Hello,
we are currently trying to integrate SAML authentication with Azure Entra ID for one of our customers.
We followed the guide from Set up SAML with Microsoft Entra ID
The configuration is as follows (identifiers replaced with general text):
elasticsearch.yml
xpack.security.authc.realms.saml.entraidsaml.order: 2
xpack.security.authc.realms.saml.entraidsaml.attributes.principal: nameid
xpack.security.authc.realms.saml.entraidsaml.attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
xpack.security.authc.realms.saml.entraidsaml.idp.metadata.path: "https://login.microsoftonline.com/<Tenant-ID>/federationmetadata/2007-06/federationmetadata.xml?appid=<APP-ID>"
xpack.security.authc.realms.saml.entraidsaml.idp.entity_id: "https://sts.windows.net/<Tenant-ID>/"
xpack.security.authc.realms.saml.entraidsaml.sp.entity_id: "<NAME>"
xpack.security.authc.realms.saml.entraidsaml.sp.acs: "https://<NAME>/api/security/saml/callback"
xpack.security.authc.realms.saml.entraidsaml.sp.logout: "https://<NAME>/logout"
kibana.yml
xpack.security.authc.providers.basic.localauth.order: 0
xpack.security.authc.providers.saml.entraidsaml.order: 2
xpack.security.authc.providers.saml.entraidsaml.realm: entraidsaml
xpack.security.authc.providers.saml.entraidsaml.description: "<Nice text>"
xpack.security.authc.providers.saml.entraidsaml.icon: "<Nice icon>"
Role-Mapping
POST /_security/role_mapping/SAML_kibana
{
  "enabled": true,
  "roles": [ "<Custom role>" ],
  "rules": {
    "all": [
      {
        "field": {
          "realm.name": "entraidsaml"
        }
      },
      {
        "field": {
          "groups": [
            "<GROUP NAME>"
          ]
        }
      }
    ]
  },
  "metadata": { "version": 1 }
}
The application inside Azure is configured as in the guide.
When we try to log in with a user that is a member of , we are greeted with the error message:
You do not have permission to access the requested page
To verify that our problem lies within the matching role, we tried the following:
- Check by creating a local user -> works fine, the local user can log in and see everything that is granted by that role
- Check whether the SAML configuration works at all by removing the groups field from the role mapping -> works, any user from the customer tenant can log in and is granted the role
So we verified that both the Elastic role and the SAML authentication by itself work; just including that group name as described in the guide makes it unusable.
We cannot see anything wrong here and are out of ideas on what to troubleshoot next.
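As an added illustration (not part of the post above), here is a small Python model of how an Elasticsearch role-mapping rule tree is evaluated, with constructed role, group and user values: the `all` rule only grants the role when the realm name and at least one value of the user's `groups` attribute both match, so the value the IdP actually places in the groups claim (Entra ID emits group object IDs there unless the application is configured to emit names) has to be compared with the literal in the rule. The wildcard handling is an approximation of Elasticsearch's simple `*` matching.

```python
from fnmatch import fnmatchcase
# Role mapping in the shape of the post; role and group names are constructed values.
ROLE_MAPPING = {
    "enabled": True,
    "roles": ["custom_kibana_role"],
    "rules": {"all": [
        {"field": {"realm.name": "entraidsaml"}},
        {"field": {"groups": ["Kibana-Users"]}},
    ]},
}

# Constructed users as Elasticsearch's user model sees them after SAML attribute mapping.
USER_WITH_GROUP_NAME = {"username": "alice@example.com",
                        "realm": {"name": "entraidsaml"}, "groups": ["Kibana-Users"]}
USER_WITH_GROUP_ID = {"username": "bob@example.com", "realm": {"name": "entraidsaml"},
                      "groups": ["11111111-2222-3333-4444-555555555555"]}  # placeholder object ID

def _user_values(user, field):
    """Look up a rule field ('realm.name' is nested) and always return a list."""
    node = user
    for part in field.split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return node if isinstance(node, list) else [node]

def _field_matches(user, field, expected):
    """True if any user value equals any expected value; strings may use a '*' wildcard."""
    expected = expected if isinstance(expected, list) else [expected]
    for have in _user_values(user, field):
        for want in expected:
            if isinstance(want, str) and isinstance(have, str):
                if fnmatchcase(have, want):  # approximates Elasticsearch's simple '*' wildcard
                    return True
            elif have == want:
                return True
    return False

def evaluate(rule, user):
    # Rule tree: all / any / except / field
    if "all" in rule:
        return all(evaluate(r, user) for r in rule["all"])
    if "any" in rule:
        return any(evaluate(r, user) for r in rule["any"])
    if "except" in rule:
        return not evaluate(rule["except"], user)
    (field, value), = rule["field"].items()  # a field rule names exactly one field
    return _field_matches(user, field, value)

def mapped_roles(mapping, user):
    """Roles granted to the user, or [] when the mapping is disabled or its rules fail."""
    if not mapping.get("enabled", True) or not evaluate(mapping["rules"], user):
        return []
    return list(mapping["roles"])
```

Feeding `mapped_roles` a user dict built from the attributes seen in the SAML response (for example with the realm's debug logging enabled) shows directly which of the two `field` rules fails.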