Delegate Authorization from Saml

I have set up single sign-on via SAML and also completed a basic role mapping. I would like to switch from using role mapping to delegated authorization, so users authenticate via SAML but authorization is handled by a different realm. I have been reading this doc but can't get it right. This is what the elasticsearch.yml looks like:

xpack.license.self_generated.type: trial
xpack.security.enabled: true

xpack.security.authc.realms.saml.kibana-realm:
  order: 2
  attributes.principal: nameid
  attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
  idp.metadata.path: "https://login.microsoftonline.com/xxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxxxx"
  idp.entity_id: "https://sts.windows.net/xxxxxxxxxx/"
  sp.entity_id: "https://kibana.example.net"
  sp.acs: "https://kibana.example.net/api/security/saml/callback"
  sp.logout: "https://kibana.example.net/logout"

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack:
  security:
    authc:
      realms:
        native:
          native1:
            order: 0
        active_directory:
          my_ad:
            order: 1
            domain_name: prd1.example.net
            url: ldap://prd1.example.net:389
            bind_dn: 'CN=sa01.adscan,OU=Service Accounts,OU=Users,OU=TCS,DC=prd1,DC=example,DC=net'

And kibana.yml looks like this:

xpack.security.authc.providers:
  saml.saml1:
    order: 0
    realm: kibana-realm
    description: "Log in with Azure AD"

So I would like to delegate SAML authorization to native and Active Directory. How do I do that? I have tried adding this code to the saml-realm code block, but it did not work.

authorization_realms: my_ad

How do I delegate authorization to the realms 'native1' and 'my_ad'?
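As an added illustration (not from this thread and not Elastic's own code), the script below renders the elasticsearch.yml from the post as a Python dict, flattens the mixed dotted and nested keys the way Elasticsearch merges them into one settings namespace, and then checks the delegation wiring: that every realm listed in the SAML realm's authorization_realms is defined, is not disabled, and (for an Active Directory realm) has a bind_dn for user lookup. It also simulates what delegated authorization does at login: the SAML principal is looked up, under the same username, in each authorization realm in listed order, and the first realm that knows the user supplies the roles. The list-form authorization_realms value, the enabled: false realm setting used in the check, the bind_dn requirement for lookup, and the constructed user directory are assumptions for this example; the real lookup is done by Elasticsearch against the realms themselves.

```python
"""Check delegated-authorization wiring for a SAML realm (added example, not thread code).

CONSTRUCTED_SETTINGS mirrors the thread's elasticsearch.yml: the SAML realm in
dotted form and the native/AD realms in nested form, as in the post, plus an
assumed 'authorization_realms' list on the SAML realm.
"""
from typing import Any

CONSTRUCTED_SETTINGS: dict[str, Any] = {
    "xpack.security.authc.realms.saml.kibana-realm": {
        "order": 2,
        "attributes.principal": "nameid",
        "attributes.groups": "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups",
        "idp.metadata.path": "https://login.microsoftonline.com/xxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxxxx",
        "idp.entity_id": "https://sts.windows.net/xxxxxxxxxx/",
        "sp.entity_id": "https://kibana.example.net",
        "sp.acs": "https://kibana.example.net/api/security/saml/callback",
        "sp.logout": "https://kibana.example.net/logout",
        # Assumed addition: delegate authorization to these realms, tried in order.
        "authorization_realms": ["native1", "my_ad"],
    },
    "xpack": {"security": {"authc": {"realms": {
        "native": {"native1": {"order": 0}},
        "active_directory": {"my_ad": {
            "order": 1,
            "domain_name": "prd1.example.net",
            "url": "ldap://prd1.example.net:389",
            "bind_dn": "CN=sa01.adscan,OU=Service Accounts,OU=Users,OU=TCS,DC=prd1,DC=example,DC=net",
        }},
    }}}},
}

REALM_PREFIX = "xpack.security.authc.realms."


def flatten(settings: dict, prefix: str = "") -> dict[str, Any]:
    """Merge dotted keys and nested maps into one flat 'a.b.c' -> value namespace."""
    flat: dict[str, Any] = {}
    for key, value in settings.items():
        full = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, full))
        else:
            flat[full] = value
    return flat


def realms(flat: dict[str, Any]) -> dict[str, dict]:
    """Group flat settings by realm name: {name: {"type": ..., "settings": {...}}}."""
    out: dict[str, dict] = {}
    for key, value in flat.items():
        if not key.startswith(REALM_PREFIX):
            continue
        parts = key[len(REALM_PREFIX):].split(".", 2)  # type, name, setting
        if len(parts) < 3:
            continue
        rtype, name, setting = parts
        out.setdefault(name, {"type": rtype, "settings": {}})["settings"][setting] = value
    return out


def check_delegation(flat: dict[str, Any], realm_name: str) -> list[str]:
    """Return a list of wiring problems for realm_name's authorization_realms (empty if OK)."""
    defined = realms(flat)
    realm = defined.get(realm_name)
    if realm is None:
        return [f"realm {realm_name!r} is not defined"]
    targets = realm["settings"].get("authorization_realms")
    if targets is None:
        return [f"realm {realm_name!r} has no authorization_realms; role mapping applies instead"]
    if isinstance(targets, str):  # comma-separated string form is also accepted
        targets = [t.strip() for t in targets.split(",") if t.strip()]
    problems: list[str] = []
    for target_name in targets:
        target = defined.get(target_name)
        if target is None:
            problems.append(f"authorization realm {target_name!r} is not defined")
            continue
        if target_name == realm_name:
            problems.append(f"realm {realm_name!r} cannot delegate to itself")
        if target["settings"].get("enabled") is False:
            problems.append(f"authorization realm {target_name!r} is disabled")
        if target["type"] == "active_directory" and "bind_dn" not in target["settings"]:
            problems.append(f"AD realm {target_name!r} has no bind_dn; lookup needs bind credentials")
    return problems


def resolve_user(principal: str, targets: list[str], directory: dict[str, dict[str, list[str]]]):
    """Simulate delegated lookup: first realm (in order) that holds 'principal' wins.

    'directory' is a constructed stand-in for the realms' user stores. A principal
    that no authorization realm knows yields None, i.e. the login is rejected.
    """
    for realm_name in targets:
        users = directory.get(realm_name, {})
        if principal in users:
            return realm_name, users[principal]
    return None


# Constructed user stores for the simulation (not real directory data).
CONSTRUCTED_DIRECTORY = {"native1": {"alice": ["kibana_admin"]}, "my_ad": {"bob": ["viewer"]}}

if __name__ == "__main__":
    flat_settings = flatten(CONSTRUCTED_SETTINGS)
    print("problems:", check_delegation(flat_settings, "kibana-realm"))
    for who in ("alice", "bob", "carol"):
        print(who, "->", resolve_user(who, ["native1", "my_ad"], CONSTRUCTED_DIRECTORY))
```

The point the simulation makes is the one to verify first when a delegated SAML login is refused: the value the SAML realm extracts as the principal (here the nameid attribute) has to be an existing username in native1 or my_ad, and the roles come from that user, not from the SAML groups attribute or any role mapping.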

but it did not work.

More information please.

Did you get an error? See a message in the logs? What steps did you take to determine whether it was working?

You've provided a great level of detail on your goal and current config, but missed the important bit about what went wrong.

I got an error that reads as follows:
"We couldn't log you in.
We hit an authentication error. Please check your credentials and try again. If you still can't log in, contact your system administrator"

It sounds like you need to look at the Kibana logs (and probably the Elasticsearch logs as well).
