TL;DR
Kibana iframe embedding requires 40-80 hours of setup, 10-20 hours/month maintenance, and manual security configuration per tenant that’s error-prone. Dedicated embedded analytics solutions use signed tokens for automatic tenant isolation, offer full white-labeling, and integrate in 2-8 hours with ~50 lines of code. Choose Kibana for internal/single-tenant use; choose dedicated solutions for customer-facing multi-tenant SaaS.
Table of Contents
- Introduction
- The Fundamental Difference
- Comparison 1: Security Architecture
- Comparison 2: Multi-Tenancy Implementation
- Comparison 3: White-Label Capabilities
- Comparison 4: Development and Maintenance Effort
- Comparison 5: Query Capabilities
- Decision Framework
- The Bottom Line
- Frequently Asked Questions
- Next Steps
Introduction
You’ve built your SaaS product on Elasticsearch. Now your customers want analytics. The obvious path is Kibana , it’s already in your stack, it’s “free,” and it has dashboarding capabilities.
But Kibana was built for internal operations teams, not customer-facing SaaS products.
This guide compares the Kibana iframe approach against dedicated embedded analytics solutions across the dimensions that matter for production SaaS: security, multi-tenancy, white-labeling, and development effort.
The Fundamental Difference
Kibana’s design assumption: Trusted internal users accessing a shared system with centralized IT support.
SaaS embedded analytics requirement: Untrusted external users, each seeing only their data, with zero admin overhead.
This mismatch drives every limitation you’ll encounter with Kibana embedding.
Comparison 1: Security Architecture
Kibana Iframe Approach
Kibana requires explicit security configuration at multiple layers:
Authentication challenges:
- No native single sign-on with your application
- Double authentication problem: users log into your app, then face Kibana login
- Session management between your app and Kibana is your responsibility
- Cookie-based auth breaks with modern browser SameSite policies
Authorization complexity:
- Role-based access control must be configured in Elasticsearch
- Document-level security requires query filters in role definitions
- Misconfigured roles can expose cross-tenant data
- Security issues documented where dashboards appeared despite “none” privileges
# Example: Creating a tenant-specific role
PUT /_security/role/tenant_acme_role
{
"indices": [{
"names": ["logs-*", "metrics-*"],
"privileges": ["read"],
"query": {
"term": {"tenant_id.keyword": "acme"}
}
}],
"applications": [{
"application": "kibana-.kibana",
"privileges": ["space_read"],
"resources": ["space:tenant-acme"]
}]
}Risk: One missing query filter = data leak between customers.
Dedicated Embedded Analytics Approach
Purpose-built solutions handle security through signed tokens:
// Backend: Generate secure embed token
const token = analytics.generateEmbedToken({
userId: req.user.id,
tenantId: req.user.organizationId, // Automatic data filtering
dashboardId: 'overview',
expiresIn: '24h'
});
// Frontend: Token contains all security context
// No separate auth flow, no session managementHow it works:
- Token cryptographically signed with your secret key
- Tenant context injected into every query automatically
- Impossible for queries to return other tenants’ data
- SSO through your existing authentication
For a deeper dive into security tradeoffs, see SSO vs Secure URL Embedding.
Security Comparison Summary
| Aspect | Kibana | Dedicated Solution |
|---|---|---|
| SSO integration | Requires proxy/SAML setup | Token-based, built-in |
| Tenant isolation | Manual role configuration | Automatic per token |
| Risk of misconfiguration | High (complex rules) | Low (declarative) |
| Audit trail | Requires Elasticsearch audit logs | Built into platform |
| Breach impact | Potentially all tenants | Single token scope |
Security architecture diagram comparing Kibana iframe authentication flow vs token-based embedded analytics for Elasticsearch SaaS Kibana iframe embedding requires complex proxy/SAML authentication chains. Dedicated solutions use signed tokens that embed tenant context into every query.
Comparison 2: Multi-Tenancy Implementation
Kibana Approach: Spaces + Roles + Indices
According to Elastic’s own documentation, Kibana Spaces alone don’t prevent cross-tenant data access. You need a combination of:
- Kibana Spaces – One per tenant for dashboard isolation
- Elasticsearch roles – With document-level security queries
- Index patterns – Configured per Space
- User management – Mapping users to roles
For each new customer, you must:
# 1. Create Kibana Space
curl -X POST "localhost:5601/api/spaces/space" \
-H "kbn-xsrf: true" \
-d '{"id":"tenant-newcustomer","name":"New Customer"}'
# 2. Create Elasticsearch role with DLS
curl -X PUT "localhost:9200/_security/role/tenant_newcustomer" \
-d '{"indices":[{"names":["*"],"privileges":["read"],
"query":{"term":{"tenant_id":"newcustomer"}}}]}'
# 3. Create user with role
# 4. Configure index patterns in Space
# 5. Copy dashboard templates to Space
# Repeat for every customerScaling problems:
- Linear configuration growth per customer
- Dashboard updates must propagate to all Spaces
- Role permission drift over time
- No programmatic way to verify isolation
Dedicated Solution Approach: Token-Based Tenancy
// That's it. Tenant filtering is automatic.
