Google OIDC SSO with Mapping (Google) Groups onto (Kibana) Roles

MartynF · April 30, 2021, 10:23am

Hi

We're using Elastic Cloud hosted version of the Elastic stack and attempting to integration Google SSO with OIDC.

I have the authentication working and can use role mapping with usernames to map specific users onto Roles in Kibana.

To make this more manageable and consistent with our other systems using Google OIDC, I want to manage role assignment with Google Groups e.g. assign people to 'engineers' group in Google Workplace and have them pick up the equivalent Engineers role in Kibana.

In Google Cloud Console we have the permissions set up correctly to allow the OIDC integration to pull through the groups (and this is working with Pritunl/Hashicorp Vault OK) but I'm struggling to map the groups.

I can find instructions for mapping Azure AD groups but not Google.

In elasticsearch.yml I have this:

    xpack:
      security:
        authc:
          realms:
            oidc:
              oidc1:
                order: 2
                rp.client_id: "REDACTED.apps.googleusercontent.com"
                rp.response_type: "code"
                rp.requested_scopes: ["openid", "email", "https://www.googleapis.com/auth/admin.directory.group.readonly"]
                rp.redirect_uri: "https://REDACTED.eu-west-1.aws.found.io:9243/api/security/v1/oidc"
                op.issuer: "https://accounts.google.com"
                op.authorization_endpoint: "https://accounts.google.com/o/oauth2/v2/auth"
                op.token_endpoint: "https://oauth2.googleapis.com/token"
                op.userinfo_endpoint: "https://openidconnect.googleapis.com/v1/userinfo"
                op.jwkset_path: "https://www.googleapis.com/oauth2/v3/certs"
                claims.principal: email
                claims.groups: groups
                claim_patterns.principal: "^([^@]+)@ourdomain\\.tld$"

I've then tried mapping the groups onto roles with this:

    PUT /_xpack/security/role_mapping/oidc_kibana
    {
        "enabled": true,
        "roles": [ "engineers" ],
        "rules" : {
          "all" : [
            {"field" : { "realm.name" : "oidc1" }},
            {"field": { "groups": ["engineers"] } }
          ]
        },
        "metadata": { "version": 1 }
    }

However the role doesn't appear to be assigned.

If I swap out the groups line to a list of explicit users it works as expected and assigns the Role:

{"field": { "username": ["user1","user2"] } }

Any ideas? Is there a change I need to make in elasticsearch.yml to map the groups returned by Google in the JWT?

ikakavas · May 4, 2021, 8:05am

The missing part here is how and if Google returns the group memberships in the JWT.

                claims.groups: groups

This configuration tells Elasticsearch that it should try and find a claim that is named groups in the ID Token or in the Userinfo response and get all the values from it and assign it to the groups property of the user representation in elasticsearch, so that you can later do things like

{"field": { "groups": ["engineers"] } }

in your role mappings.

From what I see in https://accounts.google.com/.well-known/openid-configuration , Google's OIDC implementation doesn't support a claim by which it conveys the users group memberships in the context of OpenID Connect, so it appears that you won't be able to do what you're after as groups are not even returned in the IDToken JWT.

MartynF · May 4, 2021, 1:05pm

Hi Ioannis,

I had assumed Google did return the Groups in their JWT as we got this functionality working ok with Hashicorp Vault product (see OIDC Provider Setup - Auth Methods | Vault by HashiCorp) however. if I'm reading their source code correctly. it looks like they had to write a specific plug-in to pull the Groups via the Google API)
https://github.com/hashicorp/vault-plugin-auth-jwt/commit/5815ce50fbffaddcc9d197d2ace3779ed6742c8d#diff-630ba09448af522154f38ef7685ef1f44b0f3e9430f80829a03ce24f400f3754

Pritunl also handles Google Groups nicely, mapping these onto their concept of Organisations: Google

So while it is technically possible, it would require more work on Elastic's side to more tightly support Google Workplace. For now I'll have to handle the mapping manually based on username rather than Groups.

Thanks for your help/investigation.

Martyn

system · June 1, 2021, 1:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Azure AD with groups in kibana and role mappings Kibana elastic-stack-security	2	326	October 4, 2022
Kibana oidc (azure) role assignment not working (too many groups) Kibana elastic-stack-security	3	269	March 1, 2024
OIDC role mapping not working Elasticsearch elastic-stack-security	3	283	February 19, 2024
Elastic Stack OIDC Google Elasticsearch elastic-stack-security	3	559	November 23, 2020
Map / grant roles defined in keycloak to elasticsearch Elasticsearch elastic-stack-security	6	1179	October 6, 2022

Google OIDC SSO with Mapping (Google) Groups onto (Kibana) Roles

Related topics