Kibana SAML SSO Issue with spaces - "unauthorized to GetAll spaces"

techguy20 · February 14, 2022, 10:00pm

Kibana 7.17 - self managed instance

We have SAML SSL working well Azure. We have 3 roles defined kibana.
user, superuser, restricted_spaces_user,

Within the Enterprise App, the values are all assigned to the different User groups :
Sec_group_user = user
Sec_group_admin = superuser
Sec_group_restricted = restricted_spaces_user

The role mappings are defined in kibana and the roles are mapped to spaces as required.
The user is "You do not have permission to access the requested page"

The issue encountered is the role 'restricted_spaces_user' is generating an error in kibana.yml

<"eventType":"spaces_authorization_failure","username":john.doe@email.com","action":"getAll","message":"john.doe@email.com unauthorized to getAll spaces"/>

I cant see where this is going wrong and why its not returning the single space that they are assigned.

wa7son · February 23, 2022, 10:04am

Hi,

Sorry to hear about the issue you're facing.

Unless you've encountered a bug, the issue here is that the restricted_spaces_user is trying to load a page in Kibana which the user does not have permissions to see. So it's probably related to the roles the user has.

Can you please verify when exactly this error screen is show? Does it happen right after the restricted_spaces_user has logged in before seeing the Kibana home screen? If not, which page is the user trying to navigate to when seeing this error screen?

Regards,
Thomas

techguy20 · February 23, 2022, 1:00pm

I enabled trace logs and was able to identify the issue being related to the '_' underscore. I changed all our role values to hyphens and the issue is resolved.

Support also mentioned that the UUID from the group in Azure can also be used

wa7son · February 24, 2022, 6:25am

Great to hear that you were able to solve the issue

system · March 24, 2022, 6:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.