const embedUrl = generateEmbedUrl({
tenantId: customer.id,
dashboardId: 'main'
});How it scales:
- Zero configuration per new customer
- Dashboard templates shared across all tenants
- Tenant filter applied at query time
- Verification: single tenant context per request
Multi-Tenancy Comparison
| Aspect | Kibana | Dedicated Solution |
|---|---|---|
| New customer setup | 5+ API calls, manual config | Zero configuration |
| Dashboard templates | Copy per Space | Shared, filtered at runtime |
| Configuration at 100 customers | 100 Spaces, 100 roles | Same as 1 customer |
| Configuration at 1000 customers | Unmanageable | Same as 1 customer |
| Drift risk | High | None |
Comparison 3: White-Label Capabilities
Kibana Iframe: Limited to None
When embedding Kibana via cross-origin iframe, you cannot:
- Remove Kibana branding and logos
- Customize navigation elements
- Change color schemes to match your brand
- Apply custom fonts
- Hide “Powered by Elastic” attributions
Why CSS injection doesn’t work:
// Browser blocks this - same-origin policy
const iframe = document.querySelector('iframe');
iframe.contentDocument.querySelector('.kibana-logo').style.display = 'none';
// Error: Blocked access to cross-origin frameYour options:
- Same-origin hosting: Run Kibana on your domain (security implications)
- Reverse proxy: Rewrite HTML responses (complex, fragile)
- Accept branding: Looks like you embedded someone else’s product
In Kibana 8.15.x, the embed=true parameter regression exposed full Kibana UI including navigation bars in embedded views.
Dedicated Solutions: Full White-Label
const dashboard = new EmbedSDK({
container: '#analytics',
token: embedToken,
// Full theming control
theme: {
primaryColor: '#4F46E5', // Your brand color
backgroundColor: '#FFFFFF',
fontFamily: 'Inter, sans-serif',
borderRadius: '8px',
headerVisible: false // Or customize header
},
// No third-party branding
whiteLabel: true
});White-Label Comparison
| Aspect | Kibana | Dedicated Solution |
|---|---|---|
| Remove vendor branding | Not possible (cross-origin) | Yes |
| Custom colors | Limited | Full control |
| Custom fonts | No | Yes |
| Custom CSS | No (iframe isolation) | Yes |
| Native look and feel | No | Yes |
For implementation details, see White-Label Embedded Analytics: Complete Guide.
Comparison 4: Development and Maintenance Effort
Kibana: Ongoing Engineering Tax
Initial implementation (estimated 40-80 hours):
- Authentication proxy or SAML configuration
- Multi-tenant Space/role architecture
- Dashboard template management
- Iframe integration and URL management
- Error handling for auth failures
Ongoing maintenance (estimated 10-20 hours/month):
- New customer provisioning
- Kibana version upgrades (breaking changes)
- Security patches – Dashboard updates across Spaces
- Troubleshooting auth/session issues
- Debugging cross-tenant data leaks
Code you’ll maintain:
// kibana-embed-service.js - A simplified version of what teams build
class KibanaEmbedService {
async provisionTenant(tenantId) {
await this.createSpace(tenantId);
await this.createRole(tenantId);
await this.createIndexPattern(tenantId);
await this.copyDashboards(tenantId);
// Error handling, retries, rollback on failure...
}
async getEmbedUrl(userId, tenantId, dashboardId) {
const session = await this.ensureSession(userId, tenantId);
// Session refresh, cookie management, URL construction...
}
// 500+ more lines of infrastructure code
}Dedicated Solution: Embed and Ship
Initial implementation (estimated 2-8 hours):
- Connect data source
- Build dashboards in visual builder
- Generate embed code
- Integrate token generation
Ongoing maintenance (estimated 0-2 hours/month):
- Dashboard updates (one place)
- Nothing per new customer
Code you’ll maintain:
// embed-service.js - The entire integration
function getEmbedToken(user) {
return signToken({
userId: user.id,
tenantId: user.organizationId,
dashboardId: 'main'
});
}Development Effort Comparison
Kibana iframe embedding requires 10-40x more setup time and ongoing maintenance compared to dedicated embedded analytics solutions.
| Aspect | Kibana | Dedicated Solution |
|---|---|---|
| Initial setup | 40-80 hours | 2-8 hours |
| Monthly maintenance | 10-20 hours | 0-2 hours |
| Lines of integration code | 500+ | <50 |
| Kibana upgrade impact | High (breaking changes) | None |
| New customer effort | Manual steps | Zero |
For a detailed build vs buy analysis, see Embedded Analytics for SaaS: Build or Buy?
