I have set up single sign-on via SAML and also completed a basic role mapping. I would like to switch from using role mapping to delegated authorization, so users authenticate via SAML but authorization is handled by a different realm. I have been reading this doc but can't get it right. This is what elasticsearch.yml looks like:
xpack.license.self_generated.type: trial
xpack.security.enabled: true
xpack.security.authc.realms.saml.kibana-realm:
  order: 2
  attributes.principal: nameid
  attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
  idp.metadata.path: "https://login.microsoftonline.com/xxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxxxx"
  idp.entity_id: "https://sts.windows.net/xxxxxxxxxx/"
  sp.entity_id: "https://kibana.example.net"
  sp.acs: "https://kibana.example.net/api/security/saml/callback"
  sp.logout: "https://kibana.example.net/logout"
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
xpack:
  security:
    authc:
      realms:
        native:
          native1:
            order: 0
        active_directory:
          my_ad:
            order: 1
            domain_name: prd1.example.net
            url: ldap://prd1.example.net:389
            bind_dn: 'CN=sa01.adscan,OU=Service Accounts,OU=Users,OU=TCS,DC=prd1,DC=example,DC=net'
And kibana.yml looks like this:
xpack.security.authc.providers:
  saml.saml1:
    order: 0
    realm: kibana-realm
    description: "Log in with Azure AD"
So I would like to delegate SAML authorization to native and Active Directory. How do I do that? I have tried adding this line to the saml-realm code block, but it did not work.
authorization_realms: my_ad
How do I delegate authorization to the realms 'native1' and 'my_ad'?
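For comparison, here is the realm section of elasticsearch.yml written as an added example (it is not the poster's configuration and not taken from the Elastic docs), with all three realms in one nested block and `authorization_realms` given as a list of both realm names. The realm names, hosts, `bind_dn` and IdP values are the placeholders from the post; the transport SSL and license lines are unchanged and omitted here.

```yaml
# Added example, not the poster's file: one consistent nested form for the
# realm settings, so the SAML realm and its authorization realms sit together.
xpack:
  security:
    enabled: true
    authc:
      realms:
        native:
          native1:
            order: 0
        active_directory:
          my_ad:
            order: 1
            domain_name: prd1.example.net
            url: ldap://prd1.example.net:389
            # bind_dn as in the post; the bind password belongs in the keystore,
            # not in this file.
            bind_dn: 'CN=sa01.adscan,OU=Service Accounts,OU=Users,OU=TCS,DC=prd1,DC=example,DC=net'
        saml:
          kibana-realm:
            order: 2
            attributes.principal: nameid
            attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
            idp.metadata.path: "https://login.microsoftonline.com/xxxxx/federationmetadata/2007-06/federationmetadata.xml?appid=xxxxxx"
            idp.entity_id: "https://sts.windows.net/xxxxxxxxxx/"
            sp.entity_id: "https://kibana.example.net"
            sp.acs: "https://kibana.example.net/api/security/saml/callback"
            sp.logout: "https://kibana.example.net/logout"
            # Delegated authorization: a list of realm names, consulted in this
            # order. The first realm that has a user whose username equals the
            # SAML principal supplies that user's roles; this realm's own role
            # mappings are then not used.
            authorization_realms: [ "native1", "my_ad" ]
```

Two things to check when testing this: the value of the `nameid` principal must be exactly the username that `native1` or `my_ad` knows (a native user created with the users API, or the AD account name), otherwise the lookup finds nobody and authentication fails even though the SAML exchange succeeded; and the realm names in `authorization_realms` refer to the realm names (`native1`, `my_ad`), not the realm types.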