Review UX and text of the authentication related screens

[azasypkin]

There are number of authentication screens we have in Kibana that are rarely seen by our users and hence we don't touch them very often too. But I believe it makes sense to periodically review them with the Design and Docs Teams to make sure the texts are still relevant and UX is consistent.

Edit 2022-02-01: Add screenshot tests for visuals
Edit 2022-11-14: @watson to include one more screen when CSP isn't supported by the user's browser ✅
Edit 2022-11-15: Added screenshot with message for unsupported browser

Fail states of the Login Form/Selector

• When administrators mistakenly or not configured Kibana in a way that it doesn't allow any authentication mechanisms:

• When administrators configured Kibana to use Secure cookies, but didn't configure Kibana to use TLS (a strict requirement in this case):

• When Elasticsearch isn't available

• When Elasticsearch is available, but we cannot retrieve current license for some reason

• Unexpected error during login page rendering (it should never happen in theory, if it happens it's most likely a bug in our code or some weird network glitch)

Logout related messages

• When user hits logout button and Login Selector/Form is enabled (the most common use case these days)

• When user hits logout button and Login Selector/Form is NOT enabled. I thought maybe it'd make sense to unify wording in this case with the case above? The only problem is that the font is larger on this screen and the message will be split into multiple lines unless we change styles.

• When Kibana forces user to log out because of expired session and Login Selector/Form is enabled

• When Kibana forces user to log out because of expired session and Login Selector/Form is NOT enabled. It looks exactly the same as the case when user decides to log out on their own. Would probably make sense to change the wording here as well, but again the current font size may be a problem. I'm explicitly calling out the font size since this page/component is re-used in other cases (access agreement and overwritten session screen described below) that will be affected if we change the font size.

Other messages

• When user happens to automatically re-login when they already had an active session as a different user (quite rare case, but it happens)

• If the users browser doesn't support CSP, this message will be displayed. An easy to to reproduce this is to remove the CSP header from the response and launch Kibana

[elasticmachine]

Pinging @elastic/kibana-security (Team:Security)

[azasypkin]

@elastic/kibana-docs @elastic/kibana-core-ui-designers could you please review these screens and texts and let me know if you think we should change/improve anything?

I also left a couple of questions regarding unification of "logout" messages for the case with and without Login Selector.

Thanks!

[ryankeairns]

Thanks for putting this together @azasypkin , so many variations that I've not seen before!

Two quick takes:

• the copy/text feels like the area of most need
• while I understand the reason for changing the 'Welcome to Elastic' title, we should avoid using that for system messages

As we work through the copy, we can also explore where best to put the system messages. A subtitle, for example, would be a preferable solution, and I'm certain we can come up with some other title message that does not welcome people to the log out screen 😆

[azasypkin]

As we work through the copy, we can also explore where best to put the system messages. A subtitle, for example, would be a preferable solution, and I'm certain we can come up with some other title message that does not welcome people to the log out screen laughing

Thanks for the feedback! And I agree with everything you've just posted 🙂

[gchaps]

I'll take a look at the copy and post my comments here.

[gchaps]

Login error messages

Instead of "Welcome to Elastic" how about using the logo alone or the logo + elastic (as on the website)

Kibana not configured

Login is disabled (no ending period)
Contact your system administrator.

Secure connection (ok as is)

A secure connection is required for log in
Contact your system administrator.

Elasticsearch isn't available

Cannot connect to the Elasticsearch cluster
Try reloading the page. See the Kibana logs for details.

Can't retrieve the current license

Cannot connect to the Elasticsearch cluster currently configure for Kibana
To use the full set of free features in this distribution, please update Elasticsearch to the default distribution.

@alexfrancoeur How should we word the text regarding licensing?

Problem rendering login screen

Cannot render login page
Try reloading the page. See the Kibana logs for details.

Logout error messages

Selector form enabled

One of the following:

You have logged out.
You have logged out of Elastic
You have logged out. Log in again at any time.

Selector form NOT enabled

Whatever you decide above

Session time out with form enabled (ok as is)

Your session has timed out. Please log in again.

