Implement Server-Side sessions

.github/CODEOWNERS

@@ -174,6 +174,17 @@
 /x-pack/plugins/security/  @elastic/kibana-security
 /x-pack/plugins/security/**/*.scss @elastic/kibana-core-ui
 /x-pack/test/api_integration/apis/security/ @elastic/kibana-security
+/x-pack/test/encrypted_saved_objects_api_integration/ @elastic/kibana-security
+/x-pack/test/functional/apps/security/ @elastic/kibana-security
+/x-pack/test/kerberos_api_integration/ @elastic/kibana-security
+/x-pack/test/login_selector_api_integration/ @elastic/kibana-security
+/x-pack/test/oidc_api_integration/ @elastic/kibana-security
+/x-pack/test/pki_api_integration/ @elastic/kibana-security
+/x-pack/test/saml_api_integration/ @elastic/kibana-security
+/x-pack/test/security_api_integration/ @elastic/kibana-security
+/x-pack/test/security_functional/ @elastic/kibana-security
+/x-pack/test/spaces_api_integration/ @elastic/kibana-security
+/x-pack/test/token_api_integration/ @elastic/kibana-security
 
 # Kibana Localization
 /src/dev/i18n/  @elastic/kibana-localization

docs/settings/security-settings.asciidoc

@@ -125,8 +125,8 @@ In addition to <<authentication-provider-settings,the settings that are valid fo
 | SAML realm in {es} that provider should use.
 
 | `xpack.security.authc.providers.`
-`saml.<provider-name>.maxRedirectURLSize`
-| The maximum size of the URL that {kib} is allowed to store during the authentication SAML handshake. For more information, refer to <<security-saml-and-long-urls>>.
+`saml.<provider-name>.useRelayStateDeepLink`
+| Determines if provider should treat `RelayState` parameter as a deep link in {kib} during Identity Provider initiated login. By default, this setting is set to `false`. The link specified in `RelayState` should be a relative, URL-encoded {kib} URL, e.g. for `/app/dashboards#/list` link `RelayState` parameter would look like this `RelayState=%2Fapp%2Fdashboards%23%2Flist` for .
 
 |===
 
@@ -186,8 +186,7 @@ You can configure the following settings in the `kibana.yml` file.
   | Sets the name of the cookie used for the session. The default value is `"sid"`.
 
 | `xpack.security.encryptionKey`
-  | An arbitrary string of 32 characters or more that is used to encrypt credentials
-  in a cookie. It is crucial that this key is not exposed to users of {kib}. By
+  | An arbitrary string of 32 characters or more that is used to encrypt session information. It is crucial that this key is not exposed to users of {kib}. By
   default, a value is automatically generated in memory. If you use that default
   behavior, all sessions are invalidated when {kib} restarts.
   In addition, high-availability deployments of {kib} will behave unexpectedly
@@ -237,6 +236,20 @@ string of `<count>[ms|s|m|h|d|w|M|Y]` (e.g. '70ms', '5s', '3d', '1Y').
 [cols="2*<"]
 |===
 
+| `xpack.security.session.cleanupInterval`
+| Sets the interval at which {kib} tries to remove expired and invalid sessions from the session index. By default, this value is 1 hour. The minimum value is 10 seconds.
+
+|===
+
+[TIP]
+============
+The format is a
+string of `<count>[ms|s|m|h|d|w|M|Y]` (e.g. '20m', '24h', '7d', '1w').
+============
+
+[cols="2*<"]
+|===
+
 | `xpack.security.loginAssistanceMessage`
   | Adds a message to the login screen. Useful for displaying information about maintenance windows, links to corporate sign up pages etc.
 

docs/setup/production.asciidoc

@@ -132,7 +132,7 @@ server.port
 
 Settings that must be the same:
 --------
-xpack.security.encryptionKey //decrypting session cookies
+xpack.security.encryptionKey //decrypting session information
 xpack.reporting.encryptionKey //decrypting reports
 xpack.encryptedSavedObjects.encryptionKey // decrypting saved objects
 --------

docs/user/security/authentication/index.asciidoc

@@ -181,26 +181,6 @@ Basic authentication is supported _only_ if the `basic` authentication provider
 
 To support basic authentication for the applications like `curl` or when the `Authorization: Basic base64(username:password)` HTTP header is included in the request (for example, by reverse proxy), add `Basic` scheme to the list of supported schemes for the <<http-authentication,HTTP authentication>>.
 
