License expiration for security features #74646

Open
legrego opened this issue Aug 10, 2020 · 3 comments
Labels
enhancement New value added to drive a business result Feature:License Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more!

Comments

@legrego
Member

legrego commented Aug 10, 2020

Many of our security features are available for free under Elastic's Basic License, but some of the more complex or esoteric features are only available under a paid license.

We have historically been lenient at best, and inconsistent at worst when licenses expire. We should research and remediate any shortcomings we have with respect to license enforcement. Specifically:

  1. When a license expires, ensure that all features licensed under our Basic (free) tier continue to function without restrictions.
    a) User Management
    b) Role Management, without sub-feature privileges
    c) Authentication via our basic and token auth providers
  2. When a license expires, ensure that all paid features stop working. This includes, but is not limited to, the following:
    a) Paid authentication providers (SAML, OIDC, Kerberos, PKI). It might suffice to rely on Elasticsearch for this check, although a better UX would be to mark them as disabled in the access agreement login selector UI. See also "Better error handling when SAML realm is not available under current license" (#60337) and "SAML config - error message displayed when a license which is any less than platinum is applied, can be improved." (#34592)
    b) Access Agreement UI: should no longer be part of the login flow
    c) Sub-feature privileges: should no longer be configurable. I believe this is already resolved, just mentioning it for completeness
    d) Role Mappings UI: should no longer be visible under the Stack Management application. I believe this is already resolved, just mentioning it for completeness
@legrego legrego added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Feature:License labels Aug 10, 2020
@elasticmachine
Contributor

Pinging @elastic/kibana-security (Team:Security)

@azasypkin
Member

> a) Paid authentication providers (SAML, OIDC, Kerberos, PKI). It might suffice to rely on Elasticsearch for this check, although a better UX would be to mark them as disabled in the access agreement UI. See also #60337, #34592

That's a good idea (assuming you meant access agreement UI ---> login selector UI)! And we also should figure out a way to display something like this when Login Selector isn't enabled (e.g. when users have just SAML and don't need login selector).

@legrego
Member Author

legrego commented Aug 10, 2020

> That's a good idea (assuming you meant access agreement UI ---> login selector UI)!

Yup, good catch. I updated the original description 😄

> And we also should figure out a way to display something like this when Login Selector isn't enabled (e.g. when users have just SAML and don't need login selector).

Yes that's a great call!

@legrego legrego added the enhancement New value added to drive a business result label Sep 17, 2020
@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels Aug 5, 2021
@legrego legrego removed EnableJiraSync loe:small Small Level of Effort impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. labels Aug 18, 2022
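
The behaviour requested in this thread, sketched as an added example (not Kibana's code and not written by the participants): paid features fail closed on expiry, Basic features keep working, and a notice is produced even when no login selector is rendered. All type and function names are hypothetical, and the license is modelled as a simple paid flag plus expiry time, which is an assumption.

```typescript
// Hypothetical model, not Kibana's licensing API. Feature lists follow the issue text.
type Provider = 'basic' | 'token' | 'saml' | 'oidc' | 'kerberos' | 'pki';
interface License { paid: boolean; expiresAtMs: number }
interface ProviderView { type: Provider; enabled: boolean; reason?: string }
interface LoginView {
  providers: ProviderView[];
  showAccessAgreement: boolean;
  subFeaturePrivilegesConfigurable: boolean;
  showRoleMappingsUI: boolean;
  notice: string | undefined; // page-level message, independent of the login selector
}

// Which providers need a paid license (basic and token auth stay free).
const REQUIRES_PAID: Record<Provider, boolean> = {
  basic: false, token: false, saml: true, oidc: true, kerberos: true, pki: true,
};

// Fail closed: an expired or non-paid license never unlocks paid features.
function paidFeaturesAllowed(license: License, nowMs: number): boolean {
  return license.paid && nowMs < license.expiresAtMs;
}

function buildLoginView(configured: Provider[], license: License, nowMs: number): LoginView {
  const paidOk = paidFeaturesAllowed(license, nowMs);
  // Keep paid providers visible but disabled, so users see why they cannot be used.
  const providers = configured.map((type): ProviderView =>
    !REQUIRES_PAID[type] || paidOk
      ? { type, enabled: true }
      : { type, enabled: false, reason: 'not available under the current license' }
  );
  const disabled = providers.filter((p) => !p.enabled).map((p) => p.type);
  return {
    providers,
    showAccessAgreement: paidOk,
    subFeaturePrivilegesConfigurable: paidOk,
    showRoleMappingsUI: paidOk,
    // Covers deployments with a single SAML provider where no selector is shown.
    notice: disabled.length > 0 ? `Disabled by license: ${disabled.join(', ')}` : undefined,
  };
}
```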