Elastic Cloud: Defining roles for users in Okta using SAML

Hello,

Right now, I'm defining roles for users using the security API

POST /_security/role_mapping/viewer_mapping
{
  "roles": [ "custome_role_viewer"],
  "enabled": true, 
  "rules": {
    "field" : { "username" : ["username.one@email.com", "username.two@email.com"] }
  },
  "metadata" : { 
    "version" : 1
  }
}

POST /_security/role_mapping/admin_mapping
{
  "roles": [ "custome_role_admin"],
  "enabled": true, 
  "rules": {
    "field" : { "username" : ["username.eight@email.com", "username.nine@email.com"] }
  },
  "metadata" : { 
    "version" : 1
  }
}

I would like to handle this within Okta, is this possible?

Mike

Yes.

What fields do you have in Okta that you want to use for this?

The usual approach is to configure Okta to send a list of groups or teams within the SAML assertion, and then map those teams to Elasticsearch roles.
That prevents internal ES role names from being embedded in Okta configuration - the on-wire protocol represents your organisational structure and ES knows how to map your org structure into specific roles.
You can, however, send actual role names across to ES and automatically assign them to users if you want to align your ES role names to a set of names that exist in Okta.

The Create role mappings API docs have examples of both options.

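The group-based mapping described in the reply, written out as an added example (this is not code from the thread or from Elastic): the two role-mapping request bodies keyed on an Okta group attribute instead of individual usernames, the role-template variant for the "send role names directly" option, and a small evaluator for the role-mapping rule DSL (field / any / all / except, with "*" wildcards) so the mappings can be sanity-checked offline against constructed users before they are pushed to a cluster. Everything below that is not in the original post is an assumption: a SAML realm named okta_saml whose elasticsearch.yml entry sets attributes.groups to "groups", an Okta SAML app with a group attribute statement named groups, and Okta groups es-viewers and es-admins. The role names reuse the ones from the question.

```python
"""Okta group -> Elasticsearch role mappings, with an offline rule check.

Added example (not from the thread or from Elastic).  Assumed, not given:
realm name "okta_saml" with attributes.groups: "groups" in elasticsearch.yml,
an Okta group attribute statement named "groups", and made-up Okta groups
"es-viewers" / "es-admins".
"""
import json
import re

REALM = "okta_saml"  # assumed SAML realm name

# Bodies for PUT /_security/role_mapping/<name>.  Each rule also pins the
# realm, so a native or LDAP user carrying the same group value does not
# pick up the role.  Role names are the ones from the original post.
ROLE_MAPPINGS = {
    "okta_viewer_mapping": {
        "roles": ["custome_role_viewer"],
        "enabled": True,
        "rules": {"all": [
            {"field": {"realm.name": REALM}},
            {"field": {"groups": "es-viewers"}},
        ]},
        "metadata": {"version": 2},
    },
    "okta_admin_mapping": {
        "roles": ["custome_role_admin"],
        "enabled": True,
        "rules": {"all": [
            {"field": {"realm.name": REALM}},
            {"field": {"groups": "es-admins"}},
        ]},
        "metadata": {"version": 2},
    },
}

# The other option from the reply: let the Okta group names *be* the role
# names.  A role template with format "json" turns the user's groups list
# straight into roles, so every such group must exist as an ES role.
ROLE_TEMPLATE_MAPPING = {
    "roles_from_okta_groups": {
        "role_templates": [
            {"template": {"source": "{{#tojson}}groups{{/tojson}}"},
             "format": "json"}
        ],
        "enabled": True,
        "rules": {"field": {"realm.name": REALM}},
    }
}


def _matches(pattern, value):
    """Field-rule match: literal text, except '*' matches any run of chars."""
    if not isinstance(value, str):
        return False
    regex = ".*".join(re.escape(part) for part in str(pattern).split("*"))
    return re.fullmatch(regex, value) is not None


def _user_field(user, field):
    """Resolve a rule field name (username, dn, groups, realm.name,
    metadata.*) against the user dict as ES would see it."""
    if field == "realm.name":
        return user.get("realm")
    if field.startswith("metadata."):
        return user.get("metadata", {}).get(field[len("metadata."):])
    return user.get(field)


def evaluate_rule(rule, user):
    """True if a role-mapping rule accepts this user."""
    (kind, body), = rule.items()
    if kind == "field":
        (field, patterns), = body.items()
        patterns = patterns if isinstance(patterns, list) else [patterns]
        values = _user_field(user, field)
        values = values if isinstance(values, list) else [values]
        # a list-valued user field (groups) matches if any element matches
        return any(_matches(p, v) for p in patterns for v in values)
    if kind == "any":
        return any(evaluate_rule(r, user) for r in body)
    if kind == "all":
        return all(evaluate_rule(r, user) for r in body)
    if kind == "except":
        return not evaluate_rule(body, user)
    raise ValueError(f"unknown rule type {kind!r}")


def roles_for(user, mappings=ROLE_MAPPINGS):
    """Sorted roles the enabled mappings would grant this user."""
    granted = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate_rule(mapping["rules"], user):
            granted.update(mapping.get("roles", []))
    return sorted(granted)


# Constructed users, shaped like the attributes ES derives from an Okta
# assertion; an unrelated group ("Everyone") is included to show it is ignored.
SAMPLE_USERS = {
    "viewer": {"username": "username.one@email.com", "realm": REALM,
               "groups": ["Everyone", "es-viewers"]},
    "admin": {"username": "username.eight@email.com", "realm": REALM,
              "groups": ["Everyone", "es-viewers", "es-admins"]},
    "no_group": {"username": "username.nine@email.com", "realm": REALM,
                 "groups": ["Everyone"]},
    # same group value, but authenticated by another realm: must get nothing
    "other_realm": {"username": "svc_account", "realm": "native",
                    "groups": ["es-admins"]},
}

if __name__ == "__main__":
    for name, body in ROLE_MAPPINGS.items():
        print(f"PUT /_security/role_mapping/{name}\n{json.dumps(body, indent=2)}\n")
    for label, user in SAMPLE_USERS.items():
        print(f"{label:12} -> {roles_for(user)}")
```

Pinning realm.name next to the group is the part worth keeping: the groups field is populated by whatever realm authenticated the user, so a mapping that matches on the group alone applies to every realm that can emit that value. A user in both Okta groups gets the union of roles, and the original username-based mappings can stay in place alongside these while the group attribute is being rolled out.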