Configure Elasticsearch to use SSO by OIDC - Groups claim is not mapped correctly

We are trying to configure Elasticsearch so users can log in using the SSO feature based on the OIDC protocol; everything is working fine until we tried to map claims.groups.

The Identity Provider sends groups as a JSON array, but it seems Elasticsearch expects it as a string. Elasticsearch throws the following error when it tries to get user information from the UserInfo endpoint:

Caused by: java.lang.IllegalStateException: Error merging ID token and userinfo claim value for claim [groups]. Cannot merge [com.nimbusds.jose.shaded.json.JSONArray] with [java.lang.String]

The configuration we have is as follows:

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "HT57sBPfQCVUnT1P8U34kmkL0gAa"
  rp.response_type: code
  rp.redirect_uri: "http://localhost:5601/api/security/oidc/callback"
  op.issuer: "https://localhost:9443/oauth2/token"
  op.authorization_endpoint: "https://localhost:9443/oauth2/authorize"
  op.token_endpoint: "https://localhost:9443/oauth2/token"
  op.jwkset_path: "https://localhost:9443/oauth2/jwks"
  op.userinfo_endpoint: "https://localhost:9443/oauth2/userinfo"
  op.endsession_endpoint: "https://localhost:9443/oidc/logout"
  rp.post_logout_redirect_uri: "http://localhost:5601/security/logged_out"
  ssl.certificate_authorities: ["oidc/wso2carbon.cer"]
  claims.principal: sub
  claims.groups: groups
  claims.name: name
  claims.mail: email

We can't change the identity provider to return a string because it is a ready-made product. What do you suggest to resolve this issue, and what is the exact format Elasticsearch expects for mapping the groups claim correctly (i.e. group1,group2,...)?

Thanks

The OP sends an array in the ID token and a string in the userinfo endpoint response, and Elasticsearch doesn't know how it is supposed to merge these. Can't you configure the OP to send the same type of value for the groups claim in both the ID token and the response of the Userinfo endpoint?

Alternatively, if all information you need is in the ID token and you don't have to query the userinfo endpoint, you can remove the

op.userinfo_endpoint: "https://localhost:9443/oauth2/userinfo"

line from your configuration entirely.
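As an added illustration of the merge rule described in the answer above, here is a small Python model I wrote for this thread; it is not Elasticsearch's own code. The merge semantics it assumes (a claim present in both the ID token and the UserInfo response must have the same JSON type; arrays are unioned, objects merged recursively, scalars must be equal; a single string is accepted as one group) are an assumption drawn from the error message quoted in the question, not from the Elasticsearch source. The sample claims are constructed. It reproduces the "Cannot merge" failure with a JSON array in the ID token and a string from UserInfo, and shows that either dropping the UserInfo lookup (the fix suggested above) or having both sources return an array gives a usable group list.

```python
"""Simplified model of how an OIDC realm combines ID-token and UserInfo claims.

Added example for this thread, not Elasticsearch's implementation. The merge
rule below (same JSON type required, arrays unioned, objects merged
recursively, scalars must be equal) is an assumption inferred from the
"Cannot merge [JSONArray] with [String]" error in the question.
"""


class ClaimMergeError(ValueError):
    """Raised when the ID token and UserInfo response disagree about a claim."""


def _merge_value(name, id_value, userinfo_value):
    """Combine one claim seen in both sources; same JSON type is required."""
    if isinstance(id_value, dict) and isinstance(userinfo_value, dict):
        return merge_claims(id_value, userinfo_value)
    if isinstance(id_value, list) and isinstance(userinfo_value, list):
        merged = list(id_value)
        merged.extend(v for v in userinfo_value if v not in merged)
        return merged
    if not isinstance(id_value, (dict, list)) and type(id_value) is type(userinfo_value):
        if id_value != userinfo_value:
            raise ClaimMergeError(
                f"Error merging ID token and userinfo claim value for claim [{name}]. "
                f"Values differ: {id_value!r} vs {userinfo_value!r}"
            )
        return id_value
    # The case from the thread: JSON array in the ID token, plain string from UserInfo.
    raise ClaimMergeError(
        f"Error merging ID token and userinfo claim value for claim [{name}]. "
        f"Cannot merge [{type(id_value).__name__}] with [{type(userinfo_value).__name__}]"
    )


def merge_claims(id_token_claims, userinfo_claims):
    """Return the union of both claim sets, merging claims present in both."""
    merged = dict(id_token_claims)
    for name, value in userinfo_claims.items():
        merged[name] = _merge_value(name, merged[name], value) if name in merged else value
    return merged


def resolve_groups(id_token_claims, userinfo_claims=None, groups_claim="groups"):
    """Groups the realm would see. userinfo_claims=None models a configuration
    without op.userinfo_endpoint, so only the ID token is consulted.
    Assumption: a single string counts as one group; a list of strings is taken as-is."""
    if userinfo_claims is None:
        claims = dict(id_token_claims)
    else:
        claims = merge_claims(id_token_claims, userinfo_claims)
    value = claims.get(groups_claim)
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(g, str) for g in value):
        return list(value)
    raise ClaimMergeError(f"Unsupported value for claim [{groups_claim}]: {value!r}")


def merge_failure(id_token_claims, userinfo_claims):
    """Return the merge error message for this pair of claim sets, or None if it merges."""
    try:
        resolve_groups(id_token_claims, userinfo_claims)
    except ClaimMergeError as err:
        return str(err)
    return None


# Constructed sample claims (not real tokens) modelling the situation in the thread.
ID_TOKEN_CLAIMS = {
    "sub": "alice",
    "name": "Alice",
    "email": "alice@example.com",
    "groups": ["admins", "developers"],  # JSON array in the ID token
}
USERINFO_MISMATCH = {"sub": "alice", "groups": "admins,developers"}  # string from UserInfo
USERINFO_MATCHING = {"sub": "alice", "groups": ["developers", "kibana-users"]}


if __name__ == "__main__":
    print("userinfo endpoint configured, string groups:", merge_failure(ID_TOKEN_CLAIMS, USERINFO_MISMATCH))
    print("userinfo endpoint removed:", resolve_groups(ID_TOKEN_CLAIMS, None))
    print("userinfo endpoint returns an array:", resolve_groups(ID_TOKEN_CLAIMS, USERINFO_MATCHING))
```

Running it prints the same "Cannot merge" complaint as the question (with Python type names in place of the Java ones), then the two working outcomes. To check your own IdP before touching elasticsearch.yml, decode the ID token's payload and fetch the UserInfo response, then pass the two JSON objects to merge_failure.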

Thanks ikakavas, after commenting out the line everything is working fine.