Comparison 5: Query Capabilities
Kibana: KQL and Index-Bound
KQL (Kibana Query Language) has documented limitations:
- Filtering only: KQL only filters data; it has no role in aggregating, transforming, or sorting
- No regex: KQL does not support fuzzy or regex searches
- Wildcard limitations: Wildcards cannot be used when searching for “phrases”
- Single data source: Queries bound to Elasticsearch indices
For complex analytics, users must learn KQL syntax or the more complex ES|QL.
Dedicated Solutions: Multi-Source Joins
Purpose-built analytics platforms can:
- Join Elasticsearch with SQL databases at query time
- Apply transformations and aggregations in one query
- Support natural language queries for business users
- Query across indices without complex ES|QL
-- Example: Join Elasticsearch logs with MySQL customer data
SELECT
e.event_type,
e.timestamp,
c.customer_name,
c.plan_tier
FROM elasticsearch.logs e
JOIN mysql.customers c ON e.customer_id = c.id
WHERE e.timestamp > NOW() - INTERVAL 7 DAYSee How to Join Elasticsearch with Other Datasources for implementation details.
Decision Framework
Choose Kibana When:
- Dashboards are internal only (ops, DevOps, security teams)
- You have single tenant or a handful of trusted partners
- Users are technical and comfortable with KQL
- No embedding required – dashboards live in separate browser tabs
- You have engineering capacity for ongoing maintenance
Choose Dedicated Embedded Analytics When:
- Dashboards are customer-facing in your SaaS product
- You have multi-tenant requirements (10+ customers)
- Users include non-technical business users
- White-labeling matters for product perception
- Engineering time is better spent on core product
- You need to join Elasticsearch with other data sources
The Bottom Line
Kibana is a capable internal analytics tool. But embedding it in a customer-facing SaaS product means fighting its architecture at every turn:
- Security requires complex, error-prone configuration
- Multi-tenancy doesn’t scale without significant infrastructure
- White-labeling is effectively impossible
- Maintenance consumes ongoing engineering resources
Dedicated embedded analytics solutions solve these problems by design, not workaround.
Frequently Asked Questions
What is embedded analytics for Elasticsearch?
Embedded analytics lets you integrate interactive dashboards and visualizations directly into your SaaS application, powered by your Elasticsearch data. Instead of sending customers to a separate analytics tool, the dashboards appear natively inside your product with your branding, authentication, and data isolation built in.
Can I embed Kibana dashboards in my SaaS product?
You can embed Kibana via iframe, but it wasn’t designed for this use case. You’ll face double authentication prompts, no white-labeling (browser security blocks CSS injection into cross-origin iframes), manual multi-tenant configuration per customer, and performance overhead from loading Kibana’s full UI bundle.
What’s the difference between Kibana embedding and dedicated embedded analytics?
Kibana embedding wraps an internal tool in an iframe and requires you to build authentication, multi-tenancy, and security infrastructure yourself. Dedicated embedded analytics solutions are purpose-built for customer-facing use, they provide token-based authentication, automatic tenant isolation, full white-labeling, and SDK-based integration out of the box.
How does multi-tenancy work with Elasticsearch embedded analytics?
With dedicated solutions, multi-tenancy is token-based. Your backend generates a signed embed token containing the tenant ID, and the platform automatically filters every Elasticsearch query to that tenant’s data. No per-customer Spaces, roles, or index patterns to configure, scaling from 1 to 1,000 customers requires zero additional setup.
Is it safe to embed Elasticsearch data in customer-facing dashboards?
Yes, when using a purpose-built solution. Token-based embedding cryptographically signs tenant context into each request, making cross-tenant data access impossible. With Kibana iframe embedding, security depends on correctly configuring Elasticsearch roles and document-level security for each customer, a complex, error-prone process.
How long does it take to implement Elasticsearch embedded analytics?
With a dedicated platform, initial implementation typically takes 2-8 hours: connect your Elasticsearch cluster, build dashboards in the visual builder, and integrate the embed token in your app. Kibana iframe embedding typically requires 40-80 hours for initial setup plus 10-20 hours per month of ongoing maintenance.
Can embedded analytics query Elasticsearch and SQL databases together?
Dedicated platforms like Knowi support cross-source joins, letting you combine Elasticsearch data with MySQL, PostgreSQL, or other databases at query time without ETL. Kibana can only query Elasticsearch indices.
Next Steps
Evaluating your options?
- Compare: Best Tools for Elasticsearch Analytics: Kibana vs Knowi vs Grafana
- Learn: How to Build Embedded Analytics: Architecture Guide
- Explore: Native Elasticsearch Analytics Platform
Request a Demo → See how you can embed elasticsearch analytics without the limitations of Kibana
