Google OIDC SSO with Mapping (Google) Groups onto (Kibana) Roles

Hi

We're using the Elastic Cloud hosted version of the Elastic stack and attempting to integrate Google SSO with OIDC.

I have the authentication working and can use role mapping with usernames to map specific users onto Roles in Kibana.

To make this more manageable and consistent with our other systems using Google OIDC, I want to manage role assignment with Google Groups e.g. assign people to 'engineers' group in Google Workplace and have them pick up the equivalent Engineers role in Kibana.

In Google Cloud Console we have the permissions set up correctly to allow the OIDC integration to pull through the groups (and this is working with Pritunl/Hashicorp Vault OK) but I'm struggling to map the groups.

I can find instructions for mapping Azure AD groups but not Google.

In elasticsearch.yml I have this:

    xpack:
      security:
        authc:
          realms:
            oidc:
              oidc1:
                order: 2
                rp.client_id: "REDACTED.apps.googleusercontent.com"
                rp.response_type: "code"
                rp.requested_scopes: ["openid", "email", "https://www.googleapis.com/auth/admin.directory.group.readonly"]
                rp.redirect_uri: "https://REDACTED.eu-west-1.aws.found.io:9243/api/security/v1/oidc"
                op.issuer: "https://accounts.google.com"
                op.authorization_endpoint: "https://accounts.google.com/o/oauth2/v2/auth"
                op.token_endpoint: "https://oauth2.googleapis.com/token"
                op.userinfo_endpoint: "https://openidconnect.googleapis.com/v1/userinfo"
                op.jwkset_path: "https://www.googleapis.com/oauth2/v3/certs"
                claims.principal: email
                claims.groups: groups
                claim_patterns.principal: "^([^@]+)@ourdomain\\.tld$"

I've then tried mapping the groups onto roles with this:

    PUT /_xpack/security/role_mapping/oidc_kibana
    {
        "enabled": true,
        "roles": [ "engineers" ],
        "rules" : {
          "all" : [
            {"field" : { "realm.name" : "oidc1" }},
            {"field": { "groups": ["engineers"] } }
          ]
        },
        "metadata": { "version": 1 }
    }

However the role doesn't appear to be assigned.

If I swap out the groups line to a list of explicit users it works as expected and assigns the Role:

    {"field": { "username": ["user1","user2"] } }

Any ideas? Is there a change I need to make in elasticsearch.yml to map the groups returned by Google in the JWT?

The missing part here is how and if Google returns the group memberships in the JWT.

                claims.groups: groups

This configuration tells Elasticsearch that it should try to find a claim named groups in the ID Token or in the Userinfo response, get all the values from it, and assign them to the groups property of the user representation in Elasticsearch, so that you can later do things like

    {"field": { "groups": ["engineers"] } }

in your role mappings.

From what I see in https://accounts.google.com/.well-known/openid-configuration, Google's OIDC implementation doesn't support a claim by which it conveys the user's group memberships in the context of OpenID Connect, so it appears that you won't be able to do what you're after, as groups are not even returned in the ID Token JWT.
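As an added illustration (not Elastic's code, and a deliberate simplification of the real realm), the following Python sketch models what the answer describes: how the realm builds the user from token claims using `claims.principal`, `claim_patterns.principal` and `claims.groups`, and how a role-mapping rule tree (`all`/`any`/`field`) is evaluated against that user. The token payloads are constructed; the Google-shaped one carries no `groups` claim, so the group rule from the question can never match while a `username` rule does.

```python
import re

# Realm settings taken from the elasticsearch.yml in the question.
REALM = {
    "name": "oidc1",
    "claims.principal": "email",
    "claims.groups": "groups",
    "claim_patterns.principal": r"^([^@]+)@ourdomain\.tld$",
}

# Role mapping from the question: realm check AND groups check.
GROUP_MAPPING = {"roles": ["engineers"], "rules": {"all": [
    {"field": {"realm.name": "oidc1"}},
    {"field": {"groups": ["engineers"]}}]}}

def build_user(claims, realm=REALM):
    # Simplified model of the realm: apply claim_patterns.principal to the
    # principal claim, then collect whatever the groups claim holds (if any).
    m = re.match(realm["claim_patterns.principal"],
                 str(claims.get(realm["claims.principal"], "")))
    if not m:
        return None  # no principal, or it failed the pattern: login rejected
    groups = claims.get(realm["claims.groups"], [])
    if isinstance(groups, str):
        groups = [groups]
    return {"username": m.group(1), "groups": list(groups),
            "realm.name": realm["name"]}

def rule_matches(rule, user):
    # Evaluate a role-mapping rule tree: "all", "any" or a single "field".
    if "all" in rule:
        return all(rule_matches(r, user) for r in rule["all"])
    if "any" in rule:
        return any(rule_matches(r, user) for r in rule["any"])
    (field, wanted), = rule["field"].items()
    wanted = wanted if isinstance(wanted, list) else [wanted]
    actual = user.get(field, [])
    actual = actual if isinstance(actual, list) else [actual]
    return any(v in wanted for v in actual)  # empty groups never match

def mapped_roles(mapping, claims):
    user = build_user(claims)
    if user is None or not rule_matches(mapping["rules"], user):
        return []
    return list(mapping["roles"])

# Constructed ID Token payload shaped like Google's: no 'groups' claim at all.
GOOGLE_LIKE_CLAIMS = {"iss": "https://accounts.google.com",
                      "email": "user1@ourdomain.tld", "email_verified": True}
# Constructed payload from a hypothetical IdP that does emit a groups claim.
GROUPS_CLAIMS = dict(GOOGLE_LIKE_CLAIMS, groups=["engineers", "oncall"])
```

Running `mapped_roles(GROUP_MAPPING, GOOGLE_LIKE_CLAIMS)` returns no roles, while the same mapping against `GROUPS_CLAIMS` yields `engineers`.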

Hi Ioannis,

I had assumed Google did return the Groups in their JWT as we got this functionality working OK with the Hashicorp Vault product (see OIDC Provider Setup - Auth Methods | Vault by HashiCorp); however, if I'm reading their source code correctly, it looks like they had to write a specific plug-in to pull the Groups via the Google API:
https://github.com/hashicorp/vault-plugin-auth-jwt/commit/5815ce50fbffaddcc9d197d2ace3779ed6742c8d#diff-630ba09448af522154f38ef7685ef1f44b0f3e9430f80829a03ce24f400f3754

Pritunl also handles Google Groups nicely, mapping these onto their concept of Organisations: Google

So while it is technically possible, it would require more work on Elastic's side to more tightly support Google Workplace. For now I'll have to handle the mapping manually based on username rather than Groups.

Thanks for your help/investigation.

Martyn