-[float]
-[[security-saml-and-long-urls]]
-===== SAML and long URLs
-
-At the beginning of the SAML handshake, {kib} stores the initial URL in the session cookie, so it can redirect the user back to that URL after successful SAML authentication.
-If the URL is long, the session cookie might exceed the maximum size supported by the browser--typically 4KB for all cookies per domain. When this happens, the session cookie is truncated,
-or dropped completely, and you might experience sporadic failures during SAML authentication.
-
-To remedy this issue, you can decrease the maximum
-size of the URL that {kib} is allowed to store during the SAML handshake. The default value is 2KB.
-
-[source,yaml]
---------------------------------------------------------------------------------
-xpack.security.authc.providers:
-  saml.saml1:
-    order: 0
-    realm: saml1
-    maxRedirectURLSize: 1kb
---------------------------------------------------------------------------------
-
 [[oidc]]
 ==== OpenID Connect single sign-on
 

docs/user/security/securing-kibana.asciidoc

@@ -56,35 +56,7 @@ xpack.security.encryptionKey: "something_at_least_32_characters"
 For more information, see <<security-settings-kb,Security settings in {kib}>>.
 --
 
-. Optional: Set a timeout to expire idle sessions. By default, a session stays
-active until the browser is closed. To define a sliding session expiration, set
-the `xpack.security.session.idleTimeout` property in the `kibana.yml`
-configuration file. The idle timeout is formatted as a duration of
-`<count>[ms|s|m|h|d|w|M|Y]` (e.g. '70ms', '5s', '3d', '1Y'). For example, set
-the idle timeout to expire idle sessions after 10 minutes:
-+
---
-[source,yaml]
---------------------------------------------------------------------------------
-xpack.security.session.idleTimeout: "10m"
---------------------------------------------------------------------------------
---
-
-. Optional: Change the maximum session duration or "lifespan" -- also known as
-the "absolute timeout". By default, a session stays active until the browser is
-closed. If an idle timeout is defined, a session can still be extended
-indefinitely. To define a maximum session lifespan, set the
-`xpack.security.session.lifespan` property in the `kibana.yml` configuration
-file. The lifespan is formatted as a duration of `<count>[ms|s|m|h|d|w|M|Y]`
-(e.g. '70ms', '5s', '3d', '1Y'). For example, set the lifespan to expire
-sessions after 8 hours:
-+
---
-[source,yaml]
---------------------------------------------------------------------------------
-xpack.security.session.lifespan: "8h"
---------------------------------------------------------------------------------
---
+. Optional: <<xpack-security-session-management, Configure {kib} session settings>>.
 
 . Optional: <<configuring-tls,Configure {kib} to encrypt communications>>.
 
@@ -146,3 +118,4 @@ include::securing-communications/index.asciidoc[]
 include::securing-communications/elasticsearch-mutual-tls.asciidoc[]
 include::audit-logging.asciidoc[]
 include::access-agreement.asciidoc[]
+include::session-management.asciidoc[]

