Kibana oidc (azure) role assignment not working (too many groups)

I am using Kibana/Elasticsearch with Oidc (Microsoft Azure) for authentication.
Currently I have the problem that not all defined role mappings are working correctly.
We are using Azure groups in role mappings to assign users to specific Kibana roles.

9 out of 10 users can log in and work without any problems. However, user 10 is problematic. Some users in our organization are in many AD groups (>250).

And then the JWT token in the groups section is empty and points to another endpoint to retrieve all groups this user is assigned to.

Microsoft Entra ID limits the number of groups that it will emit in a token to 150 for SAML assertions and 200 for JWT. If a user is a member of a larger number of groups, the groups are omitted. A link to the Microsoft Graph endpoint to obtain group information is included instead.
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-fed-group-claims#options-for-applications-to-consume-group-information

And I think Kibana does nothing with this information and thinks this user is not a member of any group.

I have also addressed this as a support case, but almost a year later nothing has happened: #01312479 (5008X00002J8locQAB)
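The behaviour described above can be checked on a captured ID token before it is blamed on role mapping. The following is an added example, not code from this thread or from Elastic: it decodes the token payload (inspection only, signature checking is left to the realm), distinguishes a normal `groups` claim from the Entra ID overage indicator (`_claim_names` / `_claim_sources`), and mimics a simplified group-based role-mapping rule to show why the mapping silently fails for the overage user. The two token payloads and the Graph endpoint URL are constructed sample data.

```python
import base64
import json

# Constructed sample ID-token payloads (not real tokens). Entra ID omits the
# "groups" claim when a user exceeds the group limit and instead emits
# "_claim_names"/"_claim_sources" pointing at a Microsoft Graph endpoint.
NORMAL_CLAIMS = {"sub": "user9", "groups": ["11111111-aaaa-4bbb-8ccc-000000000001"]}
OVERAGE_CLAIMS = {
    "sub": "user10",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/user10/getMemberGroups"}},
}

def _b64url_encode(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(claims: dict) -> str:
    """Build a constructed compact JWT with a dummy signature, for local testing only."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "constructed-signature"])

def payload_claims(token: str) -> dict:
    """Return the decoded payload of a compact JWT (inspection only; no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def group_claim_status(claims: dict):
    """Classify how group membership is conveyed: 'present', 'overage' or 'absent'."""
    if "groups" in claims:
        return "present", list(claims["groups"])
    source_key = claims.get("_claim_names", {}).get("groups")
    if source_key:
        endpoint = claims.get("_claim_sources", {}).get(source_key, {}).get("endpoint")
        return "overage", endpoint
    return "absent", None

def mapping_matches(claims: dict, group_id: str) -> bool:
    """Simplified mimic of a role-mapping rule on the groups field: only groups actually
    carried in the token count, so an overage token never matches."""
    status, value = group_claim_status(claims)
    return status == "present" and group_id in value

if __name__ == "__main__":
    for claims in (NORMAL_CLAIMS, OVERAGE_CLAIMS):
        token = make_token(claims)
        print(claims["sub"], group_claim_status(payload_claims(token)))
```

Running it prints a "present" result for user9 and an "overage" result with the Graph endpoint for user10, which is the case the thread describes.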

This sounds like a possible bug in the Elasticsearch modules for role mapping.

To get the proper attention on this, I would recommend filing an issue in the Elasticsearch code repository on GitHub.

It may help to provide the declaration of your oidc realm as configured in elasticsearch.yml.

Thanks, I created an issue: Kibana oidc (azure) role assignment not working (too many groups) · Issue #105058 · elastic/elasticsearch · GitHub
