Azure AD SAML auth - 403 - Forbidden

Hi, (oh wow, sorry, I obviously don't understand how to use the </> tag..)

Spent a few hours configuring and reading the documentation, and I'm getting very close to completing the setup (I feel).
But I need some help with the final sprint.

This is on a new single Elastic/Kibana cloud deployment.

The error I'm now getting after authenticating to Kibana is:
```json
{
  "statusCode": 403,
  "error": "Forbidden",
  "message": "Forbidden"
}
```

Elastic config:

```yaml
xpack:
  security:
    authc:
      realms:
        saml:
          cloud-saml:
            order: 2
            attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
            attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
            idp.metadata.path: "https://login.microsoftonline.com/REMOVED/federationmetadata/2007-06/federationmetadata.xml?appid=REMOVED"
            idp.entity_id: "https://sts.windows.net/REMOVED/"
            sp.entity_id: "https://REMOVED.eu-west-1.aws.found.io:9243/"
            sp.acs: "https://REMOVED.eu-west-1.aws.found.io:9243/api/security/v1/saml"
            sp.logout: "https://REMOVED.eu-west-1.aws.found.io:9243/logout"
```

Kibana config:

```yaml
xpack.security.authProviders: [saml, basic]
server.xsrf.whitelist: [/api/security/v1/saml]
xpack.security.public:
  protocol: https
  hostname: REMOVED.eu-west-1.aws.found.io
  port: 9243
```

Azure Enterprise app config:

- Identifier (Entity ID): https://REMOVED.eu-west-1.aws.found.io:9243/
- Reply URL (Assertion Consumer Service URL): https://REMOVED.eu-west-1.aws.found.io:9243/api/security/v1/saml

Added claim:

- http://schemas.microsoft.com/ws/2008/06/identity/claims/role - user.assignedroles

Azure Application Registration Manifest config (appRoles entries):

```json
{
  "allowedMemberTypes": [
    "User"
  ],
  "displayName": "Superuser",
  "id": "REMOVED",
  "isEnabled": true,
  "description": "Superuser with administrator access",
  "value": "superuser"
},
{
  "allowedMemberTypes": [
    "User"
  ],
  "description": "Kibana User",
  "displayName": "Kibana User",
  "id": "REMOVED",
  "isEnabled": true,
  "value": "kibana_user"
}
```

The application validation in Azure succeeds, and I can see the role is included in the SAML response.
But Elastic does not seem to agree, or is misconfigured somewhere.

Any ideas, or obvious issues here?

Solved it.
Had ignored the part about role mapping via API.

For reference if this happens to a future person: https://www.elastic.co/guide/en/elastic-stack-overview/current/saml-role-mapping.html
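Added example (not from the original post or from Elastic's own code): the setup above gets the user authenticated, but a SAML user only receives Elasticsearch roles through role mappings, and a user with no mapped roles is exactly what Kibana reports as `403 Forbidden`. The block below shows the two role-mapping documents that tie the Azure app-role values `superuser` and `kibana_user` (delivered in the configured `attributes.groups` claim) to the Elasticsearch roles of the same name, and re-implements the `field` / `any` / `all` / `except` rule evaluation so the result can be checked offline before the mappings are sent with `PUT /_security/role_mapping/<name>`. The realm name `cloud-saml` and the two claim URIs are taken from the config in the post; the mapping names, the user principals and the assertions are constructed for this example. Each rule also requires `realm.name`, so the same group value arriving through another realm does not grant the role.

```python
import json
from typing import Any

# Realm name and SAML attribute names taken from the Elasticsearch config in the post.
SAML_REALM = "cloud-saml"
PRINCIPAL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
GROUPS_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Role-mapping documents as sent with PUT /_security/role_mapping/<name>.
# Mapping names are hypothetical. Each rule requires BOTH the realm and the
# group, so a "superuser" value from some other realm does not grant the role.
ROLE_MAPPINGS = {
    "azure-superuser": {
        "enabled": True,
        "roles": ["superuser"],
        "rules": {"all": [
            {"field": {"realm.name": SAML_REALM}},
            {"field": {"groups": "superuser"}},
        ]},
    },
    "azure-kibana-user": {
        "enabled": True,
        "roles": ["kibana_user"],
        "rules": {"all": [
            {"field": {"realm.name": SAML_REALM}},
            {"field": {"groups": "kibana_user"}},
        ]},
    },
}


def user_model_from_assertion(attributes: dict, realm: str = SAML_REALM) -> dict:
    """Build the user model the rules are evaluated against from the SAML
    attributes, using the attributes.principal / attributes.groups names of the
    realm. A missing role claim yields an empty groups list."""
    return {
        "username": attributes[PRINCIPAL_ATTR][0],
        "groups": list(attributes.get(GROUPS_ATTR, [])),
        "realm": {"name": realm},
        "metadata": {},
    }


def field_matches(user: dict, field: str, expected: Any) -> bool:
    """Evaluate one ``field`` rule: the dotted name is resolved against the user
    model; a multi-valued field (groups) matches when any of its values equals
    any of the expected values."""
    value: Any = user
    for part in field.split("."):
        if not isinstance(value, dict) or part not in value:
            return False
        value = value[part]
    expected_values = expected if isinstance(expected, list) else [expected]
    actual_values = value if isinstance(value, list) else [value]
    return any(a == e for a in actual_values for e in expected_values)


def rule_matches(rule: dict, user: dict) -> bool:
    """Recursively evaluate a rule tree built from any / all / except / field."""
    if "field" in rule:
        field, expected = next(iter(rule["field"].items()))
        return field_matches(user, field, expected)
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    raise ValueError(f"unsupported rule: {rule!r}")


def resolve_roles(user: dict, mappings: dict = ROLE_MAPPINGS) -> set:
    """Union of the roles of every enabled mapping whose rules match.
    An empty set is what leaves a SAML-authenticated user with a 403 in Kibana."""
    return {
        role
        for mapping in mappings.values()
        if mapping["enabled"] and rule_matches(mapping["rules"], user)
        for role in mapping["roles"]
    }


def role_mapping_requests(mappings: dict = ROLE_MAPPINGS) -> list:
    """(method, path, body) tuples ready to send, e.g. with
    curl -X PUT -H 'Content-Type: application/json' -d "$body"."""
    return [
        ("PUT", f"/_security/role_mapping/{name}", json.dumps(body))
        for name, body in mappings.items()
    ]


# Constructed assertions for three users (values are not from the original post).
ADMIN_ASSERTION = {PRINCIPAL_ATTR: ["alice@example.com"], GROUPS_ATTR: ["superuser"]}
VIEWER_ASSERTION = {PRINCIPAL_ATTR: ["bob@example.com"], GROUPS_ATTR: ["kibana_user"]}
UNASSIGNED_ASSERTION = {PRINCIPAL_ATTR: ["carol@example.com"]}  # no app role assigned

if __name__ == "__main__":
    for assertion in (ADMIN_ASSERTION, VIEWER_ASSERTION, UNASSIGNED_ASSERTION):
        user = user_model_from_assertion(assertion)
        print(user["username"], "->", sorted(resolve_roles(user)) or "no roles (403 in Kibana)")
    for method, path, body in role_mapping_requests():
        print(method, path, body)
```

The `__main__` section prints which Elasticsearch roles each constructed user would end up with and the two PUT requests; the user with no assigned app role resolves to no roles, which reproduces the 403 the thread is about. Anchoring every rule on `realm.name` is the check to keep when copying these mappings: a `groups` value alone is only as trustworthy as every realm that can emit it.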