Dynamic filtering of indices based on SAML attributes

I want to dynamically filter a dashboard based on a user's SAML attributes. Here are the basics of my attempts so far...

I've setup a special field in my user's metadata, we'll call it filter_id. If you hit the authenticate endpoint (GET /_security/_authenticate) it returns back a lot of attributes, here's an abbreviated version...

  "username" : "jane.doe@gmail.com",
  "roles" : [
  "metadata" : {
    "saml(http://schemas.auth0.com/filter_id)" : [

The hub-test role allows us to access all indices such as `listings_*. And within the granted documents query we limit access based on saml attribute. here's a screenshot of what that looks like in Kibana...

All should be good right? Nope :frowning: With a simple dashboard that displays the total count, 0 documents are returned. Now if I remove the {{ }} dynamic insertion and hard code the value of filter_id as it was received from the GET /_security/_authenticate endpoint above ("special-filter-id"), voila! We get 77 documents. Here is a screenshot showing that setup and the resulting dashboard

With all the background info and setup out of the way, here's my question...how can I get this working properly?! I've tried numerous incantations to get the SAML attribute correctly inserted into the template query, but no luck so far. Perhaps I need to configure my IDP (auth0) to massage the attributes into a form that Kibana can understand?? Any help would be greatly appreciated on this matter.

Following up on my own thread as I've resolved my issue.

Turns out, mustache doesn't like the "out of the box" saml attributes so I had to remap the attributes in Auth0 to be friendly. By removing the dots and slashes and grabbing the first item from the array (unsuccessful getting auth0 to send a string rather than an array of strings) elastic was able to successfully parse the template. Here is what it ended up looking like...

{"template" : {
          "source" : {
            "term" : { "_index" : "{{_user.metadata.saml(saml_filter_id).0}}"}
1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.