Elasticsearch SAML problems

Hello,

we are currently trying to integrate SAML authentication with Azure Entra ID for one of our customers.
We followed the guide from Set up SAML with Microsoft Entra ID

The configuration is as follows (identifiers replaced with general text):

elasticsearch.yml

    xpack.security.authc.realms.saml.entraidsaml.order: 2
    xpack.security.authc.realms.saml.entraidsaml.attributes.principal: nameid
    xpack.security.authc.realms.saml.entraidsaml.attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
    xpack.security.authc.realms.saml.entraidsaml.idp.metadata.path: "https://login.microsoftonline.com/<Tenant-ID>/federationmetadata/2007-06/federationmetadata.xml?appid=<APP-ID>"
    xpack.security.authc.realms.saml.entraidsaml.idp.entity_id: "https://sts.windows.net/<Tenant-ID>/"
    xpack.security.authc.realms.saml.entraidsaml.sp.entity_id: "<NAME>"
    xpack.security.authc.realms.saml.entraidsaml.sp.acs: "https://<NAME>/api/security/saml/callback"
    xpack.security.authc.realms.saml.entraidsaml.sp.logout: "https://<NAME>/logout"

kibana.yml

    xpack.security.authc.providers.basic.localauth.order: 0
    xpack.security.authc.providers.saml.entraidsaml.order: 2
    xpack.security.authc.providers.saml.entraidsaml.realm: entraidsaml
    xpack.security.authc.providers.saml.entraidsaml.description: "<Nice text>"
    xpack.security.authc.providers.saml.entraidsaml.icon: "<Nice icon>"

Role-Mapping

POST /_security/role_mapping/SAML_kibana
{
    "enabled": true,
    "roles": [ "<Custom role>" ],
    "rules" : {
      "all" : [
        {
          "field" : {
            "realm.name" : "entraidsaml"
          }
        },
        {
          "field" : {
            "groups" : [
              "<GROUP NAME>"
            ]
          }
        }
      ]
    },
    "metadata": { "version": 1 }
}

The application inside Azure is configured as in the guide.
When we try to log in with a user that is a member of , we are greeted with an error message

You do not have permission to access the requested page

To verify that our problem lies within the matching role, we tried the following:

  • Check by creating a local user -> works fine, the local user can log in and see everything that is granted by that role
  • Check if the SAML configuration even works by removing the groups field from the role mapping -> works, any user from the customer tenant can log in and is granted the role

So we verified that both the Elastic role and the SAML authentication by itself work; just including that group name as described in the guide makes it unusable.
We cannot see anything wrong here and are out of ideas on what to troubleshoot next.

Have you checked your Elasticsearch logs?
Do your symptoms match any of the scenarios in the troubleshooting guide?

First of all, we were able to figure out a working solution.

The Elasticsearch logs weren't really helpful, or maybe we checked in the wrong place.
We checked the Kibana logs for the logins, and while we got that missing-permission notice, no login was logged in the Kibana log.

The problem was solved though when we switched around 2 things:

  1. We changed the group claim in the Azure App from sAMAccountName to Group ID.
  2. We changed the Role Mapping to use the corresponding Group Object ID.

This solved our problem and at least from our point of view, it is an even better solution than using the clear name because the Object ID is unique while a clear name could be used again after deleting and re-adding the group.

We are still not 100% sure why the sAMAccountName didn't work though but as we have a working solution now, we are fine with it.

Just wanted to clarify if anyone finds this topic.
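A way to see the mismatch described in this thread without guessing, as an added example that is not part of the original posts or of Elasticsearch's own code: take the SAMLResponse that the browser POSTs to the ACS URL (it is base64 in the form body and can be copied from the browser's developer tools), decode it, list the values the IdP actually puts in the groups claim, and evaluate the posted role mapping against them with a small, simplified rule evaluator. The assertion below is constructed for the example; the NameID, the group Object IDs and the group name "Kibana-Users" are fictional, and the evaluator only implements the all/any/except/field rule types without wildcard or DN matching.

```python
"""Show what an Entra ID SAML assertion carries in the groups claim and
evaluate an Elasticsearch role mapping against it.
Simplified stand-in for the realm + role-mapping logic, not Elastic's code."""
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample (not from a real tenant): a SAML Response wrapping one
# assertion, as the HTTP-POST binding delivers it. Entra ID configured with
# "Group ID" as the group claim emits Object IDs, not display names.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
        <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
        <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# What would sit in the SAMLResponse form field for the sample above.
SAMPLE_SAMLRESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_assertion(xml_text):
    """Return (nameid, {attribute_name: [values]}) from a Response or bare Assertion."""
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}Assertion" % NS["saml"]:
        assertion = root
    else:
        assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in document")
    nameid_el = assertion.find("saml:Subject/saml:NameID", NS)
    nameid = (nameid_el.text or "").strip() if nameid_el is not None else ""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return nameid, attrs


def user_from_saml_response(b64_response, realm_name, groups_attr=GROUPS_CLAIM):
    """Build the user properties that role mapping sees, mirroring the realm
    settings attributes.principal: nameid and attributes.groups: <claim URI>.
    groups is [] when the claim is absent from the assertion."""
    nameid, attrs = parse_assertion(base64.b64decode(b64_response))
    return {"username": nameid, "groups": attrs.get(groups_attr, []), "realm.name": realm_name}


def rule_matches(rule, user):
    """Simplified role-mapping rule evaluator: all / any / except / field.
    A field rule matches when any of the user's values equals any wanted value."""
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    if "except" in rule:
        return not rule_matches(rule["except"], user)
    if "field" in rule:
        (name, wanted), = rule["field"].items()
        wanted = wanted if isinstance(wanted, list) else [wanted]
        have = user.get(name, [])
        have = have if isinstance(have, list) else [have]
        return any(h in wanted for h in have)
    raise ValueError("unknown rule: %r" % rule)


def mapping_rules(group_value, realm_name="entraidsaml"):
    """The thread's SAML_kibana mapping rules with the groups value parameterised."""
    return {"all": [{"field": {"realm.name": realm_name}},
                    {"field": {"groups": [group_value]}}]}


if __name__ == "__main__":
    user = user_from_saml_response(SAMPLE_SAMLRESPONSE_B64, "entraidsaml")
    print("groups sent by IdP:", user["groups"])
    print("mapping on display name matches:", rule_matches(mapping_rules("Kibana-Users"), user))
    print("mapping on Object ID matches:",
          rule_matches(mapping_rules("11111111-2222-3333-4444-555555555555"), user))
```

Run it against a real captured SAMLResponse by replacing SAMPLE_SAMLRESPONSE_B64 with the form value: if the printed groups list contains Object IDs, a mapping on "<GROUP NAME>" can never match, which is the symptom in the thread; an empty list means the claim is not being emitted at all (claim not configured on the app, or the groups overage behaviour of Entra ID), which also ends in "You do not have permission" once the groups rule is present. Note that the realm.name rule is what keeps the mapping from granting the role to users of other realms, so keep it even after switching to Object IDs.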