I keep getting user ghardy is unauthorised. In my Okta I have created the elasticadmins group, and assigned my user to that group. I am just lost as to why it doesn't seem to be putting my user as a superuser.
Nitpicking here, but so that we're on the same page: this is a role mapping rule, and what it does is that it assigns roles (kibana_user in this case) to users that have authenticated via the SAML realm with name cloud-saml. You are not sharing how you are creating those, but keep in mind that different role mappings need to have different names (part of the URI when you send the request to Elasticsearch), otherwise you are overwriting the existing ones with the new ones.
Your configuration looks good to me and matches what I've seen being required when integrating with Okta. My guess is that either:
Okta is not configured to send the group membership attribute
Okta is configured to send the group membership attribute but the attribute name is not groups (as your configuration implies)
Okta is configured to send the group membership attribute, and its name is groups, but your user (ghardy) is not a member of that group.
I would suggest that you
Check your Okta configuration to verify that the group membership attribute is named group and is also sent in the SAML Responses (IIRC the section in Okta is named "Group Attribute Statements")
When the first role mapping is assigned, and you can log in to Kibana, go to the Dev Tools section and execute the following query:
GET /_security/_authenticate
This would show you roles that your user is currently assigned, but also all the SAML attributes that were sent from Okta for your user, under the "metadata" section of the response. This will show you if the group membership is sent from Okta, under which attribute name and with which value.
Are you saying that in attributes.groups: "groups" in my elasticsearch.yml, "groups" should match a group in my Okta, so if I have a Devops group, this should be "Devops"?
No, not exactly. In attributes.groups: "groups" in your elasticsearch.yml, "groups" should match the name of the attribute in Okta, not its value. That was correctly configured from the start.
That part in the response shows that Okta was not sending any group information to Elasticsearch (otherwise you would see it here along with the nameid in the metadata) and this is why your role mapping was not working.
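The three possible causes listed earlier in the thread can be told apart from the "metadata" section of a GET /_security/_authenticate response. The following is an added example, not code from any post in this thread or from Elastic; the sample responses are constructed, and the "saml(<name>)" metadata key layout and the memberOf attribute name are assumptions to adjust to what your cluster actually returns.

```python
def saml_attributes(auth_response):
    """Return {attribute_name: [values]} from the response's metadata section."""
    attrs = {}
    for key, value in auth_response.get("metadata", {}).items():
        # Assumed layout: SAML attributes appear as "saml(<attribute name>)".
        if key.startswith("saml(") and key.endswith(")"):
            attrs[key[5:-1]] = value if isinstance(value, list) else [value]
    return attrs


def diagnose(auth_response, attribute_name, group):
    """Classify why a group-based role mapping did or did not match."""
    attrs = saml_attributes(auth_response)
    if attribute_name in attrs:
        # Attribute arrives under the configured name: check its values.
        return "ok" if group in attrs[attribute_name] else "not-member"
    for name, values in attrs.items():
        # The group is sent, but under a name attributes.groups does not read.
        if group in values:
            return "wrong-name:" + name
    return "not-sent"


def sample(metadata):
    """Build a constructed _authenticate response around the given metadata."""
    base = {"saml_nameid": "ghardy@example.com"}  # constructed value
    base.update(metadata)
    return {"username": "ghardy", "roles": ["kibana_user"], "metadata": base}


# Constructed responses, one per case discussed in the thread.
NOT_SENT = sample({})
WRONG_NAME = sample({"saml(memberOf)": ["elasticadmins"]})
NOT_MEMBER = sample({"saml(groups)": ["Devops"]})
MATCHED = sample({"saml(groups)": ["Devops", "elasticadmins"]})

if __name__ == "__main__":
    for label, resp in [("not sent", NOT_SENT), ("wrong name", WRONG_NAME),
                        ("not member", NOT_MEMBER), ("matched", MATCHED)]:
        print(label, "->", diagnose(resp, "groups", "elasticadmins"))
```

A "not-sent" result points at the Okta side (no group attribute statement in the SAML Response), while "wrong-name" points at a mismatch between the Okta attribute name and attributes.groups in elasticsearch.yml.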