Elasticsearch SAML integration while using HTTP-Redirect

SAML does not support mapping files.
Which part of the docs led you to believe it did?

In this role mapping file
it shows how to use the file-based method to map groups to roles. The user can be from Active Directory, so I think maybe users who authenticate via SAML can also use it.

I have a question when I use the role mapping API.
If I have created a role mapping (the mapping name in the URL is a placeholder):
curl -X PUT "https://X.X.X.X:9200/_xpack/security/role_mapping/<mapping_name>" -H 'Content-Type: application/json' -d'
{
"roles": [ "superuser" ],
"enabled": true,
"rules": { "all": [
{ "field": { "realm.name": "saml3" } },
{ "field": { "metadata.saml(Email)": "Dengfeng.Nguyen@Honeywell.com" } }
] }
}'
I want to add a user to this mapping, or remove a user from this mapping. Do you have a related API?

HI Ikakavas
My configuration:
attributes.principal: "Email"
attribute_patterns.principal: "^([^@]+)@Honeywell.com$"

In my understanding I can extract the username from the email. If my email is Dengfeng.Nguyen@Honeywell.com, then my username will be Dengfeng.Nguyen.

But when I try to get the user's information
curl -X GET "https://x.x.x.x:9200/_xpack/security/user/Dengfeng.Nguyen"
it just returns {}.
Can you tell me how to get the information of a user who authenticates via SAML?

The Users API returns information about users in the Native realm. It will not show SAML users.

If you want to know which users are authenticating via SAML, then you need to use the audit log.

In addition to what Tim has mentioned, if you are authenticated yourself as the user of which you want to get the information, you can use the _authenticate API to get it.

HI ikakavas
I have some questions about group mapping.
From this role mapping we can map groups to different roles. I think if the SAML session contains one group it will work very well.
1 Can you tell me about the situation where the SAML session contains multiple groups? Can the ELK parse the group info?
2 If the answer is yes, does the ELK just pick the group configured in role_mapping and ignore the other groups?
3 If one user is in both group "user" and group "developer", will he have the full permissions of both groups or just the permissions of one of the groups?

I believe the Role Mapping API docs cover everything you are asking:

Got it, thank you

HI TimV
I have a problem when I log out of Kibana: when I click Logout, Kibana reloads and then logs in to Kibana again. That means I can not log out.
My configuration in Elasticsearch is
sp.acs: "https://sent2-kibana-dev.dsentience.net:443/api/security/v1/saml"
sp.logout: "https://sent2-kibana-dev.dsentience.net:443/logout"

HI TimV
Can you tell me about the situation where the SAML session contains two groups?
One is the top group "cn=elastic_user,ou=internal,o=Honeywell".
Another is the subgroup "cn=GroupAdministrator,cn=elastic_user,ou=internal,o=Honeywell".

If I only map the subgroup to a role, the user in the subgroup has no permissions related to the role.

Multiple groups should work fine.
You'll need to look at the logs and try and see what's going wrong for you.

Is there a sub-group concept in ELK?
If we need to map one group to one role, we just need to call the API below, no matter whether the group is a top group or a sub-group.
curl -X PUT "https://x.x.x.x:9200/_xpack/security/role_mapping/mapping" -H 'Content-Type: application/json' -d'
{
"roles": [ "kibana_user", "machine_learning_user" ],
"enabled": true,
"rules": { "all": [
{ "field": { "realm.name": "saml3" } },
{ "field": { "metadata.saml(Group)": "cn=elastic_user,ou=internal,o=honeywell" } }
] }
}'

What does sub-group mean to you?
We take the groups in the SAML assertion, and pass it through role-mapping. If the group is listed in the assertion, it should work.
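The questions above about multi-group assertions and about a user who is in both the top group and the sub-group can be checked with a small evaluator. This is an added example, not Elastic's code: it re-implements the all / any / field rule semantics of the Role Mapping API as I understand them (exact, case-sensitive string comparison, `*` wildcards, roles of every matching mapping unioned) over constructed user attributes and mappings; the group_admin and should_not_apply role names are hypothetical.

```python
import fnmatch

# Constructed sample: a SAML user's attributes as role mapping sees them, using this
# thread's field names; the user is in both the top group and the sub-group.
SAML_USER = {
    "realm.name": "saml3",
    "metadata.saml(Group)": ["cn=elastic_user,ou=internal,o=Honeywell",
                             "cn=GroupAdministrator,cn=elastic_user,ou=internal,o=Honeywell"],
}

# Constructed mappings in the shape of the Role Mapping API bodies in this thread
# (role names other than kibana_user / machine_learning_user are hypothetical).
MAPPINGS = {
    "users": {"roles": ["kibana_user", "machine_learning_user"], "enabled": True,
              "rules": {"all": [{"field": {"realm.name": "saml3"}},
                                {"field": {"metadata.saml(Group)": "cn=elastic_user,ou=internal,o=Honeywell"}}]}},
    "admins": {"roles": ["group_admin"], "enabled": True,
               "rules": {"field": {"metadata.saml(Group)": "cn=GroupAdministrator,*,o=Honeywell"}}},
    # Same group but with lower-case o=honeywell: no match, because values compare exactly here.
    "lowercase": {"roles": ["should_not_apply"], "enabled": True,
                  "rules": {"field": {"metadata.saml(Group)": "cn=elastic_user,ou=internal,o=honeywell"}}},
}

def field_matches(user_value, rule_value):
    # A multi-valued attribute matches if any user value equals (or *-matches) any rule value.
    user_values = user_value if isinstance(user_value, list) else [user_value]
    rule_values = rule_value if isinstance(rule_value, list) else [rule_value]
    for uv in user_values:
        for rv in rule_values:
            if uv == rv or (isinstance(rv, str) and "*" in rv and fnmatch.fnmatchcase(str(uv), rv)):
                return True
    return False

def evaluate_rule(rule, user):
    # Walk the all / any / field rule tree recursively (the "except" rule type is left out).
    (kind, body), = rule.items()
    if kind == "all":
        return all(evaluate_rule(r, user) for r in body)
    if kind == "any":
        return any(evaluate_rule(r, user) for r in body)
    if kind == "field":
        return all(field_matches(user.get(name), value) for name, value in body.items())
    raise ValueError(f"unknown rule type {kind!r}")

def resolve_roles(mappings, user):
    # Each enabled mapping is evaluated on its own; the roles of every match are unioned.
    roles = set()
    for mapping in mappings.values():
        if mapping.get("enabled", True) and evaluate_rule(mapping["rules"], user):
            roles.update(mapping["roles"])
    return sorted(roles)
```

Running resolve_roles(MAPPINGS, SAML_USER) yields the roles of both the top-group and the sub-group mappings, while the mapping whose group value differs only in letter case contributes nothing.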

For example:
The top group is "cn=elastic_user,ou=internal,o=Honeywell".
The subgroup is "cn=GroupAdministrator,cn=elastic_user,ou=internal,o=Honeywell", and this group is part of the top group.

cn=GroupAdministrator

HI TimV
Can you give me some advice about logging out of Kibana? When I click Logout, Kibana reloads and then logs in to Kibana again. That means I can not log out.
My configuration in Elasticsearch is
sp.acs: "https://sent2-kibana-dev.dsentience.net:443/api/security/v1/saml"
sp.logout: "https://sent2-kibana-dev.dsentience.net:443/logout"

I have checked the metadata file provided by the IdP, but I can not find any information about SingleLogoutService. Does that mean the IdP does not support single logout?

Another question is: can I just log out without single logout? If I can, how do I configure the ELK?

I got the answer from here:
https://www.elastic.co/guide/en/x-pack/current/_configure_elasticsearch_for_saml_authentication.html
Thank you

HI TimV
I have some questions about session control and timeouts.
1 Does the ELK limit the number of active concurrent sessions that are allowed for each account, as appropriate?

2 The IdP team provided me one logout URL. I want to go to this URL when I click Logout; can you tell me how to configure it?
