We are trying to configure Elasticsearch so uses can login using SSO feature based on oidc protocol, everything is working fine till we tried to map claims.groups.
The Identity Provider send groups as JSON array but it seems Elasticsearch expects it as string, here Elasticsearch throws the following error when it tries to get user information from UserInfo end point
Caused by: java.lang.IllegalStateException: Error merging ID token and userinfo claim value for claim [groups]. Cannot merge [com.nimbusds.jose.shaded.json.JSONArray] with [java.lang.String]
The configuration we have is as following
xpack.security.authc.realms.oidc.oidc1: order: 2 rp.client_id: "HT57sBPfQCVUnT1P8U34kmkL0gAa" rp.response_type: code rp.redirect_uri: "http://localhost:5601/api/security/oidc/callback" op.issuer: "https://localhost:9443/oauth2/token" op.authorization_endpoint: "https://localhost:9443/oauth2/authorize" op.token_endpoint: "https://localhost:9443/oauth2/token" op.jwkset_path: "https://localhost:9443/oauth2/jwks" op.userinfo_endpoint: "https://localhost:9443/oauth2/userinfo" op.endsession_endpoint: "https://localhost:9443/oidc/logout" rp.post_logout_redirect_uri: "http://localhost:5601/security/logged_out" ssl.certificate_authorities: ["oidc/wso2carbon.cer"] claims.principal: sub claims.groups: groups claims.name: name claims.mail: email
We can't change the identity provider to return string because it is ready made product, what do you suggest to resolve this issue and what the exact format which is expected by Elasticsearch to map groups claim correctly (i.e. group1,group2,...)