How to use Azure Entra ID groups for SAML SSO?

Following these docs:

Config:

xpack:
  security:
    authc:
      realms:
        saml:
          saml1:
            order: 3
            attributes.dn: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
            attributes.principal: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
            attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
            idp.metadata.path: "https://login.microsoftonline.com/UUID/federationmetadata/2007-06/federationmetadata.xml?appid=UUID"
            idp.entity_id: "https://sts.windows.net/UUID-e1d-9540-UUID/"
            sp.entity_id: "https://elastic-kibana-development.example.com"
            sp.acs: "https://elastic-kibana-development.example.com/api/security/saml/callback"
            sp.logout: "https://elastic-kibana-development.elastic.com/logout"

I have an app in Azure Entra ID with a group named Admins.

I created a role mapping to associate superuser with the Admin group...

When I click Kibana SSO, I go through the Microsoft SSO login process, but it fails with "You do not have permission to access the requested page."

How do I pass the groups from Azure into the Elastic role mapping?

Thank you.
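As an added illustration (not code from the original post, and not Elastic's own implementation), here is a role mapping body for the saml1 realm above together with a small Python evaluator of role-mapping rules, so you can check which SAML attribute values a mapping would actually match before a user logs in. The group ID is a placeholder: Entra ID emits group object IDs (GUIDs) in the groups claim by default, not display names such as "Admins", unless the app's group claim is configured otherwise. The evaluator is a simplification that implements only exact-match field rules (no wildcards or null matching); the sample users are constructed.

```python
"""Worked example: an Elasticsearch role mapping for the saml1 realm plus a
minimal evaluator of role-mapping rules (all / any / except / field).
Added illustration; not code from the original post or from Elastic.
"""
import json

# Placeholder, not a real group: Entra ID sends group object IDs (GUIDs)
# in the groups claim by default, so the mapping must match the GUID,
# not the display name "Admins".
ADMIN_GROUP_ID = "00000000-0000-0000-0000-000000000000"

# Body for: PUT _security/role_mapping/saml_admins
ROLE_MAPPING = {
    "roles": ["superuser"],
    "enabled": True,
    "rules": {
        "all": [
            {"field": {"realm.name": "saml1"}},        # only users from this realm
            {"field": {"groups": ADMIN_GROUP_ID}},     # must carry the group claim
        ]
    },
}


def role_mapping_json():
    """Serialised body ready to send to the role mapping API."""
    return json.dumps(ROLE_MAPPING, indent=2)


def lookup(user, dotted):
    """Resolve a dotted user property such as 'realm.name'; None if absent."""
    cur = user
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def evaluate_rule(rule, user):
    """Evaluate one role-mapping rule against a user-properties dict.

    user looks like {"username": ..., "realm": {"name": ...}, "groups": [...]}.
    Simplification: field rules use exact string equality only.
    """
    if "all" in rule:
        return all(evaluate_rule(r, user) for r in rule["all"])
    if "any" in rule:
        return any(evaluate_rule(r, user) for r in rule["any"])
    if "except" in rule:
        return not evaluate_rule(rule["except"], user)
    if "field" in rule:
        (name, expected), = rule["field"].items()
        actual = lookup(user, name)
        expected_values = expected if isinstance(expected, list) else [expected]
        actual_values = actual if isinstance(actual, list) else [actual]
        return any(e in actual_values for e in expected_values)
    raise ValueError(f"unknown rule type: {rule}")


def roles_for(user, mapping=ROLE_MAPPING):
    """Roles the mapping would grant; an empty list means 'authenticated, no roles'."""
    if mapping["enabled"] and evaluate_rule(mapping["rules"], user):
        return list(mapping["roles"])
    return []


if __name__ == "__main__":
    # Constructed sample users: what the saml1 realm would see after login.
    by_id = {"username": "alice@example.com",
             "realm": {"name": "saml1"}, "groups": [ADMIN_GROUP_ID]}
    by_name = {"username": "alice@example.com",
               "realm": {"name": "saml1"}, "groups": ["Admins"]}
    print(role_mapping_json())
    print("group by GUID  ->", roles_for(by_id))    # ['superuser']
    print("group by name  ->", roles_for(by_name))  # []  (no roles, so no access)
```

A user who authenticates through SAML but matches no mapping ends up with no roles at all, so a mismatch between the value in the claim and the value in the rule is the first thing to compare, for example by inspecting the groups values in the decoded SAML assertion against the mapping.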

You haven't provided enough information for us to know where this is failing.

It could be in your Entra ID config, or in your elasticsearch.yml config, or in your role mapping.

Please provide a complete description of what you have configured so we can look for any possible issues.
