After enabling SAML Role mapping not working

Hi Chaps,

I am trying to configure SSO in an on-premises Elasticsearch setup. After configuring SAML (Azure AD), users are able to log in with their domain password. But users are not being restricted based on the roles which I defined. If I set only one role to view one set of indexes alone, it works fine as expected. If I add another role mapping to allow users to view selective indexes, it considers both roles, and whatever users I am adding at the AD end, it gives both permissions to them.

These are working fine for local users, but this issue persists only on SAML configs. Please help to fix this.



What exactly are the role mapping rules you are using? Based on the screenshot, they look identical to me (both based on realm.name). If you want to grant users from the same AD different roles, you need to differentiate these users based on something that is not just realm.name.

Hi,

But we have only 4 options (username, groups, DN) to declare in the role mapping apart from realm.name. I am trying to grant user privileges from the same AD with different roles. I thought that users would be differentiated based on the roles which we create. From the AD end, whenever I am adding users I will assign the role accordingly; based on that assigned role the user will get access, isn't it?
I am sharing the role mapping settings for both for reference, just let me know if this is the right one.
Produser rolemapping:

Nonproduser role mapping:

If I need to differentiate the users which are coming from the same AD, what value do I need to provide in the rule options apart from realm.name? If I have 5 roles to be created, then how is it feasible here? Please suggest.

If you have groups in AD, you'll need to add conditions in your role mappings to require those groups. That way different AD groups get different roles in Elastic.
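As an added illustration of the group-based mappings suggested in the last reply (this is not code from the thread or from Elastic), the following script writes two role mappings in the shape of the `PUT /_security/role_mapping/<name>` API body and evaluates them with a small re-implementation of the rule DSL (`field`, `any`, `all`, `except`). It puts the realm-only mappings from the question side by side with mappings that additionally require an AD group, so you can see why the former grants every SAML user both roles. The realm name `saml_azure`, the roles `produser`/`nonproduser`, the group names and the sample users are all assumptions.

```python
"""Evaluate Elasticsearch-style role-mapping rules against sample SAML users.

Constructed example: the mapping bodies mirror the shape of the
PUT /_security/role_mapping/<name> API. The evaluator below is a
simplified re-implementation for illustration, not Elastic's code
(it handles exact and list matches, not wildcards).
"""

# Assumed names: realm "saml_azure", roles "produser"/"nonproduser",
# AD groups "es-prod-readers"/"es-nonprod-readers".
REALM = "saml_azure"

# Mappings as in the question: both keyed on realm.name only.
REALM_ONLY_MAPPINGS = {
    "produser": {
        "enabled": True,
        "roles": ["produser"],
        "rules": {"field": {"realm.name": REALM}},
    },
    "nonproduser": {
        "enabled": True,
        "roles": ["nonproduser"],
        "rules": {"field": {"realm.name": REALM}},
    },
}

# Corrected mappings: realm.name AND a specific AD group.
GROUP_MAPPINGS = {
    "produser": {
        "enabled": True,
        "roles": ["produser"],
        "rules": {"all": [
            {"field": {"realm.name": REALM}},
            {"field": {"groups": "es-prod-readers"}},
        ]},
    },
    "nonproduser": {
        "enabled": True,
        "roles": ["nonproduser"],
        "rules": {"all": [
            {"field": {"realm.name": REALM}},
            {"field": {"groups": "es-nonprod-readers"}},
        ]},
    },
}


def _field_matches(user, key, expected):
    """A field rule matches if any user value equals any expected value."""
    actual = user.get(key)
    expected_values = expected if isinstance(expected, list) else [expected]
    actual_values = actual if isinstance(actual, list) else [actual]
    return any(a == e for a in actual_values for e in expected_values)


def rule_matches(rule, user):
    """Recursively evaluate one rule object against a user record."""
    if "field" in rule:
        ((key, expected),) = rule["field"].items()
        return _field_matches(user, key, expected)
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    raise ValueError(f"unknown rule type: {list(rule)}")


def resolve_roles(mappings, user):
    """Return the sorted set of roles granted by all enabled matching mappings."""
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)


# Constructed sample users in the form the mapping rules see them
# (username, dn, groups, realm.name). SAML users have no DN.
PROD_USER = {"username": "alice", "dn": None,
             "groups": ["es-prod-readers"], "realm.name": REALM}
NONPROD_USER = {"username": "bob", "dn": None,
                "groups": ["es-nonprod-readers"], "realm.name": REALM}
NO_GROUP_USER = {"username": "carol", "dn": None,
                 "groups": [], "realm.name": REALM}
LOCAL_USER = {"username": "dave", "dn": None,
              "groups": [], "realm.name": "native"}

if __name__ == "__main__":
    for user in (PROD_USER, NONPROD_USER, NO_GROUP_USER, LOCAL_USER):
        print(user["username"],
              "realm-only:", resolve_roles(REALM_ONLY_MAPPINGS, user),
              "group-based:", resolve_roles(GROUP_MAPPINGS, user))
```

For the `groups` field to carry anything at all for SAML users, the realm must be told which assertion attribute holds the groups (the `attributes.groups` setting on the SAML realm in `elasticsearch.yml`) and the identity provider must actually emit a group claim; with that in place, a user in neither group gets no role at all, which is the behaviour the realm-only mappings cannot produce.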