Consumer Service`
+URL that it derived from the actual server address and `xpack.security.public` setting. Starting in 8.0.0, the deprecated `xpack.security.public` setting in the `kibana.yml` file has been removed and the Elasticsearch SAML realm name that Kibana will use should be specified explicitly.
 
-*Impact:* Define `xpack.security.authc.saml.realm` when using the SAML authentication provider instead.
+*Impact:* Define `xpack.security.authc.providers.saml.{provider unique name}.realm` when using the SAML authentication providers instead.
 
 [float]
 ==== `/api/security/v1/saml` endpoint is no longer supported
 *Details:* The deprecated `/api/security/v1/saml` endpoint is no longer supported.
 
-*Impact:* Rely on `/api/security/saml/callback` endpoint when using SAML instead. This change should be reflected in Kibana `server.xsrf.whitelist` config as well as in Elasticsearch and Identity Provider SAML settings.
+*Impact:* Rely on `/api/security/saml/callback` endpoint when using SAML instead. This change should be reflected in Elasticsearch and Identity Provider SAML settings.
+
+[float]
+==== `/api/security/v1/oidc` endpoint is no longer supported
+*Details:* The deprecated `/api/security/v1/oidc` endpoint is no longer supported.
+
+*Impact:* Rely on `/api/security/oidc/callback` endpoint when using OpenID Connect instead. This change should be reflected in Elasticsearch and OpenID Connect Provider settings.
+
+[float]
+==== `/api/security/v1/oidc` endpoint is no longer supported for Third Party initiated login
+*Details:* The deprecated `/api/security/v1/oidc` endpoint is no longer supported for Third Party initiated login.
+
+*Impact:* Rely on `/api/security/oidc/initiate_login` endpoint when using Third Party initiated OpenID Connect login instead. This change should be reflected in Elasticsearch and OpenID Connect Provider settings.
+
+[float]
+==== `/api/security/v1/oidc/implicit` endpoint is no longer supported
+*Details:* The deprecated `/api/security/v1/oidc/implicit` endpoint is no longer supported.
+
+*Impact:* Rely on `/api/security/oidc/implicit` endpoint when using OpenID Connect Implicit Flow instead. This change should be reflected in OpenID Connect Provider settings.
 
 [float]
 === `optimize` directory is now in the `data` folder
diff --git a/docs/setup/settings.asciidoc b/docs/setup/settings.asciidoc
@@ -410,9 +410,7 @@ all http requests to https over the port configured as `server.port`.
 supported protocols with versions. Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`
 
 `server.xsrf.whitelist:`:: It is not recommended to disable protections for
-arbitrary API endpoints. Instead, supply the `kbn-xsrf` header. There are some
-scenarios where whitelisting is required, however, such as
-<<kibana-authentication, SAML and OpenID Connect Single Sign-On setups>>.
+arbitrary API endpoints. Instead, supply the `kbn-xsrf` header.
 The `server.xsrf.whitelist` setting requires the following format:
 
 [source,text]
diff --git a/docs/user/security/authentication/index.asciidoc b/docs/user/security/authentication/index.asciidoc