docs/user/security/session-management.asciidoc

@@ -0,0 +1,62 @@
+[role="xpack"]
+[[xpack-security-session-management]]
+=== Session management
+
+When you log in to {kib} it creates a session that is used to authenticate any subsequent request to {kib} made on your behalf. {kib} encrypts any sensitive session information and stores it in a dedicated hidden {es} index. By default, the name of that index is `.kibana_security_session_1` where the prefix depends on the name of the main `.kibana` index.
+
+Additionally, for every new session {kib} creates an encrypted client side cookie that is stored in your browser and sent to {kib} with every request. This way {kib} can associate request with the session information stored in the session index.
+
+When your session expires, or you log out of {kib} explicitly it will invalidate your cookie and remove session information from the index. In addition to that {kib} performs a regular session index cleanup to remove any expired sessions that weren't invalidated explicitly.
+
+[[session-idle-timeout]]
+==== Session idle timeout
+
+You can configure timeout to expire idle sessions. By default, a session stays
+active until the browser is closed. To define a sliding session expiration, set
+the `xpack.security.session.idleTimeout` property in the `kibana.yml`
+configuration file. The idle timeout is formatted as a duration of
+`<count>[ms|s|m|h|d|w|M|Y]` (e.g. '70ms', '5s', '3d', '1Y'). For example, set
+the idle timeout to expire idle sessions after 10 minutes:
+
+--
+[source,yaml]
+--------------------------------------------------------------------------------
+xpack.security.session.idleTimeout: "10m"
+--------------------------------------------------------------------------------
+--
+
+[[session-lifespan]]
+==== Session lifespan
+
+You can configure the maximum session duration or "lifespan" -- also known as
+the "absolute timeout". By default, a session stays active until the browser is
+closed. If an idle timeout is defined, a session can still be extended
+indefinitely. To define a maximum session lifespan, set the
+`xpack.security.session.lifespan` property in the `kibana.yml` configuration
+file. The lifespan is formatted as a duration of `<count>[ms|s|m|h|d|w|M|Y]`
+(e.g. '70ms', '5s', '3d', '1Y'). For example, set the lifespan to expire
+sessions after 8 hours:
+
+--
+[source,yaml]
+--------------------------------------------------------------------------------
+xpack.security.session.lifespan: "8h"
+--------------------------------------------------------------------------------
+--
+
+[[session-cleanup-interval]]
+==== Session cleanup interval
+
+You can configure the interval at which {kib} tries to remove expired and invalid sessions from the session index. By default, this value is 1 hour and cannot be less than 10 seconds. To define another interval, set the `xpack.security.session.cleanupInterval` property in the `kibana.yml` configuration file. The interval is formatted as a duration of `<count>[ms|s|m|h|d|w|M|Y]` (e.g. '70000ms', '50s', '3d', '1Y'). For example, schedule session index cleanup to be performed only once a day:
+
+--
+[source,yaml]
+--------------------------------------------------------------------------------
+xpack.security.session.cleanupInterval: "1d"
+--------------------------------------------------------------------------------
+--
+
+[IMPORTANT]
+============================================================================
+If you specify neither session idle timeout nor lifespan, then {kib} will not automatically remove session information from the index unless you explicitly log out of {kib}. This may lead to an infinitely growing session index. It's one of the reasons why we strongly recommend configuring idle timeout and lifespan settings for the {kib} sessions so that they can be eventually cleaned up even if you don't log out of {kib} explicitly.
+============================================================================

src/dev/build/tasks/os_packages/docker_generator/resources/bin/kibana-docker

@@ -235,6 +235,7 @@ kibana_vars=(
     xpack.security.sessionTimeout
     xpack.security.session.idleTimeout
     xpack.security.session.lifespan
+    xpack.security.session.cleanupInterval
     xpack.security.loginAssistanceMessage
     xpack.security.loginHelp
     xpack.spaces.enabled

x-pack/plugins/security/kibana.json

@@ -3,7 +3,7 @@
   "version": "8.0.0",
   "kibanaVersion": "kibana",
   "configPath": ["xpack", "security"],
-  "requiredPlugins": ["data", "features", "licensing"],
+  "requiredPlugins": ["data", "features", "licensing", "taskManager"],
   "optionalPlugins": ["home", "management"],
   "server": true,
   "ui": true,

x-pack/plugins/security/public/authentication/authentication_service.ts

@@ -4,7 +4,12 @@
  * you may not use this file except in compliance with the Elastic License.
  */
 
