How to use ldap realm for authorisation for SAML realm

          <saml:Subject>
            <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">rgujral@apple.com</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
              <saml:SubjectConfirmationData InResponseTo="_7330cdc61193d9d0de5c4a749e46fac02aa639ec" NotOnOrAfter="2019-06-11T19:25:51Z" Recipient="https://gbiobserver-events-dev.corp.apple.com:443/api/security/v1/saml">
              </saml:SubjectConfirmationData>
            </saml:SubjectConfirmation>
          </saml:Subject>
          <saml:Conditions NotBefore="2019-06-11T19:20:51Z" NotOnOrAfter="2019-06-11T19:25:51Z">
            <saml:AudienceRestriction>
              <saml:Audience>https://gbiobserver-events-dev.corp.apple.com</saml:Audience>
            </saml:AudienceRestriction>
          </saml:Conditions>
          <saml:AuthnStatement AuthnInstant="2019-06-11T19:20:51Z" SessionIndex="A93ede02b-2e99-437f-b619-1c1aca1e7419" SessionNotOnOrAfter="2019-06-11T19:25:51Z">
            <saml:AuthnContext>
              <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            </saml:AuthnContext>
          </saml:AuthnStatement>
          <saml:AttributeStatement>
            <saml:Attribute Name="Email">
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">rgujral@apple.com</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="FirstName">
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Rohit</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="LastName">
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Gujral</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="ADSID">
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">001333-04-7c6572cc-78ce-4312-add7-43a5df78a12d</saml:AttributeValue>
            </saml:Attribute>
            <saml:Attribute Name="Groups">
              <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">10606723,10182173,10447632,10589740,1002775869</saml:AttributeValue>
            </saml:Attribute>
          </saml:AttributeStatement>
        </saml:Assertion>

        [2019-06-11T19:20:54,459][TRACE][o.e.x.s.a.s.SamlAuthenticator] [es-coordinating-1] SAML Assertion: [
            Response ID: A93ede02b-2e99-437f-b619-1c1aca1e7419
            Response issued at: 2019-06-11T19:20:51.000Z
            Issuer: AppleSSO
            Number of attribute statements: 1
            Number of authentication statements: 1
        ]
        [2019-06-11T19:20:54,459][TRACE][o.e.x.s.a.s.SamlAuthenticator] [es-coordinating-1] SAML Assertion was intended for the following Service providers: https://gbiobserver-events-dev.c...
        [2019-06-11T19:20:54,459][TRACE][o.e.x.s.a.s.SamlAuthenticator] [es-coordinating-1] SAML Assertion is only valid between: 2019-06-11T19:20:51.000Z and 2019-06-11T19:25:51.000Z
        [2019-06-11T19:20:54,459][TRACE][o.e.x.s.a.s.SamlAuthenticator] [es-coordinating-1] SAML Assertion Subject Confirmation intended recipient is: https://gbiobserver-events-dev.corp.apple.com:443/api/security/v1/saml
        [2019-06-11T19:20:54,459][TRACE][o.e.x.s.a.s.SamlAuthenticator] [es-coordinating-1] SAML Assertion Subject Confirmation is only valid before: 2019-06-11T19:25:51.000Z
        [2019-06-11T19:20:54,459][TRACE][o.e.x.s.a.s.SamlAuthenticator] [es-coordinating-1] SAML Assertion Subject Confirmation is in response to: _7330cdc61193d9d0de5c4a749e46fac02aa639ec
        [2019-06-11T19:20:54,459][TRACE][o.e.x.s.a.s.SamlAuthenticator] [es-coordinating-1] SAML AttributeStatement has [5] attributes and [0] encrypted attributes
        [2019-06-11T19:20:54,459][TRACE][o.e.x.s.a.s.SamlAuthenticator] [es-coordinating-1] The SAML Assertion contained the following attributes: 
        Email=[rgujral@apple.com]
        FirstName=[Rohit]
        LastName=[Gujral]
        ADSID=[001333-04-7c6572cc-78ce-4312-add7-43a5df78a12d]
        Groups=[10606723,10182173,10447632,10589740,1002775869]

        [2019-06-11T19:20:54,460][DEBUG][o.e.x.s.a.s.SamlRealm    ] [es-coordinating-1] Parsed token [SamlToken{3c73616d6c703a526573706f6e73652044657374696e6174696f6e3d2268747470733a2f2f6762696f627365727665722d6576656e74732d6465762e636f7270...}] to attributes [SamlAttributes(NameId(urn:oasis:names:tc:SAML:2.0:nameid-format:persistent)=rgujral@apple.com)[A93ede02b-2e99-437f-b619-1c1aca1e7419]{[Email=[rgujral@apple.com], FirstName=[Rohit], LastName=[Gujral], ADSID=[001333-04-7c6572cc-78ce-4312-add7-43a5df78a12d], Groups=[10606723,10182173,10447632,10589740,1002775869]]}]
        [2019-06-11T19:20:54,463][DEBUG][o.e.x.s.a.s.m.NativeRoleMappingStore] [es-coordinating-1] Mapping user [UserData{username:rgujral@apple.com; dn:null; groups:[10606723,10182173,10447632,10589740,1002775869]; metadata:{saml(ADSID)=[001333-04-7c6572cc-78ce-4312-add7-43a5df78a12d], saml_nameid_format=urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, saml(LastName)=[Gujral], saml(Groups)=[10606723,10182173,10447632,10589740,1002775869], saml_nameid=rgujral@apple.com, saml(FirstName)=[Rohit], saml(Email)=[rgujral@apple.com]}; realm=saml1}] to roles [[]]

It would have been a little bit easier to help if you could provide all the information that we asked for instead of just a part of it.

<saml:Attribute Name="Groups"> 
   <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                                        xsi:type="xs:string">
       10606723,10182173,10447632,10589740,1002775869
    </saml:AttributeValue> 
</saml:Attribute>

The problem is the above. Your IDP is sending all your groups in a comma-separated string. The usual way to send multivalued attributes in SAML is to have multiple <AttributeValue> elements. So we would expect to get:

<saml:Attribute Name="Groups"> 
   <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                                        xsi:type="xs:string">10606723</saml:AttributeValue> 
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                                        xsi:type="xs:string">10182173</saml:AttributeValue> 
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                                        xsi:type="xs:string">10447632</saml:AttributeValue> 
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                                        xsi:type="xs:string">10589740</saml:AttributeValue> 
  <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                                        xsi:type="xs:string">1002775869</saml:AttributeValue>
</saml:Attribute>

and we would then parse that into an array of Strings, one for each group.

What happens now is that we parse only 1 string with the value 10606723,10182173,10447632,10589740,1002775869 and this is why the rule

{ "field": { "groups": "10606723" } }

is not matching. This would be obvious in the logs I asked if you could share with us above.

Now, your only solution, as is, is to use a Lucene regexp to match the value, as we describe here. Try replacing

{ "field": { "groups": "10606723" } }

with

{ "field": { "groups": "/.*10606723.*/" } }
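The following is an added example, not code from the thread or from Elasticsearch, that reproduces the behaviour described in this reply and in the later one about switching back to an exact match: each `<AttributeValue>` element becomes exactly one string, an exact `field` rule only matches when one of those strings equals the group id, and a `/.../` regex rule is needed while the IdP joins the ids with commas. The XML samples are constructed, the `joined_statement`/`multi_statement`/`evaluate` helpers are mine, Python's `re.fullmatch` stands in for Lucene's anchored regexp, and the tighter `(.*,)?10606723(,.*)?` pattern is my suggestion (it matches the id only as a whole comma-delimited token, so a different id that merely contains the digits cannot satisfy the rule).

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed templates mimicking the AttributeStatement shown in the thread.
_STATEMENT = ('<saml:AttributeStatement xmlns:saml="%s">'
              '<saml:Attribute Name="Groups">%s</saml:Attribute>'
              '</saml:AttributeStatement>')
_VALUE = '<saml:AttributeValue>%s</saml:AttributeValue>'


def joined_statement(group_ids):
    """All group ids in ONE AttributeValue, comma separated (what the IdP sent)."""
    return _STATEMENT % (SAML_NS["saml"], _VALUE % ",".join(group_ids))


def multi_statement(group_ids):
    """One AttributeValue per group id (the usual SAML form)."""
    return _STATEMENT % (SAML_NS["saml"], "".join(_VALUE % g for g in group_ids))


def parse_attributes(xml_text):
    """Return {attribute name: [values]} from an AttributeStatement.

    Every AttributeValue element becomes exactly one string; the text is never
    split on commas, which is why a joined value stays a single group entry.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[attr.get("Name")] = values
    return attrs


def field_rule_matches(rule, user_fields):
    """Evaluate a {"field": {name: pattern}} role-mapping rule.

    A pattern wrapped in slashes is an anchored regex (re.fullmatch stands in
    for Lucene's whole-value regexp); any other pattern must equal one of the
    field's values exactly. The rule matches if ANY value satisfies it.
    """
    (name, pattern), = rule["field"].items()
    values = user_fields.get(name, [])
    if len(pattern) >= 2 and pattern.startswith("/") and pattern.endswith("/"):
        regex = re.compile(pattern[1:-1])
        return any(regex.fullmatch(v) for v in values)
    return pattern in values


def evaluate(xml_text, rule):
    """Map the SAML 'Groups' attribute onto the user's 'groups' field (as the
    realm's attributes.groups setting does) and evaluate the rule against it."""
    attrs = parse_attributes(xml_text)
    user_fields = {"groups": attrs.get("Groups", [])}
    return field_rule_matches(rule, user_fields)


EXACT = {"field": {"groups": "10606723"}}
LOOSE_REGEX = {"field": {"groups": "/.*10606723.*/"}}
# Assumed tighter alternative: the id must be a whole comma-delimited token.
TOKEN_REGEX = {"field": {"groups": "/(.*,)?10606723(,.*)?/"}}

if __name__ == "__main__":
    groups = ["10606723", "10182173", "10447632"]
    lookalike = ["110606723", "555"]        # constructed: contains the digits only as a substring
    for label, xml_text in (("joined", joined_statement(groups)),
                            ("multi", multi_statement(groups)),
                            ("lookalike-joined", joined_statement(lookalike))):
        print(label, "parsed as", parse_attributes(xml_text)["Groups"])
        for rule_name, rule in (("exact", EXACT), ("loose regex", LOOSE_REGEX),
                                ("token regex", TOKEN_REGEX)):
            print("   ", rule_name, "->", evaluate(xml_text, rule))
```

Run stand-alone it prints, for the joined form, `exact -> False` and both regex rules `True`; for the one-value-per-element form all three are `True`; and for the constructed look-alike value the loose `.*10606723.*` pattern still matches while the token-anchored pattern does not, which is the reason to prefer the exact rule once the IdP sends one value per element.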

@ikakavas, yes, the regex did work for me, and I told the IDP to not send all groups in a comma-separated string.

 <saml:Attribute Name="Groups">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">10606723</saml:AttributeValue>
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">10182173</saml:AttributeValue>
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">10447632</saml:AttributeValue>
    </saml:Attribute>

Thanks a lot for your help.

Glad you sorted this out. If you get the IDP to start sending you the groups one per AttributeValue instead of a comma-separated string, then you can go back and change

{ "field": { "groups": "/.*10606723.*/" } }

to

{ "field": { "groups": "10606723" } }

so that you don't unnecessarily use a regex.

Yes, I'm using { "field": { "groups": "10606723" } }

as the IDP has configured groups one per attribute value.
