Somewhere outside of Elasticsearch, you have an identity provider with a list of users.
In the blog that you refer to, that identity provider is ADFS, with Auth0 in front it. You don't say what your identity store is, so I'm just going to call it "ADFS".
When using OIDC (or SAML) your users don't exist in Elasticsearch, they only exist in ADFS.
So when you say:
grant access based on the user role for realm users?
That doesn't really mean anything because those users don't exist in Elasticsearch, so it's not really meaningful to talk about them having roles.
But, those users do exist inside of ADFS. Within ADFS your users will have various properties. If you really are using ADFS, then presumably those users actually exist in AD-DomainServices. And in domain services they have a user principal name, a real name, some groups, etc.
I assume that you want to use those properties (that come from the users in your identity store) to determine what access they should have in Elasticsearch.
For example, you might say
Users who are in the Elasticsearch Administrators
group in AD should have the superuser
role in Elasticsearch.
That's a role mapping.
But, because you are using OpenIDConnect on top of AD(FS) the process is a little more complicated.
OpenID Connect doesn't have a builtin concept of "groups". OIDC uses a JSON Web Token, and JWT has claims about users, but there is no standard claim for "groups".
Each OIDC OP/IdP (such as Auth0) has to decide whether to provide a list of "groups" in the JWT and what to call it. Some OPs might call that claim groups
, some might calls it roles
, and some might use a URI instead like http://schemas.microsoft.com/ws/2008/06/identity/claims/role
Elasticsearch has no way of knowing whether your OP will provide a list of groups, and what the claim name will be. You need to configure Elasticsearch with that information. That is what the claims.groups
setting is. It's the way you tell Elasticsearch where to find the group information (if any exists) in your OIDC JWTs.
If you set that up correctly, so that the Elasticsearch OIDC realm understands the groups that your OP sends to across in the JWT, then you can create a role mapping like this example from the docs:
PUT /_security/role_mapping/oidc-finance
{
"roles": [ "finance_data" ],
"enabled": true,
"rules": { "all": [
{ "field": { "realm.name": "oidc1" } },
{ "field": { "groups": "finance-team" } }
] }
}
That says, if the user authenticates using the "oidc1" realm, and the JWT tells us that they are a member of the finance-team
group in the identity store, then they should get the finance_data
role in Elasticsearch.