Session time out when form is NOT enabled

Your session has timed out. Please log in again.

Previously logged in as different user 1
This one is a confusing. Will the previous log in always be elastic? Can we give users the choice to log in as a different user?

You previously logged in as elastic.

Continue as elastic | Log in as a different user

Previously logged in as different user 2

Should we also consider this one screen as part of this PR?

Suggested text:

You don't have permission to access this page

Go back to the previous page or log in as a different user.

Question: why login in as a different user and not contact your administrator to request access?

[azasypkin]

This one is a confusing. Will the previous log in always be elastic? Can we give users the choice to log in as a different user?

Yeah, sorry for not being clear on this one. This screen is shown when user already automatically re-logged in as a different user. In this case user re-logged in as elastic, but it can be any username. Here we just notify user after the fact (we don't offer Log in as a different user here since it may not be possible in a number of scenarios, so we took the easiest route) .

Should we also consider this one screen as part of this PR?

Yeah, sure! It was recently added/reviewed that's why I skipped it initially, but happy to make any adjustments to this one too.

[alexfrancoeur]

@alexfrancoeur How should we word the text regarding licensing?

@gchaps thanks for the tag and @azasypkin thanks for the detailed breakdown of each scenario. I agree, it's useful to periodically review the content in these error messages.

Here's what's currently presented.

Cannot connect to the Elasticsearch cluster currently configured for Kibana
To use the full set of free features in this distribution, please update Elasticsearch to the default distribution.

@azasypkin can you confirm two quick things. Does this error only occur when there is a license mismatch? And if so, does it only occur with OSS and Basic? Or can this occur with Basic and Gold+ as well?

Here are some quick suggestions. What do you think @gchaps? Is there any way we can reduce the text in the below suggestions?

If this error is only shown when there is a license mismatch and the license tier doesn't matter

Cannot connect to the Elasticsearch cluster currently configured for Kibana
The Elasticsearch cluster license does not match the license for Kibana, contact your system administrator

Alternatively

The Elasticsearch cluster license does not match the license for Kibana
Contact your system administrator

If the error is only shown when there is a license mismatch and this only occurs with an OSS ES cluster and a Basic+ Kibana

Cannot connect to the Elasticsearch cluster currently configured for Kibana
The Elasticsearch cluster license does not match the license for Kibana, contact your system administrator to take advantage of the full set of free features from Elastic

Alternatively

The Elasticsearch cluster license does not match the license for Kibana
Contact your system administrator to take advantage of the full set of free features from Elastic

[gchaps]

I like the alternate version that @alexfrancoeur suggested because the title is more descriptive. Is the word "cluster" necessary after Elasticsearch? Instead can it be:

The Elasticsearch license does not match the Kibana license
Contact your system administrator.

The Elasticsearch license does not match the Kibana license
Contact your system administrator for the full set of free features from Elastic.

[azasypkin]

@azasypkin can you confirm two quick things. Does this error only occur when there is a license mismatch? And if so, does it only occur with OSS and Basic? Or can this occur with Basic and Gold+ as well?

As far as I can tell it's for the case when default distribution of Kibana tries to connect to the OSS ES and hence cannot get any license information. But I've just checked this scenario and I see that on 7.x/master Kibana doesn't start at all in this case. @kobelb do you know if we still need to support this setup somehow?

[kobelb]

As far as I can tell it's for the case when default distribution of Kibana tries to connect to the OSS ES and hence cannot get any license information.

👍 I quickly checked version 7.4, and this is what happens on that version. I'm not sure which version this stopped working in, though.

But I've just checked this scenario and I see that on 7.x/master Kibana doesn't start at all in this case. @kobelb do you know if we still need to support this setup somehow?

I think we have some wiggle room here; however, I don't think the current behavior is acceptable. At a minimum, I think we should make it explicit to the user that this is the reason why Kibana is essentially inoperable. In 7.10, Kibana is crashing on startup without clearly stating why it failed to start-up. The behavior in 7.10 is likely to confuse our users and not help them remedy the situation. If we were to crash on start-up with an explicit error message, I think that'd be fine.