Elastic Role Mapping from IdP Role/Group

Hi Elastic Forum,

How does role mapping work on Elastic when integrating with an IdP? In the mapping rules, we have fields like username, dn, realm.name.

By creating a role mapping and adding realm.name on the mapping rule, all the users will get the same roles.

But what if the purpose is to grant access based on the user's role for realm users, like apm_user, superuser, kibana_user, etc. (I have some users with different roles)?

In this documentation Configuring role mappings | Elasticsearch Reference [master] | Elastic, it's mentioned about claims.groups:

If your OP has the ability to provide groups or roles to RPs via the use of an OpenID Claim, then you should map this claim to the claims.groups setting in the Elasticsearch realm (see Mapping claims to user properties), and then make use of it in a role mapping as per the example below.

This mapping grants the Elasticsearch finance_data role to any users who authenticate via the oidc1 realm with the finance-team group membership.

But I don't really get what is the value for claims.groups.

Here is the reference that I am following:

Somewhere outside of Elasticsearch, you have an identity provider with a list of users.
In the blog that you refer to, that identity provider is ADFS, with Auth0 in front it. You don't say what your identity store is, so I'm just going to call it "ADFS".

When using OIDC (or SAML) your users don't exist in Elasticsearch, they only exist in ADFS.
So when you say:

grant access based on the user role for realm users?

That doesn't really mean anything because those users don't exist in Elasticsearch, so it's not really meaningful to talk about them having roles.

But, those users do exist inside of ADFS. Within ADFS your users will have various properties. If you really are using ADFS, then presumably those users actually exist in AD-DomainServices. And in domain services they have a user principal name, a real name, some groups, etc.
I assume that you want to use those properties (that come from the users in your identity store) to determine what access they should have in Elasticsearch.

For example, you might say
Users who are in the Elasticsearch Administrators group in AD should have the superuser role in Elasticsearch.
That's a role mapping.

But, because you are using OpenIDConnect on top of AD(FS) the process is a little more complicated.
OpenID Connect doesn't have a builtin concept of "groups". OIDC uses a JSON Web Token, and JWT has claims about users, but there is no standard claim for "groups".

Each OIDC OP/IdP (such as Auth0) has to decide whether to provide a list of "groups" in the JWT and what to call it. Some OPs might call that claim groups, some might call it roles, and some might use a URI instead like http://schemas.microsoft.com/ws/2008/06/identity/claims/role

Elasticsearch has no way of knowing whether your OP will provide a list of groups, and what the claim name will be. You need to configure Elasticsearch with that information. That is what the claims.groups setting is. It's the way you tell Elasticsearch where to find the group information (if any exists) in your OIDC JWTs.

If you set that up correctly, so that the Elasticsearch OIDC realm understands the groups that your OP sends across in the JWT, then you can create a role mapping like this example from the docs:

PUT /_security/role_mapping/oidc-finance
{
  "roles": [ "finance_data" ],
  "enabled": true,
  "rules": { "all": [
        { "field": { "realm.name": "oidc1" } },
        { "field": { "groups": "finance-team" } }
  ] }
}

That says, if the user authenticates using the "oidc1" realm, and the JWT tells us that they are a member of the finance-team group in the identity store, then they should get the finance_data role in Elasticsearch.

Hi @TimV

Thanks for the explanation.

I am trying some IdPs like Auth0 and FusionAuth. In this case, I want to map the role/group in the FusionAuth OpenID to Elastic. I saw in the sample about the claims.groups, but it is not really clear about the URL value: is that the group name or the group endpoint, and is it generated from the IdP or not?

Which example uses a URL for claims.groups?

The claims.* values are not URLs. They are names. Sometimes (but not frequently) OIDC providers will use URIs to name their JWT claims, but they are always used as identifiers, never as locators.

What you need to find out is, for your JWT issuer (Auth0 or FusionAuth), what is the name of the JWT claim that they use to provide groups or roles to RPs?

According to the FusionAuth docs, they use "roles" for this. So, if you want to use native FusionAuth roles to represent your user's groups for Elasticsearch role mapping, then you would set:

    claims.groups: "roles"
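As an added example that is not part of this thread or of Elastic's code, here is a small Python model of the two pieces discussed above: claims.groups selecting the JWT claim (FusionAuth's "roles") that becomes the user's groups, and the all/field rules of the oidc-finance mapping being evaluated against those properties. It simplifies Elasticsearch's real matching (exact values only, no wildcards or dn rules), and the token, realm settings and mapping values are constructed.

```python
# Added example (not Elastic's or the forum's code): a model of how an OIDC
# realm maps ID-token claims to user properties and evaluates mapping rules.

def extract_user(jwt_claims, realm_name, realm_settings):
    # claims.groups names the JWT claim that carries groups; if that claim
    # is absent from the token, the user simply has no groups.
    groups = jwt_claims.get(realm_settings.get("claims.groups", "groups"), [])
    if isinstance(groups, str):
        groups = [groups]
    return {
        "username": jwt_claims[realm_settings["claims.principal"]],
        "realm.name": realm_name,
        "groups": list(groups),
    }

def rule_matches(rule, user):
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    if "field" in rule:
        # Matches when any value of the (possibly multi-valued) user
        # property equals any of the listed values.
        (name, wanted), = rule["field"].items()
        actual = user.get(name, [])
        actual = actual if isinstance(actual, list) else [actual]
        wanted = wanted if isinstance(wanted, list) else [wanted]
        return any(a in wanted for a in actual)
    raise ValueError("unknown rule type: %r" % sorted(rule))

def resolve_roles(mappings, user):
    # Union of roles from every enabled mapping whose rules match.
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and rule_matches(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)

# Constructed sample: a FusionAuth-style ID token carrying groups in a
# "roles" claim, the matching claims.groups: "roles" realm setting, and
# the oidc-finance mapping quoted above from the docs.
SAMPLE_JWT = {"sub": "alice@example.com", "roles": ["finance-team", "viewer"]}
REALM_SETTINGS = {"claims.principal": "sub", "claims.groups": "roles"}
MAPPINGS = {"oidc-finance": {
    "roles": ["finance_data"], "enabled": True,
    "rules": {"all": [{"field": {"realm.name": "oidc1"}},
                      {"field": {"groups": "finance-team"}}]}}}
```

Leaving claims.groups unset (or pointing it at a claim the IdP never sends) makes the user's groups empty, so the group rule never matches and no role is granted; that is the usual cause of "everyone gets nothing" after switching IdPs.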