Configure Elasticsearch to use SSO by OIDC - Groups claim is not mapped correctly

Ismaeel_Enjreny · September 25, 2021, 12:28pm

We are trying to configure Elasticsearch so uses can login using SSO feature based on oidc protocol, everything is working fine till we tried to map claims.groups.

The Identity Provider send groups as JSON array but it seems Elasticsearch expects it as string, here Elasticsearch throws the following error when it tries to get user information from UserInfo end point

Caused by: java.lang.IllegalStateException: Error merging ID token and userinfo claim value for claim [groups]. Cannot merge [com.nimbusds.jose.shaded.json.JSONArray] with [java.lang.String]

The configuration we have is as following

xpack.security.authc.realms.oidc.oidc1:
  order: 2
  rp.client_id: "HT57sBPfQCVUnT1P8U34kmkL0gAa"
  rp.response_type: code
  rp.redirect_uri: "http://localhost:5601/api/security/oidc/callback"
  op.issuer: "https://localhost:9443/oauth2/token"
  op.authorization_endpoint: "https://localhost:9443/oauth2/authorize"
  op.token_endpoint: "https://localhost:9443/oauth2/token"
  op.jwkset_path: "https://localhost:9443/oauth2/jwks"
  op.userinfo_endpoint: "https://localhost:9443/oauth2/userinfo"
  op.endsession_endpoint: "https://localhost:9443/oidc/logout"
  rp.post_logout_redirect_uri: "http://localhost:5601/security/logged_out"
  ssl.certificate_authorities: ["oidc/wso2carbon.cer"]
  claims.principal: sub
  claims.groups: groups
  claims.name: name
  claims.mail: email

We can't change the identity provider to return string because it is ready made product, what do you suggest to resolve this issue and what the exact format which is expected by Elasticsearch to map groups claim correctly (i.e. group1,group2,...)

Thanks

ikakavas · September 28, 2021, 10:06am

The OP sends an array in the ID token and a string in the userinfo endpoint response, and elasticsearch doesn't know how it is supposed to merge these. Can't you configure the OP to send the same type of value for the groups claim in both the ID token and the response of the Userinfo endpoint ?

Alternatively, if all information you need is in the ID token and you don't have to query the userinfo endpoint, you can remove the

op.userinfo_endpoint: "https://localhost:9443/oauth2/userinfo"

line from your configuration entirely.

Ismaeel_Enjreny · September 28, 2021, 10:51am

Thanks ikakavas, after commenting the line every is working fine

system · October 26, 2021, 10:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
OIDC with Elasticsearch Elasticsearch elastic-stack-security	3	2344	February 22, 2021
Failed to authenticate user with OpenID Connect Elasticsearch elastic-stack-security	8	4396	March 5, 2020
OIDC role mapping not working Elasticsearch elastic-stack-security	3	283	February 19, 2024
Google OIDC SSO with Mapping (Google) Groups onto (Kibana) Roles Elasticsearch elastic-stack-security	3	2759	June 1, 2021
Unable to configure oidc Elasticsearch elastic-stack-security	7	2809	June 27, 2020

Configure Elasticsearch to use SSO by OIDC - Groups claim is not mapped correctly

Related topics