feat(security,uiam): support both ES native and UIAM session tokens when in UIAM mode#245063
Merged
azasypkin merged 3 commits intoelastic:mainfrom Dec 5, 2025
Conversation
2beb71a to
5d080c1
Compare
Contributor
|
Pinging @elastic/kibana-security (Team:Security) |
5d080c1 to
e8c40af
Compare
Contributor
💛 Build succeeded, but was flaky
Failed CI StepsTest Failures
Metrics [docs]
History
cc @azasypkin |
kc13greiner
approved these changes
Dec 4, 2025
| * transition period while we support both SAML and UIAM tokens at the same time. | ||
| * @param token ES native or UIAM access or refresh token. | ||
| */ | ||
| private isUiamToken(token?: string): this is { options: { uiam: UiamServicePublic } } { |
Contributor
Author
There was a problem hiding this comment.
Yeah, it might be handy, although I wanted TypeScript to also force token!, but it can only deal with either the type of the arguments or this, not both.
Contributor
There was a problem hiding this comment.
This comment was a TIL/amazed, I've never seen this before; very cool!
x-pack/platform/plugins/shared/security/server/authentication/providers/saml.ts
Outdated
Show resolved
Hide resolved
wildemat
pushed a commit
to wildemat/kibana
that referenced
this pull request
Dec 5, 2025
…hen in UIAM mode (elastic#245063) ## Summary During the transitional period and staged rollout, Kibana needs to be able to handle sessions using **either** UIAM or ES native access and refresh tokens, even when UIAM mode is enabled in Kibana. To achieve this, in addition to checking the UIAM configuration, Kibana also checks whether the access token returned by the Elasticsearch SAML realm starts with the well-known UIAM token prefix: `essu_`. ## How to test ### UIAM mode with UIAM tokens Start both ES and Kibana in UIAM mode and check if you can log in. ```bash $ yarn es serverless --projectType security --uiam $ yarn start --serverless=security --uiam ``` ### UIAM mode with ES native tokens Start only Kibana in UIAM mode and check if you can log in. ```bash $ yarn es serverless --projectType security $ yarn start --serverless=security --uiam ``` /cc @slobodanadamovic
This was referenced Dec 5, 2025
JordanSh
pushed a commit
to JordanSh/kibana
that referenced
this pull request
Dec 9, 2025
…hen in UIAM mode (elastic#245063) ## Summary During the transitional period and staged rollout, Kibana needs to be able to handle sessions using **either** UIAM or ES native access and refresh tokens, even when UIAM mode is enabled in Kibana. To achieve this, in addition to checking the UIAM configuration, Kibana also checks whether the access token returned by the Elasticsearch SAML realm starts with the well-known UIAM token prefix: `essu_`. ## How to test ### UIAM mode with UIAM tokens Start both ES and Kibana in UIAM mode and check if you can log in. ```bash $ yarn es serverless --projectType security --uiam $ yarn start --serverless=security --uiam ``` ### UIAM mode with ES native tokens Start only Kibana in UIAM mode and check if you can log in. ```bash $ yarn es serverless --projectType security $ yarn start --serverless=security --uiam ``` /cc @slobodanadamovic
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
During the transitional period and staged rollout, Kibana needs to be able to handle sessions using either UIAM or ES native access and refresh tokens, even when UIAM mode is enabled in Kibana. To achieve this, in addition to checking the UIAM configuration, Kibana also checks whether the access token returned by the Elasticsearch SAML realm starts with the well-known UIAM token prefix:
essu_.How to test
UIAM mode with UIAM tokens
Start both ES and Kibana in UIAM mode and check if you can log in.
UIAM mode with ES native tokens
Start only Kibana in UIAM mode and check if you can log in.
/cc @slobodanadamovic