A separate Apache vhost cas-logstash.wikimedia.org has been added which uses mod_auth_cas (along with the necessary cert changes) and is registered as a service in CAS. The login logic at the Apache level works fine, but there are a number of issues running the Kibana web app with mod_cas.
Kibana 7 (which is being enabled with cas-logstash.wikimedia.org) added various built-in CSP features which don't work with an auth workflow that redirects to the IDP.
Elastic added a new config knob to configure the CSP policy and I created a setting which is based on the default policy shipped in the deb along with allowing wikimedia.org subdomains:

```yaml
csp.rules:
  - "script-src 'unsafe-eval' 'unsafe-inline' 'self' https://*.wikimedia.org http://*.wikimedia.org"
  - "worker-src blob:"
  - "child-src blob:"
  - "style-src 'unsafe-inline' 'self' https://*.wikimedia.org http://*.wikimedia.org"
```
But even with that modified CSP applied, there are various CSS and JavaScript blobs blocked by security policies, falling into two categories:
- The resource from “https://idp.wikimedia.org/login?service=http%3a%2f%2fcas-log…2fnode_modules%2f%40kbn%2fui-framework%2fdist%2fkui_dark.css” was blocked due to MIME type (“”) mismatch (X-Content-Type-Options: nosniff).
- Blocked loading mixed active content “http://cas-logstash.wikimedia.org/node_modules/@kbn/ui-frame…ui_dark.css?ticket=ST-50-wzGz--TQ6JCfMzauKnPhTX54Q-4-idp2001”
The latter is probably solvable by changes to the vhost; not sure about the former, which needs more debugging to determine whether and how we can integrate this with mod_cas, or whether we'll need to wait for native SAML authentication in Kibana.
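To separate what the csp.rules above actually permit from what the two console errors are really reporting, here is an added example (not part of this task, and not code from Kibana, Elastic or mod_auth_cas) that evaluates the quoted policy against the two blocked loads. It implements a simplified CSP host-source matcher, a mixed-content check and a nosniff MIME check; the page URL, the decoded stylesheet path and the `ST-EXAMPLE` ticket value are constructed stand-ins, and the empty Content-Type for the IDP redirect mirrors the `MIME type ("")` in the first error.

```python
# Added example: checks the task's csp.rules against the two blocked loads so
# the CSP decision, the mixed-content block and the nosniff block are visible
# as three separate verdicts. Simplified CSP matching, not a full implementation.
from urllib.parse import urlparse

# The csp.rules list quoted in the task, as plain strings.
CSP_RULES = [
    "script-src 'unsafe-eval' 'unsafe-inline' 'self' https://*.wikimedia.org http://*.wikimedia.org",
    "worker-src blob:",
    "child-src blob:",
    "style-src 'unsafe-inline' 'self' https://*.wikimedia.org http://*.wikimedia.org",
]

# MIME types a browser accepts per fetch destination when the response carries
# X-Content-Type-Options: nosniff (simplified: CSS needs text/css, scripts a JS type).
NOSNIFF_OK = {
    "style": {"text/css"},
    "script": {"text/javascript", "application/javascript", "application/x-javascript"},
}


def parse_csp(rules):
    """Map each directive name to its list of source expressions."""
    policy = {}
    for rule in rules:
        directive, *sources = rule.split()
        policy[directive] = sources
    return policy


def _host_matches(pattern, host):
    # "*.wikimedia.org" matches any subdomain but not the bare apex.
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def _source_allows(source, url, page_url):
    u, page = urlparse(url), urlparse(page_url)
    if source == "'self'":
        return (u.scheme, u.netloc) == (page.scheme, page.netloc)
    if source.startswith("'"):
        return False  # keyword sources ('unsafe-inline' etc.) never match a URL
    if source.endswith(":"):  # scheme source such as blob:
        return u.scheme + ":" == source
    src = urlparse(source)
    # An http: host source also matches an https: URL (upgrade allowed, downgrade not).
    if src.scheme and not (src.scheme == u.scheme or (src.scheme == "http" and u.scheme == "https")):
        return False
    return _host_matches(src.hostname, u.hostname)


def csp_allows(policy, directive, url, page_url):
    """True if the directive (or the default-src fallback) has a matching source."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # neither the directive nor default-src is set: unrestricted
    return any(_source_allows(s, url, page_url) for s in sources)


def is_mixed_content(url, page_url):
    """Active content fetched over http:// into an https:// page is blocked."""
    return urlparse(page_url).scheme == "https" and urlparse(url).scheme == "http"


def nosniff_blocks(destination, content_type):
    """Would nosniff reject a response with this Content-Type for this destination?"""
    mime = content_type.split(";")[0].strip().lower()
    return mime not in NOSNIFF_OK[destination]


def weak_sources(policy):
    """Sources that weaken the policy regardless of the CAS problem."""
    return [(d, s) for d, srcs in policy.items() for s in srcs
            if s in ("'unsafe-inline'", "'unsafe-eval'")]


def diagnose(policy, page_url, url, directive, destination, content_type):
    return {
        "csp_allows": csp_allows(policy, directive, url, page_url),
        "mixed_content": is_mixed_content(url, page_url),
        "nosniff_blocks": nosniff_blocks(destination, content_type),
    }


if __name__ == "__main__":
    policy = parse_csp(CSP_RULES)
    page = "https://cas-logstash.wikimedia.org/app/kibana"  # constructed page URL
    # Case 1: the stylesheet request was redirected to the IDP login page, which
    # answered with no Content-Type (the "" in the task's first error message).
    case1 = diagnose(policy, page,
                     "https://idp.wikimedia.org/login?service=http%3a%2f%2fcas-logstash.wikimedia.org",
                     "style-src", "style", "")
    # Case 2: the same stylesheet fetched over plain http with a CAS ticket
    # appended (ticket value is a constructed placeholder, not a real ticket).
    case2 = diagnose(policy, page,
                     "http://cas-logstash.wikimedia.org/node_modules/@kbn/ui-framework/dist/kui_dark.css?ticket=ST-EXAMPLE",
                     "style-src", "style", "text/css")
    print("IDP redirect:   ", case1)
    print("http stylesheet:", case2)
    print("weak sources:   ", weak_sources(policy))
```

Running it shows that the policy allows both URLs (idp.wikimedia.org and cas-logstash.wikimedia.org both match the wildcard host sources), so the two errors come from nosniff rejecting the HTML login page as a stylesheet and from the http:// fetch being mixed content, not from csp.rules. It also lists the 'unsafe-inline' and 'unsafe-eval' sources, which remain in the policy and are worth keeping in view independently of the CAS work.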