-import { ApplicationSetup, StartServicesAccessor, HttpSetup } from 'src/core/public';
+import {
+  ApplicationSetup,
+  StartServicesAccessor,
+  HttpSetup,
+  FatalErrorsSetup,
+} from 'src/core/public';
 import { AuthenticatedUser } from '../../common/model';
 import { ConfigType } from '../config';
 import { PluginStartDependencies } from '../plugin';
@@ -13,9 +18,11 @@ import { loginApp } from './login';
 import { logoutApp } from './logout';
 import { loggedOutApp } from './logged_out';
 import { overwrittenSessionApp } from './overwritten_session';
+import { captureURLApp } from './capture_url';
 
 interface SetupParams {
   application: ApplicationSetup;
+  fatalErrors: FatalErrorsSetup;
   config: ConfigType;
   http: HttpSetup;
   getStartServices: StartServicesAccessor<PluginStartDependencies>;
@@ -36,6 +43,7 @@ export interface AuthenticationServiceSetup {
 export class AuthenticationService {
   public setup({
     application,
+    fatalErrors,
     config,
     getStartServices,
     http,
@@ -48,6 +56,7 @@ export class AuthenticationService {
         .apiKeysEnabled;
 
     accessAgreementApp.create({ application, getStartServices });
+    captureURLApp.create({ application, fatalErrors, http });
     loginApp.create({ application, config, getStartServices, http });
     logoutApp.create({ application, http });
     loggedOutApp.create({ application, getStartServices, http });

x-pack/plugins/security/public/authentication/capture_url/capture_url_app.test.ts

@@ -0,0 +1,73 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+import { AppMount, ScopedHistory } from 'src/core/public';
+import { captureURLApp } from './capture_url_app';
+
+import { coreMock, scopedHistoryMock } from '../../../../../../src/core/public/mocks';
+
+describe('captureURLApp', () => {
+  beforeAll(() => {
+    Object.defineProperty(window, 'location', {
+      value: { href: 'https://some-host' },
+      writable: true,
+    });
+  });
+
+  it('properly registers application', () => {
+    const coreSetupMock = coreMock.createSetup();
+
+    captureURLApp.create(coreSetupMock);
+
+    expect(coreSetupMock.http.anonymousPaths.register).toHaveBeenCalledTimes(1);
+    expect(coreSetupMock.http.anonymousPaths.register).toHaveBeenCalledWith(
+      '/internal/security/capture-url'
+    );
+
+    expect(coreSetupMock.application.register).toHaveBeenCalledTimes(1);
+
+    const [[appRegistration]] = coreSetupMock.application.register.mock.calls;
+    expect(appRegistration).toEqual({
+      id: 'security_capture_url',
+      chromeless: true,
+      appRoute: '/internal/security/capture-url',
+      title: 'Capture URL',
+      mount: expect.any(Function),
+    });
+  });
+
+  it('properly handles captured URL', async () => {
+    window.location.href = `https://host.com/mock-base-path/internal/security/capture-url?next=${encodeURIComponent(
+      '/mock-base-path/app/home'
+    )}&providerType=saml&providerName=saml1#/?_g=()`;
+
+    const coreSetupMock = coreMock.createSetup();
+    coreSetupMock.http.post.mockResolvedValue({ location: '/mock-base-path/app/home#/?_g=()' });
+
+    captureURLApp.create(coreSetupMock);
+
+    const [[{ mount }]] = coreSetupMock.application.register.mock.calls;
+    await (mount as AppMount)({
+      element: document.createElement('div'),
+      appBasePath: '',
+      onAppLeave: jest.fn(),
+      history: (scopedHistoryMock.create() as unknown) as ScopedHistory,
+    });
+
+    expect(coreSetupMock.http.post).toHaveBeenCalledTimes(1);
+    expect(coreSetupMock.http.post).toHaveBeenCalledWith('/internal/security/login', {
+      body: JSON.stringify({
+        providerType: 'saml',
+        providerName: 'saml1',
+        currentURL: `https://host.com/mock-base-path/internal/security/capture-url?next=${encodeURIComponent(
+          '/mock-base-path/app/home'
+        )}&providerType=saml&providerName=saml1#/?_g=()`,
+      }),
+    });
+
+    expect(window.location.href).toBe('/mock-base-path/app/home#/?_g=()');
+  });
+});