Managing Workplace Search Source Role access using SAML meta data

I have successfully hooked up SAML to a workplace search cloud instance and can succesfully setup access based on the username and email attributes. I want to however use the groups attribute.

I'm using Azure AD and I have confirmed the attribute is being sent mapped via elasticsearch.yml file: attributes.groups: "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

I've been reading I can tap into the attributes using the metadata but I can't seem to work out the correct syntax. Anyone know what the trick is to get this to work?

Hey @matt_elastic,

Have you seen this documentation: Configuring SAML single-sign-on on the Elastic Stack | Elasticsearch Guide [7.13] | Elastic? You should be able to configure SAML groups attribute data to map to roles in Elasticsearch. Then, you can make use of those Elasticsearch roles in Workplace Search role mappings: User Management and Security | Workplace Search Guide [7.13] | Elastic.

I hope that helps. If you're still running into issues, please post whatever configuration you're using and the incorrect result you're observing, omitting or redacting anything sensitive.

Thanks
Ross